ebfa594dd6a7f8dccf1588621fb1fa050748e3dc891a1eaee0f4592c0d6507f0

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe
Size

483KB
MD5

11aa1d59a3b5626a6a5c04ab3ad2e610
SHA1

acf9eae420c41616171408172b6d68389991edae
SHA256

ebfa594dd6a7f8dccf1588621fb1fa050748e3dc891a1eaee0f4592c0d6507f0
SHA512

8ec71eac9af20fd222b0b0b1db1cec1d467bfdb0e5ca3535c58971875f94681a94a5d472ef417d6fae0132b8be2905767b48b9b906ff6d144b5326a9fe3fcec6
SSDEEP

6144:p4AUmKtFy5v1k3RMZebBDRMZebBGzxUur/THL1k3RMZebBvG0NPhGcRPTDpL1k38:mptY5vARM0RM/3ARMSG0dhvARMoHG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peqcjkfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chbnia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcioiood.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chghdqbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edkdkplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkmlofol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkhdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfnphn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbmncp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhbgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qloebdig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfibe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dohfbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajjli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faihkbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdjjckag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnkdhpjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abkjdnoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eocenh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elgfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeqmoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edihepnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmknaell.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipdqba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbmncp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkcmdhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkidenlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoaihhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faihkbci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkjlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkhoae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alkdnboj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibqpimpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe

Executes dropped EXE 64 IoCs

pid	Process
4900	Ljnnch32.exe
4660	Lphfpbdi.exe
1812	Mciobn32.exe
4472	Mkpgck32.exe
2968	Mjeddggd.exe
1396	Mnapdf32.exe
60	Mpaifalo.exe
4432	Mnfipekh.exe
2436	Njljefql.exe
3048	Nceonl32.exe
3288	Nqiogp32.exe
3472	Nbhkac32.exe
4796	Ncihikcg.exe
4024	Ndidbn32.exe
3972	Ncnadk32.exe
4960	Odpjcm32.exe
3900	Obdkma32.exe
1280	Ojopad32.exe
4260	Ocgdji32.exe
2468	Onmhgb32.exe
2112	Pkaiqf32.exe
1392	Peimil32.exe
2304	Pbmncp32.exe
2868	Pjhbgb32.exe
408	Pkhoae32.exe
1384	Peqcjkfp.exe
2008	Qecppkdm.exe
3924	Qnkdhpjn.exe
2056	Qloebdig.exe
1852	Aegikj32.exe
2144	Abkjdnoa.exe
632	Aldomc32.exe
3532	Acocaf32.exe
3748	Alfkbc32.exe
3668	Abpcon32.exe
2872	Adapgfqj.exe
1912	Ajkhdp32.exe
2804	Aealah32.exe
2256	Alkdnboj.exe
2848	Abemjmgg.exe
1252	Bdfibe32.exe
4316	Bajjli32.exe
4296	Bhdbhcck.exe
4636	Bnnjen32.exe
4656	Bdkcmdhp.exe
3344	Bjdkjo32.exe
4836	Baocghgi.exe
320	Bldgdago.exe
3480	Baaplhef.exe
5048	Bdolhc32.exe
840	Bkidenlg.exe
3092	Cacmah32.exe
1208	Chmeobkq.exe
4040	Cbcilkjg.exe
4840	Clkndpag.exe
4944	Cecbmf32.exe
5012	Chbnia32.exe
3428	Cajcbgml.exe
4872	Cdiooblp.exe
2104	Cbjoljdo.exe
1248	Chghdqbf.exe
3484	Daolnf32.exe
224	Dldpkoil.exe
1668	Dboigi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hkkhqd32.exe	Hfnphn32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Eadopc32.exe	Elgfgl32.exe
File opened for modification	C:\Windows\SysWOW64\Hckjacjg.exe	Gdjjckag.exe
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Pegplgln.dll	Ojopad32.exe
File opened for modification	C:\Windows\SysWOW64\Hbgmcnhf.exe	Hoiafcic.exe
File opened for modification	C:\Windows\SysWOW64\Bdfibe32.exe	Abemjmgg.exe
File created	C:\Windows\SysWOW64\Kpjcdn32.exe	Kmkfhc32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Dohfbj32.exe	Dlijfneg.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Kpmmhi32.dll	Dhpjkojk.exe
File opened for modification	C:\Windows\SysWOW64\Gfngap32.exe	Gododflk.exe
File created	C:\Windows\SysWOW64\Jcpfco32.dll	Chghdqbf.exe
File opened for modification	C:\Windows\SysWOW64\Ipbdmaah.exe	Ifjodl32.exe
File opened for modification	C:\Windows\SysWOW64\Jmhale32.exe	Jfoiokfb.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Ijhkffjm.dll	Cdiooblp.exe
File opened for modification	C:\Windows\SysWOW64\Jfeopj32.exe	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Ghaddm32.dll	Cajcbgml.exe
File created	C:\Windows\SysWOW64\Gfngap32.exe	Gododflk.exe
File opened for modification	C:\Windows\SysWOW64\Hmjdjgjo.exe	Hecmijim.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Ebooppnl.dll	Odpjcm32.exe
File created	C:\Windows\SysWOW64\Fnhfnh32.dll	Cacmah32.exe
File opened for modification	C:\Windows\SysWOW64\Edihepnm.exe	Echknh32.exe
File opened for modification	C:\Windows\SysWOW64\Hcmgfbhd.exe	Hkfoeega.exe
File opened for modification	C:\Windows\SysWOW64\Icgjmapi.exe	Iiaephpc.exe
File opened for modification	C:\Windows\SysWOW64\Kimnbd32.exe	Kfoafi32.exe
File opened for modification	C:\Windows\SysWOW64\Kdgljmcd.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Lenamdem.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Jbgkimpf.dll	Dldpkoil.exe
File opened for modification	C:\Windows\SysWOW64\Jmknaell.exe	Jfaedkdp.exe
File created	C:\Windows\SysWOW64\Leihbeib.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Kmkfhc32.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Qecppkdm.exe	Peqcjkfp.exe
File created	C:\Windows\SysWOW64\Dlgcki32.dll	Ajkhdp32.exe
File opened for modification	C:\Windows\SysWOW64\Cecbmf32.exe	Clkndpag.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Pjkolmml.dll	Fchddejl.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Qgphkcho.dll	Obdkma32.exe
File created	C:\Windows\SysWOW64\Geplnioe.dll	Faihkbci.exe
File opened for modification	C:\Windows\SysWOW64\Jfhlejnh.exe	Jcioiood.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7280	8144	WerFault.exe	366

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doeiljfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjegoo32.dll"	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eekaebcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehnglm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hihbijhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnnjen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chghdqbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flqimk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glccbn32.dll"	Iehfdi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgkmfoj.dll"	Glhonj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alfkbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpcon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmcmk32.dll"	Alkdnboj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpili32.dll"	Elgfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkmlofol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmjdjgjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcfcfldc.dll"	Aegikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekcpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linjpeof.dll"	Echknh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpaeonmc.dll"	Bkidenlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bldgdago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbgkimpf.dll"	Dldpkoil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obdkma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eekaebcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingapb32.dll"	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjhib32.dll"	Aldomc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4900	5028	11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe	81
PID 5028 wrote to memory of 4900	5028	11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe	81
PID 5028 wrote to memory of 4900	5028	11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe	81
PID 4900 wrote to memory of 4660	4900	Ljnnch32.exe	82
PID 4900 wrote to memory of 4660	4900	Ljnnch32.exe	82
PID 4900 wrote to memory of 4660	4900	Ljnnch32.exe	82
PID 4660 wrote to memory of 1812	4660	Lphfpbdi.exe	83
PID 4660 wrote to memory of 1812	4660	Lphfpbdi.exe	83
PID 4660 wrote to memory of 1812	4660	Lphfpbdi.exe	83
PID 1812 wrote to memory of 4472	1812	Mciobn32.exe	84
PID 1812 wrote to memory of 4472	1812	Mciobn32.exe	84
PID 1812 wrote to memory of 4472	1812	Mciobn32.exe	84
PID 4472 wrote to memory of 2968	4472	Mkpgck32.exe	85
PID 4472 wrote to memory of 2968	4472	Mkpgck32.exe	85
PID 4472 wrote to memory of 2968	4472	Mkpgck32.exe	85
PID 2968 wrote to memory of 1396	2968	Mjeddggd.exe	86
PID 2968 wrote to memory of 1396	2968	Mjeddggd.exe	86
PID 2968 wrote to memory of 1396	2968	Mjeddggd.exe	86
PID 1396 wrote to memory of 60	1396	Mnapdf32.exe	87
PID 1396 wrote to memory of 60	1396	Mnapdf32.exe	87
PID 1396 wrote to memory of 60	1396	Mnapdf32.exe	87
PID 60 wrote to memory of 4432	60	Mpaifalo.exe	88
PID 60 wrote to memory of 4432	60	Mpaifalo.exe	88
PID 60 wrote to memory of 4432	60	Mpaifalo.exe	88
PID 4432 wrote to memory of 2436	4432	Mnfipekh.exe	89
PID 4432 wrote to memory of 2436	4432	Mnfipekh.exe	89
PID 4432 wrote to memory of 2436	4432	Mnfipekh.exe	89
PID 2436 wrote to memory of 3048	2436	Njljefql.exe	90
PID 2436 wrote to memory of 3048	2436	Njljefql.exe	90
PID 2436 wrote to memory of 3048	2436	Njljefql.exe	90
PID 3048 wrote to memory of 3288	3048	Nceonl32.exe	91
PID 3048 wrote to memory of 3288	3048	Nceonl32.exe	91
PID 3048 wrote to memory of 3288	3048	Nceonl32.exe	91
PID 3288 wrote to memory of 3472	3288	Nqiogp32.exe	92
PID 3288 wrote to memory of 3472	3288	Nqiogp32.exe	92
PID 3288 wrote to memory of 3472	3288	Nqiogp32.exe	92
PID 3472 wrote to memory of 4796	3472	Nbhkac32.exe	93
PID 3472 wrote to memory of 4796	3472	Nbhkac32.exe	93
PID 3472 wrote to memory of 4796	3472	Nbhkac32.exe	93
PID 4796 wrote to memory of 4024	4796	Ncihikcg.exe	94
PID 4796 wrote to memory of 4024	4796	Ncihikcg.exe	94
PID 4796 wrote to memory of 4024	4796	Ncihikcg.exe	94
PID 4024 wrote to memory of 3972	4024	Ndidbn32.exe	95
PID 4024 wrote to memory of 3972	4024	Ndidbn32.exe	95
PID 4024 wrote to memory of 3972	4024	Ndidbn32.exe	95
PID 3972 wrote to memory of 4960	3972	Ncnadk32.exe	96
PID 3972 wrote to memory of 4960	3972	Ncnadk32.exe	96
PID 3972 wrote to memory of 4960	3972	Ncnadk32.exe	96
PID 4960 wrote to memory of 3900	4960	Odpjcm32.exe	97
PID 4960 wrote to memory of 3900	4960	Odpjcm32.exe	97
PID 4960 wrote to memory of 3900	4960	Odpjcm32.exe	97
PID 3900 wrote to memory of 1280	3900	Obdkma32.exe	98
PID 3900 wrote to memory of 1280	3900	Obdkma32.exe	98
PID 3900 wrote to memory of 1280	3900	Obdkma32.exe	98
PID 1280 wrote to memory of 4260	1280	Ojopad32.exe	99
PID 1280 wrote to memory of 4260	1280	Ojopad32.exe	99
PID 1280 wrote to memory of 4260	1280	Ojopad32.exe	99
PID 4260 wrote to memory of 2468	4260	Ocgdji32.exe	100
PID 4260 wrote to memory of 2468	4260	Ocgdji32.exe	100
PID 4260 wrote to memory of 2468	4260	Ocgdji32.exe	100
PID 2468 wrote to memory of 2112	2468	Onmhgb32.exe	101
PID 2468 wrote to memory of 2112	2468	Onmhgb32.exe	101
PID 2468 wrote to memory of 2112	2468	Onmhgb32.exe	101
PID 2112 wrote to memory of 1392	2112	Pkaiqf32.exe	102

C:\Users\Admin\AppData\Local\Temp\11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\SysWOW64\Ljnnch32.exe
  C:\Windows\system32\Ljnnch32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\Lphfpbdi.exe
    C:\Windows\system32\Lphfpbdi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\SysWOW64\Mciobn32.exe
      C:\Windows\system32\Mciobn32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Ncnadk32.exe
        
        C:\Windows\system32\Ncnadk32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Odpjcm32.exe
        
        C:\Windows\system32\Odpjcm32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Obdkma32.exe
        
        C:\Windows\system32\Obdkma32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Ojopad32.exe
        
        C:\Windows\system32\Ojopad32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Ocgdji32.exe
        
        C:\Windows\system32\Ocgdji32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Onmhgb32.exe
        
        C:\Windows\system32\Onmhgb32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Pkaiqf32.exe
        
        C:\Windows\system32\Pkaiqf32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Peimil32.exe
        
        C:\Windows\system32\Peimil32.exe
        23⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Pbmncp32.exe
        
        C:\Windows\system32\Pbmncp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Pjhbgb32.exe
        
        C:\Windows\system32\Pjhbgb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Pkhoae32.exe
        
        C:\Windows\system32\Pkhoae32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Peqcjkfp.exe
        
        C:\Windows\system32\Peqcjkfp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Qecppkdm.exe
        
        C:\Windows\system32\Qecppkdm.exe
        28⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Qloebdig.exe
        
        C:\Windows\system32\Qloebdig.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Aegikj32.exe
        
        C:\Windows\system32\Aegikj32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Abkjdnoa.exe
        
        C:\Windows\system32\Abkjdnoa.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Aldomc32.exe
        
        C:\Windows\system32\Aldomc32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        34⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Abpcon32.exe
        
        C:\Windows\system32\Abpcon32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        37⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\Aealah32.exe
        
        C:\Windows\system32\Aealah32.exe
        39⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Alkdnboj.exe
        
        C:\Windows\system32\Alkdnboj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Abemjmgg.exe
        
        C:\Windows\system32\Abemjmgg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Bdfibe32.exe
        
        C:\Windows\system32\Bdfibe32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Bhdbhcck.exe
        
        C:\Windows\system32\Bhdbhcck.exe
        44⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Bnnjen32.exe
        
        C:\Windows\system32\Bnnjen32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\Bjdkjo32.exe
        
        C:\Windows\system32\Bjdkjo32.exe
        47⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        48⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        50⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Bdolhc32.exe
        
        C:\Windows\system32\Bdolhc32.exe
        51⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Bkidenlg.exe
        
        C:\Windows\system32\Bkidenlg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Cacmah32.exe
        
        C:\Windows\system32\Cacmah32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        54⤵
        Executes dropped EXE
        
        PID:1208
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        55⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        57⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Cbjoljdo.exe
        
        C:\Windows\system32\Cbjoljdo.exe
        61⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        63⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        65⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        66⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        67⤵
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        68⤵
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4256
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        70⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        71⤵
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1816
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4552
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2324
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        76⤵
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4800
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3180
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        79⤵
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1536
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        81⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        83⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        84⤵
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        85⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        86⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        87⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        89⤵
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        90⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        91⤵
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        92⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        93⤵
        
        PID:624
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:116
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        95⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        96⤵
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        97⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        98⤵
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        99⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        100⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        102⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        103⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        104⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        105⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        106⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        107⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        108⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        110⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        111⤵
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        112⤵
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        114⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        115⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        117⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1436
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        119⤵
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        120⤵
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        121⤵
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        122⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        124⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        125⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        126⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        127⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        128⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        131⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        133⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        135⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        136⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        137⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        138⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        140⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        141⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        142⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        143⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        147⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        148⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        149⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        151⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        152⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        153⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        154⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        156⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        157⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        158⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        159⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        160⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        164⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        165⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        166⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        167⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        168⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        170⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        172⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        173⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        174⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        175⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        176⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        177⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        178⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        179⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        180⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        181⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        182⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        183⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        184⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        186⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        187⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        188⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        189⤵
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        191⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        192⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        193⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        194⤵
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        195⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        196⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        197⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        198⤵
        Modifies registry class
        
        PID:6680
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        200⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        201⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        202⤵
        Drops file in System32 directory
        
        PID:6852
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6896
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        204⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        206⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        208⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        209⤵
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        210⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        211⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        212⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        213⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        214⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        215⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        216⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        217⤵
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        218⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        219⤵
        Drops file in System32 directory
        
        PID:6824
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        220⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        221⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        222⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        223⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        224⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6224
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        226⤵
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        227⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        228⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        229⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        230⤵
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        231⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        232⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7108
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        234⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        235⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6512
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        237⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        238⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        239⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        240⤵
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        241⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        242⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        243⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        244⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        246⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        247⤵
        Drops file in System32 directory
        
        PID:6836
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        248⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        249⤵
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        250⤵
        Modifies registry class
        
        PID:7184
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        251⤵
        Drops file in System32 directory
        
        PID:7228
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        252⤵
        Drops file in System32 directory
        
        PID:7268
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7312
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        254⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        255⤵
        Drops file in System32 directory
        
        PID:7396
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        256⤵
        Drops file in System32 directory
        
        PID:7440
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        257⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        258⤵
        Modifies registry class
        
        PID:7528
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7572
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        260⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7660
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        262⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        263⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7792
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        265⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        266⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        267⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        268⤵
        Modifies registry class
        
        PID:7968
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        269⤵
        Modifies registry class
        
        PID:8004
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        270⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        271⤵
        Drops file in System32 directory
        
        PID:8100
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        272⤵
        Modifies registry class
        
        PID:8148
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        273⤵
        Modifies registry class
        
        PID:8188
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        274⤵
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        275⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        276⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        277⤵
        Modifies registry class
        
        PID:7432
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        278⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7504
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        279⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7580
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7644
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        281⤵
        Modifies registry class
        
        PID:7724
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        282⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        283⤵
        Modifies registry class
        
        PID:7848
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        284⤵
        Drops file in System32 directory
        
        PID:7912
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        285⤵
        Drops file in System32 directory
        
        PID:7976
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8052
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        287⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8144 -s 396
        288⤵
        Program crash
        
        PID:7280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8144 -ip 8144
1⤵
PID:7216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abkjdnoa.exe

Filesize
483KB

MD5
693247c574806f5f96fef5f0e8fd2d17

SHA1
1f1f1f2d398eb91e940ee97483443b99c10b5bdb

SHA256
793a89cf3f3d90b10ef81bc9a15e1d5acc7be12f2fe9750d9735e358c3f90b3a

SHA512
dddc1aa67956d431437ace9958b4460b9f91513b86c27a7a2f1b652a27357c1aca71754aa24a9efd942d49d557347feb101fd8038accb7334ab248f4fe907651

Download Submit
C:\Windows\SysWOW64\Aealah32.exe

Filesize
483KB

MD5
a38da299e1cfb61281c6566797bc6473

SHA1
1b58b0d9f1554eb08057a7accea211945769109a

SHA256
5b63aeee2ff7e3d00c732f77a4d3fd6c1185dd8644f13cbbc493b574b4c33893

SHA512
d86df0492519e750cbcc8f7c76985ad00fd5ecd36eae522e4a921a8b706c2c077955504909065075ddb649318b72e53e48673ac7fa24800f18842e51759bdcd1

Download Submit
C:\Windows\SysWOW64\Aegikj32.exe

Filesize
483KB

MD5
82c509f1b4797a2e6ffe32cbe68dcc66

SHA1
9180d6f53399e658c011cf71471bc66cd4599568

SHA256
f1512fe98d6a516462b14bf45caefb270628990e7c3cbc0ae695ceccbf3b106f

SHA512
bee6b23f57eaa905d3bfc7840cd7209d8bef7af75ea74497b81fab7dfe8d30dabe692fa25351ac770cffa6a26e7d86823c9def11ce2017d370a14f07a43e5d5e

Download Submit
C:\Windows\SysWOW64\Aldomc32.exe

Filesize
483KB

MD5
e23621727d912a990c0aab1ee2c9bf60

SHA1
42ff908122c9c5a8012a3f57ff3d777559fee1ba

SHA256
6e2d32369e5a571d73382ee94c676ca951cc634b838e62265930e4a0017b6b5c

SHA512
3e811aec52303b5780396ea421bd360e79826664456ef061b8d2ef3de75aaa2fef91eb71171773509bf1641e4c69cb67197a389ad2854320fe2f53f2d00f490b

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
483KB

MD5
e7dd4b8a0124707484d723a0f87e67c5

SHA1
0418db94842420d50b2b0227d148b90ab4793af5

SHA256
04fb1d58786ddec148a3ffd67a936da5957baf0b3c96c35238a7347313d022ce

SHA512
7acfd6e3fa967c6b161394db7e416217027b1db37b37376029a0091dbf77da297ee2c8381db0dcd8a373f1cece573351fa076fb53d1dd527f3f47597dcd27f78

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
483KB

MD5
2f0a6ea30167fdac1b94365949733fb1

SHA1
db0e552796117b97bfd48bbc3ca16fa0e95ed2dd

SHA256
ddb37f9b5a73a1be91cfa723edba3824942fc6c88f2dfc4ad613b45553d807af

SHA512
77510db182363380ec6b0ef3e54acc5be901b33f4066314f76f1270f76dcf83a8bd879c70e7a53fa0e3722321fd5fb141b4ec3900aa59f6bafd8f3218e3829ff

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
483KB

MD5
a258b8349351915c12cef861dc1e5aea

SHA1
2973cd857671f75b10208fa9128c4cbec9616924

SHA256
d2ef6ccc7e382ca60a9f795248112bd5fb27cc4278f7da2d4ba467b17479f09d

SHA512
0d19828686e8b0e4b93a8735d7091e0863633211a951ab0ad5203669b6101b9152ca9e73526a1965bf01b1598b4297cd6dcdf504e9369b165e04194c8f888d08

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
483KB

MD5
0f74ee37786a0eb9877c15ca10d242ff

SHA1
f831745a595b298af5c2f46dbfffe2dc8035a595

SHA256
6e05090be9fac4b42b6811f7b37725d67f38df7441b0d05210368f9ce505a11a

SHA512
17f007219e6c958239fd97a803b65e6d389f9bfd5ce9747bdf8d57b0d3aa3e20a98f2bb973312aa72eaace1985f735de2b8ca8968245fb1ac92975878c66780a

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
483KB

MD5
6b6d69a46e464908da186bb4c68dfe1c

SHA1
5eb36c595992c0992486c29f81077e66741f3fba

SHA256
4a6770266b1e5452c5bf2864f3c97b1364b13c6a5429d1d23793ba6e4bef1b54

SHA512
32989e84669d4e08f31c7740cf7cdc125ae61bf7ac165966954319b3214d37701cd3cf8692f04bd3908fe35ff452bc203a9601dcf7c14200b26271615cebece1

Download Submit
C:\Windows\SysWOW64\Bnnjen32.exe

Filesize
483KB

MD5
86aeecbef7e419d36fb252c587eaa049

SHA1
640109347b9e16f42a42c21d7b2d580ed172d900

SHA256
c4784d20bdec7b87f5bb05e4d737e6d6c30450c6d2fbd4570769ad9c0297602c

SHA512
e1702c5433b8e3cdc67cdde0bbc25e460ee94479dc69019edfd37fdf710c08bdce5ae833b1ec4b0558ea932d301f4ad106c4872a16cefe6491f759920914d4f9

Download Submit
C:\Windows\SysWOW64\Cbjoljdo.exe

Filesize
483KB

MD5
ca2646bff8d558c91d5de980873aba92

SHA1
37d08c57754b9c502a30639e4ec469506c7aa447

SHA256
3b8e51b794d457dcab4aba0072c4c9212a0e7f7518304da333f44a3b32ba3b0d

SHA512
02508e1670e6e908bb10486450d8e8ba545e2c48f039413546857ba6d3474c30ed31b3b0bdc7cc296c1077fe7762ee479d810b062945abecdc1d838d448b55f0

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
483KB

MD5
c7bec0ae4f004955e731f2897726285a

SHA1
2fc969c674feb8345cd4e2a4e6a2fd1e6c5e4744

SHA256
2353c1518a05fe035612ac02d7d433c923c11b16e4b417f7e06ab96d565571c9

SHA512
cac3a58cb4e591b7ad1b02b26a47271754fb657e019b669dbe9395dcab54494c95d92243e9cf3516f88197f2ca0001496d27c5855b2602e6d771a83df8a5b830

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
483KB

MD5
55c620cf0d7d8dfb5826ce618578f849

SHA1
f117179558acf42a4a5c6d1db6c349e7d6d837ab

SHA256
4c7e2406848d61349049061811fade727d623e231c3d462fc7b37be86e264f56

SHA512
bce931fbf378fa06d6a63e01997f48c375739aed7a0f79c6d43d912a7d4cc62df94900d69d5e8aac048c81c9db8917e09ad1aed9b7077097c9f88eb8107e782b

Download Submit
C:\Windows\SysWOW64\Clkndpag.exe

Filesize
483KB

MD5
655c1e38e4309fc61ebe4150f898b303

SHA1
f84caf862b2c4f5c9ae2a2fddebcd7721d9844e2

SHA256
0aa86e9bdb32986e6a43faadb31ed16afbd6cfe2ea5ba9406b5af4660dae55c8

SHA512
d8f568003e388ab76a36195ac6fa35251d9deb3b8ed69f0cbf8e3ad8ad15509426fcdb0182016aa412b6d0e2c54a5793d47a32dd302aa2380dc2c5ca414bdc5c

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
483KB

MD5
84643cce8b7409cffc7453853b1d0700

SHA1
4a3486383867491eef5385fcb5c4f0048f984ea5

SHA256
373ed79aad92614629302ad9d0c3b64f2bee61f222d000b39b705c4ba0020d61

SHA512
5e37f52e41d93e0dee8f0ee1dd33d68f3c61d9984583b2062faee398f23e863352774246c8e74a150c6176abd091d61064a769d073f5e1e1009589bd61f77e4d

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
483KB

MD5
5d282cafcafba5936c7d58ec02cb5c34

SHA1
2d6e54d89fbfb245817079647b906f364d94a2fb

SHA256
ec2b11e6310948dad126d5e2d052e4675abf3dd12c3cb0bed4c02b9616f86d02

SHA512
b9e56a51865f22707b5325edbad72c9664bf753abe684d7cbd241c291bef867e2747ebc503b8cd8faea878defb8fbcabf03be1b41506ee56e8a3f97219b2ae04

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
483KB

MD5
d686566941c912d983eff7ffdcd4ffbe

SHA1
fca6a136bdc53befa795ab4748eaa81adae65173

SHA256
3adfaf666301d7a202b83a97cba617b3c8157d0970e289e266c080ab0d3747e7

SHA512
f0c4275e4123f4e0c73da473fe2a1ff6d5ddbec20f98ebdaad1cea0c7125b952342b63e642649bbe81548d85f2b3a2745928b22f0d464339e80628fbf7c87bdc

Download Submit
C:\Windows\SysWOW64\Dldpkoil.exe

Filesize
483KB

MD5
c560fee34e3557e3a094197f35b63306

SHA1
543128eefca86db75cf7aa50eb817cd5ef9c5065

SHA256
cbb4e669ffd40229c9d673653c8932893f62cce17d55381e6c029a2d9cfb979e

SHA512
3ea360f2f0990baf957e2c96a14c18b00052f296e61d73d7249995c35b1645f710d242c34463b7ecae9f13e06a9a9b63a8d1dd043fb5807ecd3a69fcc82dda0e

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
483KB

MD5
b585f652f8e756a6f3aa8c8fc5a23ef5

SHA1
1017d6adbb528f4a3ad72834d0e9f9f136435a67

SHA256
204ea1b3457cac44aeedb833925b7c0b175a91993c1ce354bc3410558d448684

SHA512
a56858f07fa1e856a17ed057815fc77308d91bec2fd09f3d369e074904880f7ce12946b2607050eb3ca026871b8be1f4a2fa1abe9334880db3da088e0f4426d0

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
483KB

MD5
f98af965b82bbd1c7110b54f2d23f9bd

SHA1
6193851067479ad59ce3741e132787b8eafbecc5

SHA256
767b2379bbec2dc9f5e2a3dfcf7bb5470ae9e0fa7db65d47a1058ae0fa81a030

SHA512
06d626406cd84e0e5b3521222af43aa4f77d473b0b0ee34959bf8a3bdd17da1e433087973dbeccf5f943464ecab0ec46d85c8037bdb1fa4499984f6c5d2074fd

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
483KB

MD5
684d9e73cf2e5c5aa75c24893e76bcd3

SHA1
ee8aa9db3f10905c6a851848c505aa22b39ae033

SHA256
77ce2035eec26096ca321b67e18ba50ff57049bc9fc6e7b277f25c8f2e8cc031

SHA512
1afcf63b3ae394c2b5c947c1a8b9fe937427bc0b79741c3e2d160eed52ea2e4989834bac90792a8e6d54c3641b81dfacac4620f02262668386438054ae494bc0

Download Submit
C:\Windows\SysWOW64\Edkdkplj.exe

Filesize
483KB

MD5
5a35c3018f50594206039b8f16583d1a

SHA1
8cd4928acf2271217f432a593e8caf56504e6ba9

SHA256
5bfe5c50f4362bb680ea2ff2a3368d14b1e799dfbc1c90ecfbf7dc047f6c5e9b

SHA512
bf512de8071228ba4440807adebd2775c958808b49c70eb54970002e76f9d1cbd7f57dce370e1de0eddd52480b515f7a6dc86c16af6bc6f5386af921c94d5f34

Download Submit
C:\Windows\SysWOW64\Fchddejl.exe

Filesize
483KB

MD5
a9e9a4d3321b6a8c3bdc5377f786bd35

SHA1
10232c67af2fc55bb9f59c24a1d46b89514664aa

SHA256
84dae8ad7ff55b303b05ce3774c59cab54e45d099bf3ab8aa6331f005642f604

SHA512
36d76b3d55c334053a852ecc90027dd5b93cadc5a23bac0cc99cbb3fcb3b0aee5c40dc82b8b418b2a0f934f36e9999c87437cd17706e2ab2d0a2119ded686b26

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
483KB

MD5
5c3d2a63af264c94e61df921cefca950

SHA1
178e58350853e0ef4a6f13ecfb2cd6df797d0cc7

SHA256
3cad8ade98eb4644dc5d8b2c52d53fe996c871cb7b685015f39d1878916bcf9b

SHA512
11b015197099b246d7ea7bc31936ec19f6be706424827673dc7aa16576e16f312cbed1743bcef01209ccf488571b380baebe49dd2e61024aac64fa835a1a57a9

Download Submit
C:\Windows\SysWOW64\Gdcdbl32.exe

Filesize
483KB

MD5
a7365f4fd7a3e037a1d99102c6a597ec

SHA1
888a41cf36f32622a886efbc62ad275dd9955bdb

SHA256
be05c71e2d5d92ecae57b45df7e86d297525f7b2910567c0126c352a7cd6c6a3

SHA512
6d7d8866645b69557a33f04f878872ad3cb0cf9dd979ffb2b329f1b37680d6028384bbe06d00af82bb5c20e388b40c142890587554d22e7c503b192ee5f157a7

Download Submit
C:\Windows\SysWOW64\Gdjjckag.exe

Filesize
483KB

MD5
3177100c033944ad5a2b3dc92c4b5dfe

SHA1
baf9e8da19fccf5a4d00855d3485014c34a901a0

SHA256
ad5fe9370d796891422eefec5e2a3dc86e690630eb5d396bd4607215c5c75b81

SHA512
960bd6cb5fbd34c7b4e26882547f3d92958fce1cf792d1227e25684c2885722974cc0b5fe27dd901415a73d0ba0ad1205399bc44c1bc74674ab52280c76f7122

Download Submit
C:\Windows\SysWOW64\Gododflk.exe

Filesize
483KB

MD5
2345682fc33cefd9d8d9795b3dc9a1d0

SHA1
8900509cad395972ca09df9fa90c21c4c8e161c6

SHA256
05c97ef13e47f3915234e4b53bf3731f189eee054e4b553d533fd6390b03d8c7

SHA512
5882e50bb871cf05753bf370b2c29f71037d872b0b410602f6484aa21d47c056c1dc536f6530204d7e4d6577c4f754b4cec34685793e119cb248e21c52bd0bff

Download Submit
C:\Windows\SysWOW64\Gokdeeec.exe

Filesize
483KB

MD5
64bf4c0cd1c8040a94d9924c9047c252

SHA1
0e6bcdd784a19e9222653fb839364195fc95ea51

SHA256
f4bfff378a0aec8c5f4109ccb1b71f442aebfca61d5a32bb8804f908d5dd6031

SHA512
37f357e4ad3544372a1ae60cb4349a1e16bd6c83256b339eb0ed61ad4f9a4acc4e37decbff4db1ae6785c231e16ef2e18e1a07e9d76851a80f2263a7cbfd7046

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
483KB

MD5
e4e5068144d332cceeea430b471194dd

SHA1
95c9ce4fb6ef5304c04c7ec19cc4483798163ceb

SHA256
5b8e4e6b2ebcb174b43c57cfe250bad9c19b6bbd06fdaa206e3d7d6081efdc07

SHA512
bc0aba3793df14fa2e8a992c216cac1dba82cf3c0b021806132ee7bd82a6a04e204c3a18e9702a346d29bc0a9bfeefdd44661051162ae31216bd449fbd051de3

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
483KB

MD5
dd1d6e9fba4c19602e91ad05318b5c8f

SHA1
affa6c106053e3c6e47d24cda7efb27fc40438c1

SHA256
f064e212e97cba7dcfe7e5453d599e22ed13c00e1ca1105082a06bdffc7818df

SHA512
2a601b52016269f0ccc207b597dc0db93d7760d0c2bc424e682b17461e6acd0c1c3a6f8aa8e0437a0143e88f387e8fbf472beec7d84ed5556498a3d4d7a929e6

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
483KB

MD5
1cc72df3ad07edc571770f57525ed33e

SHA1
b8f84b34ca9d1b28c33fdcc1a01cc802ec55902e

SHA256
1c4725dae86a7f7375d99451275f44ef24db50c80b333a15b2fd20e86faa977f

SHA512
1a7a956fbafd46b031af93c5e4f94d6a5260b88c512b7942ed64c7b15d79fd10bcae2de4bbbcee2c97e8fa475657cee9ecd1fb32fb69a9865e72f05095963fe8

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
483KB

MD5
4e43b8a12bb5a4c71a3dc255f1a9cac5

SHA1
62e941d4b6266b67c7c22e91cc5d51100071850e

SHA256
d9016a051209838d38eafa48d03f690bbe89d7fba55a78b851cd16beb352ab5c

SHA512
ad6d71379df083cbb6d19246ea5cc0c68580312442028a6d5563edf878f8f605ddd0a7f77b241b7e1eea942f22c5ec89795c662e8c376c160bd164647cc6da47

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
483KB

MD5
7a50eeb7c25b4024068eb2833d7666a8

SHA1
44c616cdb1df3957fb99e7f422eca2bf3f624b62

SHA256
71701a8cef3297e038800432afdbd4e1c221e3b5f41c5e3871491dc39b4e5bc4

SHA512
3708f8ce52425b7413bd5e29a05fdb17fd66e449ae4bbc1bacf082f7fc7776f3a247a0a3e90dea28353638bc69dca6082b0fb4ca2a06aa5466ccb7069da03020

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
483KB

MD5
368bf131add4b26cad1fee760afc6182

SHA1
f6440bcfa2a5a2628108d69432fb3df6c8de26ec

SHA256
3d602bc6f65a566a703039dd150fd4d51c44360892cfe3156d95ca348ace7050

SHA512
f0d8bbf5bd718aa03682b58c2b05801c43fc525e038587bc96aa854a6b2415c90832beb2305c62f091de653b1e65b982710b1932cf822d7732002cde5c918e8b

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
483KB

MD5
e7a5475c72161f439dff918ef057074f

SHA1
ead94841ba88364a1357e064520acad61855300b

SHA256
a019a5199d6571025450a076141619af826d9e6c66cb86a5407cf094b6a8545b

SHA512
71f117c38c7c6446ab6c088c301d48f2d9d6b041e1cb0142ac588ebeaf90238b1eaa108a1b26d5fc67276f4bb3e8157c2ced1434fe12cc3e1212bc16093fc236

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
483KB

MD5
828bafd018f6fa5fb12a854f7cb45948

SHA1
0053687293a8cd3d2893e955c92e1f081bb0be8f

SHA256
656f687cf66bfc4b3cc2f04e81879105111728e4d51ae46b1f289e29bd0d6761

SHA512
76af9cae74a8379eb7fdba151729ede702098f509b089227360fd623bf7462ad14729920f6b0916f8fae9c65f1c3b8b2d2a0e1b35ed3f8dcf3f2616dcfbd3174

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
483KB

MD5
0d9a6a26ae8fb15afe197d6089adecf1

SHA1
ffb783765a21126610804b1202e5848c0529ee1d

SHA256
10231a65bc0687914791112345b2bec40da7fdd64ffa46751bc93da094a4a3ab

SHA512
b0da096d892f77b6fe71c37ab338d9a3fc0ea119a964c1c1c0e5c07e5e4ecf4bd507941eb85cbbc29de15dd18cf0fd4a4ee35030fd165397e0ea64bf3f4a974f

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
483KB

MD5
b203651c614b24e27afe00c0114344ec

SHA1
c02b7d75b6cef770987b96bb0d5ab77aaf03ee69

SHA256
c674d63cb29f481f948f7a9f8410eb77129a0add4d50b708bd8254e1c918ac96

SHA512
cc5e594bf926f71dc1999a59938c4feaddbeb0a49e917a1fb0f4da697843d356810e6a1cb0ae22ba35e1321578b3aaddae5e00bd6ff204b5588212aed9240cf9

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
483KB

MD5
ea08d730e8f4bd92de85ae7ef64e3ef4

SHA1
3a1e6ee90ba041902d6e24f8631f7a9bc60fbbb9

SHA256
fdc6b59e0742f5d35dc8c40eadfa5269da4cba317fe4c230c0093006650dd197

SHA512
fa9750be21031390a7147030a8030f08c440a9788e06483ec7b3079ee68ac925cc4bf47f4192fa52c5ad3b3c6d59fa52158af55ed179481c501b0d2a48e95e5e

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
483KB

MD5
56c822bb96454558ef4cf024eb8e8859

SHA1
1e93610c783b64bdf9e73e1db02968c42e8d1f50

SHA256
b7ca0f0f831ec7b2dee8215eb15f6d2b971b7a1780f8a0dd885d2e29af0e69de

SHA512
dafcc33df087115f583aeda8ac00b7c5d46a06d8812b463f43a0c4928c0a42084b3775482f0cf7f521dd1258bcc6a39f9dcb215fe9e9d73852f7afbbd67b3654

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
483KB

MD5
ee5b915972c487ac17172ff804469232

SHA1
dd67e7da5c02ef0a59644b3a22b0a7d6b25b3c0f

SHA256
a86cadb075fd853f1bbb470fa4805718c0ae2178d453bbb0c28d66d5896bdec1

SHA512
accb1a57d30f092e759757f4560cbc5f40e3b1b842bf413704cb573ecdca1ab3c253ee33f18149498ba01aeba4f5aafec4dba89057475cd8679c18f205b30021

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
483KB

MD5
ad2e2c3c4bacf41b163fa29815c6c45f

SHA1
1ceccd23b41044358a5359c52d153076acef724a

SHA256
2f955047de222531cce13995a5a2fd9378db1e9db2a4a8b1f892adc404ddd992

SHA512
0354b3de122a613aae62a77f99b87aaa3ce6e2440d10b5b16bd7300033c8990aec27073520d746dc5626f76f15b808f809520c97f9a616738e534f759f081c27

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
483KB

MD5
946ba550e6818353cfa931ee7c31d80a

SHA1
84a083d647cc18565bb1599496ec519da98f9480

SHA256
4145856663967bc8743943871064901b44b3ee9c35dd6e1fd0198fe7ee35e167

SHA512
33824ded6eaefa8b63fc13cc0c365885585ac81a64533aa9c80b4f4f251824f60fdcce513c3c960554bc8bf95a92d08cb9985a662f19364114f812083c824d4e

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
483KB

MD5
9ce3708c6b0e9d4a6f10111f6a04ac35

SHA1
2743857d6a21a0a6b2c54fb4f4dea7ba24bf26cb

SHA256
b66675be2ddd0b0fae70a3faba69bbf44175faa759b9f69724f4809fb9b178bb

SHA512
8cf1942d2571d29cb9dc205dbbb71790b0a31c079ea4f6c6040485c0bdc155d5b039ef188acbfa204d0bd8ab0a92c73a8016ec868c497a85d41e33e3a8aa39bd

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
483KB

MD5
3bcf957ff10838e2146023909b189e16

SHA1
10e03b1ebde37ebaf97ec8455c2d23a2a4f22c6c

SHA256
f9284f8d68e36a92ac3ac924094a1c9ad60ca326227e1ceb90bbe12dffd954b9

SHA512
e2b303f576f5fe109f7bd4d4a2f322aef480098c043173177ab5ad0eea66290df07cf23c58d37983615bf55bf44d43c57337fe20ec85db78a0d0f34982271069

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
483KB

MD5
953ca73820ce0ee92d6e637b32d3bbab

SHA1
3099c71a9012617529eeb46ec88575b361a7fa4d

SHA256
eff71404e7335a94b82240a10858f8fb62f620bfbe6900f6eea453e308aa6269

SHA512
1a5502303bd21af6a81efaf47592fc2c063a638e7d8a15cc8852d71536a3ecd3df73a1c4334afb6d519ac235b3534a267c401d6fcc3f132e3131b26d1a784aba

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
483KB

MD5
5a0bd4ac3a94be3846a7a53f40c93d2a

SHA1
cf170e84930e0ec3789b6c645de26a31ed6d3e2e

SHA256
5261244cca46ef065c0843f36d5af1c1a6b05cd4a9cec2a59eb99d22b2ff4f15

SHA512
2046f71d3cf09b28bb212fc5f5785ab97ab27e6a38d8ad6a4e72d4aa49317c22f79e596c0c316713eaede37fbdab87624adbe58a6f31121fee2da4c3de80d73d

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
483KB

MD5
5d4e6486bf88226dd5640b657fb06c3d

SHA1
57636f1ecbbb1db90ec733dbf822e1b8b5654f5b

SHA256
0d9904b764de58baa55e01858f5fa7ffb8c7acd856cd986835c049b4c6bf2635

SHA512
498165bae867276251995e53ff833d445ebaa56849c5b3d26f01bd1a63203c4011a6f3d274a50c26377a39684d2340702443632729c392af5fb0ed6923b22911

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
483KB

MD5
3da150c21a99434b62de68c96fb0b676

SHA1
e9fe3ef00f6e3732330deb4ae316870c0e128285

SHA256
4d5ecca479ea5a12c4b6e4b6b437c602bfd6a167d8c4ca96b4b874010de47b2d

SHA512
f4a670443197dee9376d92350eac36da3a45ffa8da81ca433d6c46d2fa55dc30d2912cd0cfa9e608ef87bb3d5c1711e55dd545186639ba30509e21e87963f97d

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
483KB

MD5
658ed0232eb0950bc34f708f78003dcc

SHA1
1306d0e546ffd627a0baec19133ee7807b9dcc26

SHA256
16d1dcd187bccaa62f511e260837c84b806d239f0787a44533b8f54374c6636f

SHA512
89917274ac7f2c8926dd84a00ff8fb951a05bcbe601ede3b4c8efc390ce654e8d3ecf359daa73bc9058a5db029ed1a889a81fcd677a82deffc3e533fcd7ce17d

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
483KB

MD5
15958a58c081af9cf72f6ea133d99e6f

SHA1
b84ae5e8ff02741434c78737de551a588ad99297

SHA256
c9eac11393ce094ffcdc91da10c5a6919c03b35ed52da2df8ad71ed5666c060e

SHA512
c16421e532938c88ca50ef61bf9a850ae89bf4db1290c99d9640debaa064d33ed71fdb49d16848f3b0796ab35d4b4fccffbbbb0502a87041f534969fa7bc029d

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
483KB

MD5
b37ff21ab97f54a30f239347d0e4904c

SHA1
510473f0650c0a9b3ccbaf97e5d01bcb7760d8ab

SHA256
1a3805fdbaa8c7412ffb51e6339569183c70b4257de480512fcf8b07576634c0

SHA512
4d5fc97dba604a13fba9e02642589f502b9b644066643da1df3457796ba814890b9d19f5d59023d0b238091bc96cdd8b91ed22a71c4b6a1770d0718bb42d0f1f

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
483KB

MD5
72b4451282695dec94b4febdeffefea6

SHA1
1894ad52f225847d7b80b17c786d883a18ab60e0

SHA256
32c65c15484e49e6538d7de2ffc3a0089103862575c36cf3a8a6de18491cd0ef

SHA512
d394d1239981bac8c116c5f586dea90da9f98906d66a2596904d67fab8da88a264d6e225f20ea73581f8bdca775fbb19c445e2eaeeb5be42ce42c57a9405a94a

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
483KB

MD5
ae83ae9d4a808b323363a741c8a3c15e

SHA1
96faee831f729c8e80b0d9c0d64c129e72b168f2

SHA256
a01649202f9200147db100b0469db7b9d3e7928fc0bef0a546f29715afb36959

SHA512
75f57136bb7849c3638764dd968f774e01b6f456bf2465ab807be32e86614e6621b63f23b0921c17623dd1e8060c918d4bf15fd773c4a8de50891e11bbf47929

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
128KB

MD5
a188b650ed0a9fe8d2a44504f5ffd696

SHA1
755a085c95e06a7bce491413d3eedac1ddd4115f

SHA256
67d59faea01fbeb994c0e430ae446cda0291d2efaaff26d9c2585021fcecddf1

SHA512
ba453150610af327ab1f802e75152de9833e2d54b99f084791f996ee87c985e87a37b91d832183413d40c5e09c25288bbe8b0e90f3ffdc08dc46a2d5bb600cc4

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
483KB

MD5
7142a873d1f0e16e7e3441ec7a49275a

SHA1
ec6c1b9e11109293db21d4fa276121e88c153ed1

SHA256
ac7d2329c265f9305b3d49de1c31ccd81df5c02777e59cd738589083550f49ae

SHA512
05f3cc5f4ea52d0d8bec2fb677f85db1526d59af999c4e3efaa1d358c22e9b8ed107f579dccd1eef1ad35c451df8d5d887f9dd28c921749e7a1524f2e7e6243a

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
483KB

MD5
b6b6eebbdf82701e695c823d6a149916

SHA1
1e40a8776243225bf5986540eb0d90c993a4eb26

SHA256
ae559a2db246b17ad929bf75b231b6b3ff8fc1e35ce02f2df87decb91e0b8c61

SHA512
956112aa5c42604ab2ce76c562fe2ffd4d32774434dd26b395374b0f99e8ee67c12a7a3b3cddbfaef924ece1f942e146c8d0a40ebe8e03a837cb8fec453a6b61

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
483KB

MD5
ca1762f22083a7548e8dcdb78babfb17

SHA1
fd0b6e46516af40d5a174286f470232310a46a3a

SHA256
989f04b0259cbb8e3b4a6120a2a9643e3dba4ee55855d782b5561f49dc31138a

SHA512
4b593cac300f6eed8518e76f4a10e160e294a964533aab6759df178f388454213a599a91e76798e5074f32dff8694104c1f83eae753dd491d35b6a3d311ae5c0

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
483KB

MD5
936df2df0ebee0726a38eda921298ef3

SHA1
7202b8625090ffbe4d6eda919e1df92cfa8137d5

SHA256
b41b48e9eaf9eb8639a64b35ed13fffdb072e9a151bcabb60bfd4ca5d8e89600

SHA512
be2974ae1b4b1a2d6f678d4a440364aa516430d3cd5c1d8a0bd64c7ba93f46472f7085783c1f9890161cbcafae0469323b8f25b0a572e990d65e59370bf13d32

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
483KB

MD5
55821596e914513e393445dec65d3710

SHA1
016f407700e22790046f521d5d6134ca6d951c54

SHA256
3524bc89e40a127b1b6d734bed8d24e8e17564f7e3d9fb917eab5e7105537858

SHA512
567c90f90658db4270ce518b5f00f4ecd7644a9caa224fd4dbce194851d5b288ac79516b0404d38c6ef98dd59e3bdde537e2adb7d2c82929b4404dd7390deefa

Download Submit
C:\Windows\SysWOW64\Ncnadk32.exe

Filesize
483KB

MD5
096f6927333c34492ab90ce6a7f3d397

SHA1
cef8bdfa4a7c63001517308bd7cf9685b7a1ab12

SHA256
4a1df725c4af09b87b929828fdc7896c360ec606e1f333de752e0d405bfaffe5

SHA512
f212ada43a8e4c6fde8b09fa876f01035cc4f85e8f9aecb92e6b5e260ceba4d776604fdf8074290f692c67e10399986993d0a952d1a2eb41a4c5fb54f7ff9ce1

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
483KB

MD5
be205ac4e207f891d4ae10d2402919a4

SHA1
41435accbd36c7c6abe58c4901f5705495549308

SHA256
98ef81e7db6fdfb93837ad1c216f02fc3b87fe55f18efb4979630bee10feae9e

SHA512
f3eb032c25ff67fc047304998ce0157bfc9675604519f7ed523fafd3356e10fff1d96caf79e05c229eaf5acd6f768decfee720c06c9891d1f797ae6133ae2845

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
483KB

MD5
98beb2ae0304927435118fbd98b15f49

SHA1
6b744d126eb86249b4ddef6412da646515988203

SHA256
5e00b45b7f134174ac778c9bc37a09d3b29823b932ce35f30bc673f42fd32317

SHA512
32e311df0c7cebfbd760beb902fa9b17b347bee3e8d3114b28eb75671b3a307e400acebb2282146c6d2f1dd88faff1df749dec7266efd9c507bf6fa9d87a94e6

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
483KB

MD5
3e5ea2ddfa1dc54aaa7850c56578ac2f

SHA1
c67097afe1cec5976f6f21f66491d4d3b48f8392

SHA256
f78e8686a68fe180fc2cdb4f40cc78ce3271497582a5ca7f2054806d4ec4def3

SHA512
e38ec51684c8d27a3f52856b07693522696a33317d7710b59c2e3a14039d9e9024565595a41441f9c9c5a01c91738138fd1098e9706861b95c83d051f55516a6

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
483KB

MD5
d432f3b33a4b8aee2a1e5bac30e7eba7

SHA1
e2849226801ed6970c72d20fb8ce51fd43bc42e4

SHA256
d8fab555ad371881e514026caacf9b4197f748c73ae3f09f2b3fc73dbcfb29ba

SHA512
503faf897005dd21aae2fdf85bc0d459fe0b7d6cf3b74900ce75088b547fe9746fae91eab37ad7654ce28404e2ed876c3c67f867cf8cd2f222477bf6ffdc7df8

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
483KB

MD5
d53b168883e0f87422fa65d68fdcd773

SHA1
4b1f86d713d0d5ae374d03337813068ebe548511

SHA256
ceb88f83d7f169f7df9d8c244416db18c82bfd2c138f790f646db44a46ed83fd

SHA512
32d360d828743135e54b8a36c272957f0238d86828a3b18622e7601813b0db2bbf997d6dc77988ee98cc4d1017ece48d9f5bfbaaed17950e37ac317ef71112a8

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
483KB

MD5
cdbd0b844e85e7c18f8d4b232ca72994

SHA1
b9ad313465fd47d47ff58463cab6ff41d9e4e43b

SHA256
579d018c56dacb81037e495170412897b7eb62aba997db41b00c1e99dd003650

SHA512
237bed41ad223f7c2c3acd67063317f954a4b890b9fb74839795e7faf0dd7e382313b44de7c330cb5dc31ce1623d5c52c906f3f226359c9309860c6298c56a81

Download Submit
C:\Windows\SysWOW64\Obdkma32.exe

Filesize
483KB

MD5
d294d8caed9387a7a2c397861e8beccd

SHA1
75270a4e6b0d772e8c34506b34cda59ad8b3d19c

SHA256
ebf799e1f44c150372016feded107019cdfcfaaecc2675706894761542bd8edb

SHA512
56dcbf23fc4474344e77920d3814148229f74d15e9806e993ea42d9a23610a5087af5a1935c6151f66e2ad6662032ea19c22bd654a1526a36692c853f71b7b42

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
483KB

MD5
e44484d1265541862ee572cdc200d4ac

SHA1
e0a7d95cc970b690abdb8fa75ee85a82a140a48a

SHA256
5199e9fcbebcc75f15f41af5ba33e0ad25493cd159fb7a70ee2a7c02ae2ed4cd

SHA512
c97639e7e0c807baa11251cea7c250d055896c15dd1e6d0e6f426e683ec9349a871cacaccf65c9a9ff737d90bacea17802749867df9c47c9746585c114b9f50e

Download Submit
C:\Windows\SysWOW64\Ocgdji32.exe

Filesize
483KB

MD5
9a6c89e06ce7f9a7f2dd94e2b440c8ab

SHA1
2650d099d5c15196c2df0364bc557770366ec745

SHA256
fbffef15f2449c5c7111691740da584cf5b548801d58a2881aeb47e4f447cabc

SHA512
de36500786dbb0d4307b59cea57a63ed72f3e41e3b9cec039ed93139631da8775285c48b7f534f888784040970daf512ccd2863e2940bf413bb135e9dd14dc62

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
483KB

MD5
6623b3580f6f6563ac5023ac1c99f32f

SHA1
c6daf9d12d10bbc87b4e89bf31abc49c76f0e302

SHA256
f1af32fd04ded644a236eaaabc526565ba389a9c6c765d2c7d5f303619a45dc7

SHA512
36564f910c257c5e8944229470776139ad41b1990b05a1b5cb2faf5839c6c046c4b70ffb0a458eb432bab1981879d35a9064b033b0d9fee45bf8fc36a560c02f

Download Submit
C:\Windows\SysWOW64\Odpjcm32.exe

Filesize
483KB

MD5
97f74d7b8f36a206aeb616a4171cca08

SHA1
f5267b7417872c873bd3810244d2d9507311e188

SHA256
5487ea20122b565187b6b2421c8faacb19761d467f2bc268bebfcdee42f3b487

SHA512
40850188ad468bd676f0a11e0d845db0cadd5b3c1f3c4b3f5a869974188afbe55ba171f21a6dfd2b5579511a378af27f1b9dd79c6951d130f6658d48cd5fe94c

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
483KB

MD5
5ad5a0311caad75ec0bdded35571b9ce

SHA1
166e60d67fa2fedb6c8811bc91965dbe0f29b0af

SHA256
e1810d786c8ff1fd3245d6ed171397790f483bfcbff4b7bc28213a66c95d0c8b

SHA512
72b5121972fb666d789962314efac3e37b304f401d2e64263f14cd86f1e2fb1707eaf0a3e15ea4f4d55572055cc85cc50aa72b1418b47a24fa9fb25447ba34b5

Download Submit
C:\Windows\SysWOW64\Ojopad32.exe

Filesize
483KB

MD5
b95785f4852f86ab0b366e17788a68e8

SHA1
719ccd581731ac53f4c8efbbbe4a0b6d151fd14e

SHA256
1a0cebd56cd4d5cfb99f5234a10f3c44043ca6922e47f008b22f18ab65de9da3

SHA512
0b9e801af92c8d3cdd52fdac34ca6570a140b6a9ae0f3a6a3e054e6373edf5134d4848c496add896bc820386d406fe711751c214032eabb00dd5dc9a6529b5bc

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
483KB

MD5
c5ae8f56c630de2ba80dd73f3d61440a

SHA1
1af8af92d795e2ab75730f598842f2d66c90c595

SHA256
c2692fc4b6754204f68ce5f46547b6c0a0fa63bff2a8e56a9d8c5020cd6eb424

SHA512
3847b206b3078be161c7b21c19af22bb14f76c0bbf71dd8392b8d9069ecfe8dddf7c4033935ef99ca386720123f66e30de4ee132b012a5e69d3e924ef39a7583

Download Submit
C:\Windows\SysWOW64\Onmhgb32.exe

Filesize
483KB

MD5
a11e85aba304056fc79d59827e291fbe

SHA1
98f978db8aa14b5bac65f1b4846c119af1e920bf

SHA256
891b65042345565dc786252e7dadea063efd6bc6711fcefc8da2dad82efbd138

SHA512
aab5226494b00778de90a6a0685839b619fd43de384187768ce9a800eb4c2e2c258a70207600289872b80ef7246a187c245c5d228d038ae4dcdd87308648bd0b

Download Submit
C:\Windows\SysWOW64\Pbmncp32.exe

Filesize
483KB

MD5
6d11254cf9a0af53aa4fbba3bbf463b6

SHA1
f24e9da738a38b98845c604f32aef386fa9f2c6d

SHA256
6b96636639291bc3171bf90c1a97e3e0e03e6c44de582c575fa3be0756056803

SHA512
ff436a73b12ba8e1fe2f1ffe731e94f8dd0d6108f9d6346be92c61e02ef93f16a37cbd98e5c3a950d5213a56ceac8cad1e42325bb334e5bd8be30d4f9374ee13

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
483KB

MD5
98f58ac165aedb836d5ac3f90f607640

SHA1
a2462f429ca3bb874b11599ce092448bf14a5f7f

SHA256
79058a66f7693b3bd79a14e694e10915f81a624073fdaa89e1933e6a83674810

SHA512
d3c5ea674b9e81c05c0e3a3aad074de29da9ce18c8f42571ee6a0af1c0dce915bbfef5497423277b19bee598ba68419521392aa5fcb61ce9c13bf78ce9adc589

Download Submit
C:\Windows\SysWOW64\Peimil32.exe

Filesize
483KB

MD5
0dfc4dce9a30cc78dac29ed5038e24be

SHA1
90df1f85332b72d1a1c7fac96e0247c192e1912b

SHA256
433502bc4c813fa103ce2d6865ff1836cf999c74b1ad0d5bceb7fdf201039ae3

SHA512
9c50fe4f3c6aee14b3f3ee68e19ab20280fc58b8b235b23e1a51ed0f3679efc9b3fd463a5dd77cfbd02ad0d2445d1b41c75c44ad9456a9064a67a70ffea5f1af

Download Submit
C:\Windows\SysWOW64\Peqcjkfp.exe

Filesize
483KB

MD5
524f3aa082c3d6b6d055db6eb1b8d7bf

SHA1
fc2df70dfb7b27c9e8f68c7640acd5ec1e9bf6ca

SHA256
c90a181878e63bade5226d93b4e9c54e01f6bc238b367d3a5fdd9bd2c150553e

SHA512
d45e1f2de7cbb08b9df949f290a51db847d203ed358875cbe9adffd99f469edabadee89171e44847a64fc9efb7a5f9532e7fdab35c5881a4bd241f03ea73e998

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
483KB

MD5
e4e4228183b83e847c3a70af08697aff

SHA1
733ea4fb47bdf1e5cfd6c1015f40e4f3a786d50a

SHA256
c6f7d626f75707e7f3487be5cd6acd280fb2c247f71df1e9cb525c06565d45b0

SHA512
4983f176b754683a7b6def280e26c7dd9dddbf6a9ab99407a8f1acedfd63d984eda8ca7d754932cae3b9cc2ccf1f95487bd691a4ea06ca78c0315fdf4751eddf

Download Submit
C:\Windows\SysWOW64\Pjhbgb32.exe

Filesize
483KB

MD5
373d1995bda57fbd8fa2cb54e2594fbf

SHA1
60ec640adf13a02bd73ec511ee8e446f69c55bd4

SHA256
bd0dc6630889a5432da0acf79f329cc3ed2ecfe988c112ae764270735d913c98

SHA512
beb2ea223ae356dfb3b2002265a46c09dbec22bffa7395a53f8e2147ebffb205b0325a627406c88d703da0b50be7a072352ba38f3c90fdb908c7e91ffa86e476

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
483KB

MD5
4a76768e024b2f2c488697491cd63d43

SHA1
50bf2793199bd999d872e570eafe59491d9ba09e

SHA256
38c24f828f5859f988e16f820f6ffc40ffc2c272d3183e64e437c1aac2f46417

SHA512
f46fc85b9e24f83ae2f4e15f2fb1756fd83934e9c064fc134baf6749386a49d51bc92cefa3a092c15fd425236c9239b8bb2fdc022de335013041b086ba5ea884

Download Submit
C:\Windows\SysWOW64\Pkaiqf32.exe

Filesize
483KB

MD5
ac4333bb4b0f050b4f5dc1ab1bda5cec

SHA1
f2ea9d96afa52bbe478f1e91f710d72bbbba9c90

SHA256
aea96670b1980d760214dd86558937219b3bd8e7d52e0ad8147e5e472b185da9

SHA512
9e6154d6a3a1a9ee885acb6a9d4100432bd9ebe64b17f3975e27bcbc84dfcb9252b72a17f9c35e4f3fbe78040e4260b491bd5293927003ee3c3ed7dcabc36ad1

Download Submit
C:\Windows\SysWOW64\Pkhoae32.exe

Filesize
483KB

MD5
6b3013264fa2d463e25393d831c10e70

SHA1
370d8e5d980e1ba3b199a671c7982783857ab8ed

SHA256
2c3373bfb633559e0bd83b516a0eab5c9d3bae48859e1a921cb2e05a6003ff66

SHA512
d4d0ec6002e9a762b00678c659317beecc536084ad153bbf6f1b6b12c5e262109b9f5d4a3662ee99f12749d8068f5b5c6f36c9de62596664d13e1b9361a9aec2

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
483KB

MD5
8cc9b2f25a6115b92d80e2ec2f1e3b6f

SHA1
696390e514423d5ddb2553bd2760f3ea07222e44

SHA256
48d70256332327d20403aa5f9bc07450add17317c237868b2455addf55bf1759

SHA512
8ef1fff9b18cbcd64c4b269d18fc929d1665fe41d2d5d265572f911af681d07f209dbd5f40d94759414e59fd0cfb207f129d3f31e23b392d73db25a7b8e1a96c

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
483KB

MD5
add666e8fcf68d2c123f1cc44a098f26

SHA1
4218bbc32d0fb82f691d76c9644dd3836381ed29

SHA256
040d7986d65ba9499db13009546394ee14a6dec84ab13a30996876cf3bb2affd

SHA512
f69863d199784532d249ef34c64151ce9c58a033f1e95afef318361f750bc98f1ecdf23ef02a07885f0c86996934bb8f303878b98b75b858cde3fad02ae21241

Download Submit
C:\Windows\SysWOW64\Qecppkdm.exe

Filesize
483KB

MD5
1a4de9069c2403fc72d72eb3d8ff60b1

SHA1
02cf6d293ed9951b9cc240a472936519794b2184

SHA256
d0cf6f75ed5283de28fc72e84dfbc64fe67bc244dcea5a3a9ee2dfa8c9b12f4a

SHA512
7bef79e04c0e9eb76c6e9c92a54f2209dfed89fa6b01dab73b41e6132fb6707408cb7942d529151e8fe55c2799a1ee6b2745fc336f8f18122b82eebd3c6e97fd

Download Submit
C:\Windows\SysWOW64\Qloebdig.exe

Filesize
483KB

MD5
ec3b780e42cbab5a55856f9769d0578a

SHA1
1e1cde92eea3b2f4ced6a8c24633dc025800bdec

SHA256
588551b51465dac8322b3e54ba80b9528d1d795ddaf83c9e86b66f5c28cd5a4b

SHA512
ba7c144d3dff93bde4137aacd4afc7817891965ad86ff24be6dd15bbdf8fceaae0d2a8ef7fc4bc1638fe85d94d6425c30eb27b70f1fbc405ac628c2568ee0a65

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
483KB

MD5
3b3b46148d5610c28987005ee4b7dd76

SHA1
45770623616263ed2c1d253f502392b33ff18ed7

SHA256
47701eb3ad01543c6658bb09b30c9d36fd963acfb7fa5c3046f77764d4ed3bd2

SHA512
da3f9cacd6576b57adcb3c48877d32547e7ccdf7c82b7c8adda0e879da114807101263594de324d7a80b2bb849313b183c25a11520a65ce16d0447c905373ecd

Download Submit
C:\Windows\SysWOW64\Qnkdhpjn.exe

Filesize
483KB

MD5
4d324f34124a848445a1e38e1ed4dfbb

SHA1
cb83d6ec15a608c68b7fbce2fa6169a67938e468

SHA256
cf875233e2fc3b0036b6afc91255c9a8d323b8f742b301c0e161f4b03e96df5a

SHA512
12047603f367b13c0dd965b21e5ed5d53c410c80439c0acc989917424aee90a89707a8c64d29c03c83e7c1232fc982ef5ce5e9da47a7eb15a02abf365a3c120a

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
483KB

MD5
f6f85b2fadd83499e98c0f688e11f574

SHA1
98777b836fc731ac2677dc02db0e5d8460fae9e1

SHA256
ac3cc56867fce17b2080fb9c2bbbb312521c1298e1f2a1da4c43adf6fb543955

SHA512
c2816a97d2d972503f9baa4c9838839b0b07f559b78c0a5433fc1583c882cef1a1a2aab0375590dd2844aa2482e2775cf221aa58030bfb7d6a966ed8b959b01c

Download Submit
memory/60-57-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/60-592-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/224-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/320-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/632-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/812-590-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/840-371-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1208-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1248-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1252-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1280-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1384-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1392-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1396-585-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1396-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1536-540-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1668-449-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1784-480-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1812-29-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1816-495-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1852-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1912-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2008-217-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2056-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2104-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2112-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-249-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2256-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2284-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-509-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2436-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-568-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2748-515-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2764-469-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2804-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2848-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2868-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2872-281-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2952-461-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2968-578-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2968-41-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3092-379-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3180-528-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3288-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3344-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3428-417-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3472-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3480-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3484-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3520-579-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3532-263-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3668-275-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3748-270-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3900-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3924-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3972-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4032-564-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4040-389-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4048-533-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4080-485-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4232-548-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4256-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4260-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4288-593-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4296-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4316-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4432-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4432-603-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4472-37-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4552-497-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4584-455-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4612-503-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4636-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4656-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4660-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4660-559-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4788-553-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4796-105-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-522-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4836-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4840-395-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4872-419-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-552-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4944-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4960-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5012-407-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-539-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5048-365-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads