cc4886e521024f52d462d73a10ec2c0d8bc132ea2573dd9559b54ad6abd2fbbc

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 02:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b1d537e71c871c4eb5c99c184e0a6a0_NeikiAnalytics.exe
Size

64KB
MD5

6b1d537e71c871c4eb5c99c184e0a6a0
SHA1

2a785349fe5e0745fc5ac2f8269b7d0fcf6dfa31
SHA256

cc4886e521024f52d462d73a10ec2c0d8bc132ea2573dd9559b54ad6abd2fbbc
SHA512

aaec06caa15b0dfc6376c2e34bb5886e866bed6537abd06e6f37278028511d306f4e61dcb0d821e0429f63e7a74b4feff990509497ec9b666036d131fcd59ef5
SSDEEP

768:lgR8PLcL8s62PsV5Ya00iCJvN0gjJRESpIdQpZp5P4n9o55PHIoEED3qMqf/1H56:aE3r2siRCJvN/JadQp69wPolvlBly5VP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjkombfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jimekgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hecmijim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkmhlekj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcmmeog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbdgfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hijooifk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffimfqgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imakkfdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomhdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gododflk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikbnacmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogcpjhoq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adapgfqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlijfneg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcmnpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghaliknf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjjfggb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndobo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekcpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkkhqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclneicb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbgqohi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eadopc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okolkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hopnqdan.exe

Executes dropped EXE 64 IoCs

pid	Process
2472	Oqihnn32.exe
3532	Ogcpjhoq.exe
3128	Okolkg32.exe
4452	Onmhgb32.exe
2920	Oqkdcn32.exe
2728	Pkaiqf32.exe
1484	Pnpemb32.exe
3124	Pclneicb.exe
3412	Pkceffcd.exe
672	Pnbbbabh.exe
4356	Peljol32.exe
2896	Pkfblfab.exe
4892	Pndohaqe.exe
4412	Pengdk32.exe
4688	Pjkombfj.exe
4104	Paegjl32.exe
3976	Pcccfh32.exe
2296	Pjmlbbdg.exe
2924	Pagdol32.exe
1384	Qkmhlekj.exe
2804	Qnkdhpjn.exe
2000	Qajadlja.exe
4468	Qgciaf32.exe
3932	Qnnanphk.exe
5016	Acjjfggb.exe
5104	Anpncp32.exe
1532	Abkjdnoa.exe
3696	Ahhblemi.exe
2216	Ajfoiqll.exe
4948	Aaqgek32.exe
2188	Acocaf32.exe
3140	Ajiknpjj.exe
1228	Abpcon32.exe
2812	Aeopki32.exe
2544	Adapgfqj.exe
4364	Abbpem32.exe
1560	Adcmmeog.exe
3636	Ajneip32.exe
4804	Aniajnnn.exe
2476	Bdfibe32.exe
1392	Bjpaooda.exe
924	Beeflhdh.exe
3188	Bhdbhcck.exe
5060	Bjbndobo.exe
3448	Balfaiil.exe
1808	Blbknaib.exe
4980	Bblckl32.exe
2080	Bhikcb32.exe
4040	Bobcpmfc.exe
2008	Bemlmgnp.exe
3284	Bkidenlg.exe
1100	Ceoibflm.exe
3420	Cklaknjd.exe
1876	Cddecc32.exe
216	Cbefaj32.exe
2184	Clnjjpod.exe
1124	Colffknh.exe
4464	Cefoce32.exe
3648	Chdkoa32.exe
4672	Conclk32.exe
3308	Cdkldb32.exe
4780	Dbllbibl.exe
3108	Dldpkoil.exe
3848	Daaicfgd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jmpgldhg.exe	Jfeopj32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Dbllbibl.exe	Cdkldb32.exe
File created	C:\Windows\SysWOW64\Cecenn32.dll	Dbaemi32.exe
File created	C:\Windows\SysWOW64\Bcfmgfde.dll	Dlijfneg.exe
File created	C:\Windows\SysWOW64\Pohkbc32.dll	Gomakdcp.exe
File created	C:\Windows\SysWOW64\Dmamoe32.dll	Jefbfgig.exe
File opened for modification	C:\Windows\SysWOW64\Dafbne32.exe	Dohfbj32.exe
File opened for modification	C:\Windows\SysWOW64\Glhonj32.exe	Gdqgmmjb.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Bhdbhcck.exe	Beeflhdh.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Febgea32.exe	Fljcmlfd.exe
File opened for modification	C:\Windows\SysWOW64\Kemhff32.exe	Jcllonma.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Gfgjgo32.exe	Gomakdcp.exe
File created	C:\Windows\SysWOW64\Kpjcdn32.exe	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Jedeph32.exe	Jbeidl32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Mgpjhl32.dll	Beeflhdh.exe
File created	C:\Windows\SysWOW64\Dafbne32.exe	Dohfbj32.exe
File opened for modification	C:\Windows\SysWOW64\Gmjlcj32.exe	Gbdgfa32.exe
File created	C:\Windows\SysWOW64\Kjqkei32.dll	Ikbnacmd.exe
File opened for modification	C:\Windows\SysWOW64\Ilghlc32.exe	Imdgqfbd.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ipdqba32.exe	Iikhfg32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Bobcpmfc.exe	Bhikcb32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Himldi32.exe	Hfnphn32.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Ldleel32.exe
File created	C:\Windows\SysWOW64\Dllfkn32.exe	Dafbne32.exe
File opened for modification	C:\Windows\SysWOW64\Ghaliknf.exe	Gfbploob.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Llcpoo32.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Pagdol32.exe	Pjmlbbdg.exe
File created	C:\Windows\SysWOW64\Abkjdnoa.exe	Anpncp32.exe
File created	C:\Windows\SysWOW64\Ihoofe32.dll	Imdgqfbd.exe
File opened for modification	C:\Windows\SysWOW64\Jefbfgig.exe	Jcefno32.exe
File created	C:\Windows\SysWOW64\Kfmepi32.exe	Kpbmco32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Eegdfm32.dll	Acocaf32.exe
File opened for modification	C:\Windows\SysWOW64\Bhikcb32.exe	Bblckl32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Qgciaf32.exe	Qajadlja.exe
File opened for modification	C:\Windows\SysWOW64\Kpbmco32.exe	Kmdqgd32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Qnnanphk.exe	Qgciaf32.exe
File created	C:\Windows\SysWOW64\Adcmmeog.exe	Abbpem32.exe
File created	C:\Windows\SysWOW64\Qadpibkg.dll	Dahode32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8280	7208	WerFault.exe	386

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghaliknf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhoqj32.dll"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6b1d537e71c871c4eb5c99c184e0a6a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daaicfgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqkdcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dalchnkg.dll"	6b1d537e71c871c4eb5c99c184e0a6a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ednaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpaqkn32.dll"	Eadopc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6b1d537e71c871c4eb5c99c184e0a6a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhnmh32.dll"	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnihq32.dll"	Ajfoiqll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ippggbck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfnbea32.dll"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkceffcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejckel32.dll"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoogcin.dll"	Hodgkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkidenlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dafbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgciaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghaliknf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hijooifk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclneicb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daaicfgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgdbi32.dll"	Glhonj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hledan32.dll"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipkhdeq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2472	1932	6b1d537e71c871c4eb5c99c184e0a6a0_NeikiAnalytics.exe	82
PID 1932 wrote to memory of 2472	1932	6b1d537e71c871c4eb5c99c184e0a6a0_NeikiAnalytics.exe	82
PID 1932 wrote to memory of 2472	1932	6b1d537e71c871c4eb5c99c184e0a6a0_NeikiAnalytics.exe	82
PID 2472 wrote to memory of 3532	2472	Oqihnn32.exe	83
PID 2472 wrote to memory of 3532	2472	Oqihnn32.exe	83
PID 2472 wrote to memory of 3532	2472	Oqihnn32.exe	83
PID 3532 wrote to memory of 3128	3532	Ogcpjhoq.exe	84
PID 3532 wrote to memory of 3128	3532	Ogcpjhoq.exe	84
PID 3532 wrote to memory of 3128	3532	Ogcpjhoq.exe	84
PID 3128 wrote to memory of 4452	3128	Okolkg32.exe	85
PID 3128 wrote to memory of 4452	3128	Okolkg32.exe	85
PID 3128 wrote to memory of 4452	3128	Okolkg32.exe	85
PID 4452 wrote to memory of 2920	4452	Onmhgb32.exe	86
PID 4452 wrote to memory of 2920	4452	Onmhgb32.exe	86
PID 4452 wrote to memory of 2920	4452	Onmhgb32.exe	86
PID 2920 wrote to memory of 2728	2920	Oqkdcn32.exe	87
PID 2920 wrote to memory of 2728	2920	Oqkdcn32.exe	87
PID 2920 wrote to memory of 2728	2920	Oqkdcn32.exe	87
PID 2728 wrote to memory of 1484	2728	Pkaiqf32.exe	88
PID 2728 wrote to memory of 1484	2728	Pkaiqf32.exe	88
PID 2728 wrote to memory of 1484	2728	Pkaiqf32.exe	88
PID 1484 wrote to memory of 3124	1484	Pnpemb32.exe	89
PID 1484 wrote to memory of 3124	1484	Pnpemb32.exe	89
PID 1484 wrote to memory of 3124	1484	Pnpemb32.exe	89
PID 3124 wrote to memory of 3412	3124	Pclneicb.exe	90
PID 3124 wrote to memory of 3412	3124	Pclneicb.exe	90
PID 3124 wrote to memory of 3412	3124	Pclneicb.exe	90
PID 3412 wrote to memory of 672	3412	Pkceffcd.exe	91
PID 3412 wrote to memory of 672	3412	Pkceffcd.exe	91
PID 3412 wrote to memory of 672	3412	Pkceffcd.exe	91
PID 672 wrote to memory of 4356	672	Pnbbbabh.exe	92
PID 672 wrote to memory of 4356	672	Pnbbbabh.exe	92
PID 672 wrote to memory of 4356	672	Pnbbbabh.exe	92
PID 4356 wrote to memory of 2896	4356	Peljol32.exe	94
PID 4356 wrote to memory of 2896	4356	Peljol32.exe	94
PID 4356 wrote to memory of 2896	4356	Peljol32.exe	94
PID 2896 wrote to memory of 4892	2896	Pkfblfab.exe	95
PID 2896 wrote to memory of 4892	2896	Pkfblfab.exe	95
PID 2896 wrote to memory of 4892	2896	Pkfblfab.exe	95
PID 4892 wrote to memory of 4412	4892	Pndohaqe.exe	96
PID 4892 wrote to memory of 4412	4892	Pndohaqe.exe	96
PID 4892 wrote to memory of 4412	4892	Pndohaqe.exe	96
PID 4412 wrote to memory of 4688	4412	Pengdk32.exe	97
PID 4412 wrote to memory of 4688	4412	Pengdk32.exe	97
PID 4412 wrote to memory of 4688	4412	Pengdk32.exe	97
PID 4688 wrote to memory of 4104	4688	Pjkombfj.exe	98
PID 4688 wrote to memory of 4104	4688	Pjkombfj.exe	98
PID 4688 wrote to memory of 4104	4688	Pjkombfj.exe	98
PID 4104 wrote to memory of 3976	4104	Paegjl32.exe	100
PID 4104 wrote to memory of 3976	4104	Paegjl32.exe	100
PID 4104 wrote to memory of 3976	4104	Paegjl32.exe	100
PID 3976 wrote to memory of 2296	3976	Pcccfh32.exe	101
PID 3976 wrote to memory of 2296	3976	Pcccfh32.exe	101
PID 3976 wrote to memory of 2296	3976	Pcccfh32.exe	101
PID 2296 wrote to memory of 2924	2296	Pjmlbbdg.exe	102
PID 2296 wrote to memory of 2924	2296	Pjmlbbdg.exe	102
PID 2296 wrote to memory of 2924	2296	Pjmlbbdg.exe	102
PID 2924 wrote to memory of 1384	2924	Pagdol32.exe	103
PID 2924 wrote to memory of 1384	2924	Pagdol32.exe	103
PID 2924 wrote to memory of 1384	2924	Pagdol32.exe	103
PID 1384 wrote to memory of 2804	1384	Qkmhlekj.exe	104
PID 1384 wrote to memory of 2804	1384	Qkmhlekj.exe	104
PID 1384 wrote to memory of 2804	1384	Qkmhlekj.exe	104
PID 2804 wrote to memory of 2000	2804	Qnkdhpjn.exe	105

C:\Users\Admin\AppData\Local\Temp\6b1d537e71c871c4eb5c99c184e0a6a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6b1d537e71c871c4eb5c99c184e0a6a0_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\Oqihnn32.exe
  C:\Windows\system32\Oqihnn32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\Ogcpjhoq.exe
    C:\Windows\system32\Ogcpjhoq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\SysWOW64\Okolkg32.exe
      C:\Windows\system32\Okolkg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3128
    - - C:\Windows\SysWOW64\Onmhgb32.exe
        
        C:\Windows\system32\Onmhgb32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Windows\SysWOW64\Oqkdcn32.exe
        
        C:\Windows\system32\Oqkdcn32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Pkaiqf32.exe
        
        C:\Windows\system32\Pkaiqf32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Pnpemb32.exe
        
        C:\Windows\system32\Pnpemb32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Pclneicb.exe
        
        C:\Windows\system32\Pclneicb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Pkceffcd.exe
        
        C:\Windows\system32\Pkceffcd.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Pnbbbabh.exe
        
        C:\Windows\system32\Pnbbbabh.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Peljol32.exe
        
        C:\Windows\system32\Peljol32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Pkfblfab.exe
        
        C:\Windows\system32\Pkfblfab.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Pndohaqe.exe
        
        C:\Windows\system32\Pndohaqe.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Pengdk32.exe
        
        C:\Windows\system32\Pengdk32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Pjkombfj.exe
        
        C:\Windows\system32\Pjkombfj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Paegjl32.exe
        
        C:\Windows\system32\Paegjl32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Pcccfh32.exe
        
        C:\Windows\system32\Pcccfh32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Pjmlbbdg.exe
        
        C:\Windows\system32\Pjmlbbdg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Pagdol32.exe
        
        C:\Windows\system32\Pagdol32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Qkmhlekj.exe
        
        C:\Windows\system32\Qkmhlekj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Qajadlja.exe
        
        C:\Windows\system32\Qajadlja.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\Qgciaf32.exe
        
        C:\Windows\system32\Qgciaf32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Qnnanphk.exe
        
        C:\Windows\system32\Qnnanphk.exe
        25⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Acjjfggb.exe
        
        C:\Windows\system32\Acjjfggb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Anpncp32.exe
        
        C:\Windows\system32\Anpncp32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Abkjdnoa.exe
        
        C:\Windows\system32\Abkjdnoa.exe
        28⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\Ahhblemi.exe
        
        C:\Windows\system32\Ahhblemi.exe
        29⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Ajfoiqll.exe
        
        C:\Windows\system32\Ajfoiqll.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Aaqgek32.exe
        
        C:\Windows\system32\Aaqgek32.exe
        31⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        33⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Abpcon32.exe
        
        C:\Windows\system32\Abpcon32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\SysWOW64\Aeopki32.exe
        
        C:\Windows\system32\Aeopki32.exe
        35⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\Abbpem32.exe
        
        C:\Windows\system32\Abbpem32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Ajneip32.exe
        
        C:\Windows\system32\Ajneip32.exe
        39⤵
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Aniajnnn.exe
        
        C:\Windows\system32\Aniajnnn.exe
        40⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Bdfibe32.exe
        
        C:\Windows\system32\Bdfibe32.exe
        41⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\Bjpaooda.exe
        
        C:\Windows\system32\Bjpaooda.exe
        42⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Beeflhdh.exe
        
        C:\Windows\system32\Beeflhdh.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\Bhdbhcck.exe
        
        C:\Windows\system32\Bhdbhcck.exe
        44⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        46⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        47⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Bblckl32.exe
        
        C:\Windows\system32\Bblckl32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Bhikcb32.exe
        
        C:\Windows\system32\Bhikcb32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Bobcpmfc.exe
        
        C:\Windows\system32\Bobcpmfc.exe
        50⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        51⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Bkidenlg.exe
        
        C:\Windows\system32\Bkidenlg.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        53⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\Cklaknjd.exe
        
        C:\Windows\system32\Cklaknjd.exe
        54⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        55⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        56⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        57⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        58⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        59⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        60⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        61⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        63⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        64⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        66⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        67⤵
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        68⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        70⤵
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        72⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4772
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        75⤵
        
        PID:964
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:732
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        77⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        78⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        79⤵
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        80⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        82⤵
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        83⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        84⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        85⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        86⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2956
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        88⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        89⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1340
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:640
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        92⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3604
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        94⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        95⤵
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        96⤵
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        98⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        99⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        100⤵
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        102⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        103⤵
        
        PID:696
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        104⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        105⤵
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        106⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3592
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4400
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        109⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        110⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        111⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        112⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        114⤵
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        116⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        118⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        120⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        121⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        123⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        124⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        125⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        127⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        129⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        130⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        131⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        132⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        133⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        135⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        138⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        140⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        141⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        143⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        144⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        145⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        148⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        149⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        151⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        152⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        157⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        158⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        160⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        164⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        165⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        166⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        167⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        168⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        170⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        171⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        172⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        173⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        174⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        175⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4460
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        178⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        179⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        180⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        181⤵
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        182⤵
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        183⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        184⤵
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        185⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        186⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        187⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        188⤵
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        189⤵
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        190⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6736
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        192⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        193⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        194⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        195⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        197⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        198⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        200⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        201⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        203⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        204⤵
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        205⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        207⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        208⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        209⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        210⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6856
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        212⤵
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        213⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        214⤵
        Drops file in System32 directory
        
        PID:7064
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        215⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        216⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        217⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        218⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6568
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        220⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        221⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        223⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        224⤵
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        225⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        226⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        227⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        228⤵
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        229⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        230⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        232⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        233⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        234⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        235⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        236⤵
        Modifies registry class
        
        PID:6680
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        237⤵
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        238⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        239⤵
        Modifies registry class
        
        PID:7184
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        240⤵
        Drops file in System32 directory
        
        PID:7232
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        241⤵
        Drops file in System32 directory
        
        PID:7280
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        242⤵
        Drops file in System32 directory
        
        PID:7328
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        244⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        245⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        246⤵
        Modifies registry class
        
        PID:7516
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        247⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        248⤵
        Modifies registry class
        
        PID:7612
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        249⤵
        Modifies registry class
        
        PID:7660
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        250⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        251⤵
        Drops file in System32 directory
        
        PID:7752
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        252⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        253⤵
        Modifies registry class
        
        PID:7844
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        254⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        255⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        256⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        257⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        258⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        259⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        260⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6984
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        262⤵
        Drops file in System32 directory
        
        PID:7220
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        263⤵
        Modifies registry class
        
        PID:7296
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        264⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        265⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        266⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        267⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        268⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        269⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        270⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        271⤵
        Modifies registry class
        
        PID:7832
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7936
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        273⤵
        Modifies registry class
        
        PID:7956
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8040
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8108
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        276⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7240
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        278⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        279⤵
        Drops file in System32 directory
        
        PID:7420
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        280⤵
        Drops file in System32 directory
        
        PID:7540
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        281⤵
        Drops file in System32 directory
        
        PID:7640
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        282⤵
        Drops file in System32 directory
        
        PID:7748
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        283⤵
        Drops file in System32 directory
        
        PID:7868
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        284⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        285⤵
        Drops file in System32 directory
        
        PID:8096
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        286⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        287⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        288⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        289⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        290⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        291⤵
        Modifies registry class
        
        PID:7948
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        292⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8104
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        293⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        294⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7772
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        296⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8008
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        297⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7732
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        299⤵
        Drops file in System32 directory
        
        PID:8152
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        300⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        301⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7648
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        302⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        303⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7208 -s 400
        304⤵
        Program crash
        
        PID:8280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7208 -ip 7208
1⤵
PID:8256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaqgek32.exe

Filesize
64KB

MD5
860fcabe392b0b1f2a1bc9719cde87fe

SHA1
af9643803dea1d8dcd95908c90c6906a2ad2b936

SHA256
3090e9017559188bfa7d307861a804cbe0fd3367884e4ad79b5355660b1b9754

SHA512
a68924d821de3af332d1e07f63a10bf78dc5111dfb0d32c4875d3c029cda8c3f31c51e158601a2bbd5709c15d3b7615b00f77d6af572b08b0620fd507166e624

Download Submit
C:\Windows\SysWOW64\Abkjdnoa.exe

Filesize
64KB

MD5
a4b9444fd580c07e9201373d1615c59e

SHA1
ce956c9f3162373af56bcca1ca0f1f32158819f4

SHA256
8134226d86c75cd8bfd1d7cb05c152e3b1d796420f230696365c8870555ada0f

SHA512
3764a342c1a02f784214772f5929e85d4235fa899c6e4047426ee26e2bdcfe8c86cf6d7132a8dd9841d18087967aeacd399f1a1c649628ecb60253211b76b1d8

Download Submit
C:\Windows\SysWOW64\Acjjfggb.exe

Filesize
64KB

MD5
1622c7daa2ea168a233ce6cc498b7a37

SHA1
2cdf55a174c11cb02e21f12633518782cd00003e

SHA256
4e8bd379c3596707f638853a318f81afee9b63f5d71bde083e90a08d5628b5b0

SHA512
84deebb096fefea2ac1a2e7efb59c22030c7c8e431d59044058f392db30ba7e35d42fa0d3c2d095dafb701542dc8b6e1770b3a7e2c06769e28241bbd60ba00fd

Download Submit
C:\Windows\SysWOW64\Acocaf32.exe

Filesize
64KB

MD5
b8f8cfe3492becef9e5aff53d2d4b759

SHA1
a8336fdbbd889fa8f40286aff28e3057961396f8

SHA256
5eb883687c21d11f96c13ffc281eb12e0b3947123b67b3ca72ac194c644438a3

SHA512
ba95e3e9247eb5fa3a8369f72a7a70693a6871e5ee4a479a451dfdb8751e09afbd2f0e0afc2c0f5d0619d62ca48b4c845980e3ff53666d718cc43df6e976984e

Download Submit
C:\Windows\SysWOW64\Adcmmeog.exe

Filesize
64KB

MD5
cc15c926c5acc76435a1573e847d4d85

SHA1
9ade3d08f4d0fd17b41aaf9a29c240f086ae1456

SHA256
c533c26fb58b2d01c1a0e0b16205b1072263ac9722b49602b1c72209c39b3485

SHA512
99ca280987106d6698206fd7432a38a2f5b247f87531b2a6525fc2f3708f167e013f53dfdcc8f934a7357e28a52ec2c27d4ef913bc80502d032c82a46054d93b

Download Submit
C:\Windows\SysWOW64\Ahhblemi.exe

Filesize
64KB

MD5
aefc09151b08600dffb8ebc92dba92bc

SHA1
490943a54c98934f9f6f2089bca5e654a17f49af

SHA256
a6c16ce0808cf6c7ea3adaeda83e7f8818934a4905fa5d26e530deb5e1f55944

SHA512
1aa2f19262e79b506697f6abf054a7bebf9793e22a5ff97b2348fc0a4a6f2972d2b33d68ff7ec37de81004a22ba600fab2c037788725be9091249cec37eb9759

Download Submit
C:\Windows\SysWOW64\Ajfoiqll.exe

Filesize
64KB

MD5
7ae737a2c520507eb7a1150c8d979516

SHA1
bf92fbcd9cade50ae02f0f2322874baa5d551037

SHA256
d15230ac389bccd361142d277511dbd6f5ff42fabe0c2bac75c31d9fb75a008c

SHA512
995cbcab7fad6be59022ad949c5e80ff9d174d1dc32f28b4cd070cb65ccb35c3fe8f2303ebaa789b9551802964665e81e24be894cc6e29c2d8c637522014110a

Download Submit
C:\Windows\SysWOW64\Ajiknpjj.exe

Filesize
64KB

MD5
169dfdfc2a7d0d7cb50c310a504bae29

SHA1
47c717be910d76a8e4efa41751a3512faf1970e5

SHA256
f0d6680550faebcefdf33823755a2d3898557bae81ce07250677aa042118bcc4

SHA512
ac815c8a900d79a2dd48f0e315b32c4fa484b1953006fca712d128d6429cef01656ad304099a96ac2eafca0553cc74b35327ac44e794dfa78828bccee09976c4

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
64KB

MD5
62be901a43b986a9cab4904014278ed9

SHA1
3aa17a43cea1af70459f2b080ffb5434ea90cca4

SHA256
de0f8544279906cec39da74a8cbd8b878b2bc9287774ffcfdd753609b6c0ca18

SHA512
d5add68e59d77e85e26d2e58d796691e41759ab564d22e7b07dcf9cb5a61e4233e606a2cb6d83aad526b5b5d6b89f52e44a93f6d07957345ba96ef15abf54abb

Download Submit
C:\Windows\SysWOW64\Anpncp32.exe

Filesize
64KB

MD5
c901b0ec146138a19cc1067399fbc384

SHA1
cfde7933fcd5b674611f0b3958aa310a440c967c

SHA256
d63298d38eda822e07111cfd76680b1f24ef962b6ee7a70fc7558edc0cc809fc

SHA512
e09799dd7e63b24e5772b2d1522333791593048aad807d62220c5cac70c96cb1f18188c00d9df12a96f46c04b5c38475e7c2ca7f6cb67de663c1ef0809cd152c

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
64KB

MD5
c21136eb4677e6a8e43857cf63f245b9

SHA1
476ca1532c20f5c479b8e6a4fe82699658c77cae

SHA256
60786c6c5fcbdf027d8239434ac2c2d0fb77a9aee813f9040e043b3b92a1add3

SHA512
e9079cb3b8ce8ec545c0c09da6903db18cb26bd5599be21c0b8514397efbd279708df374e991b22c75fabda7a6b743d5393ac455f6c49ab3ac09812262e57692

Download Submit
C:\Windows\SysWOW64\Balfaiil.exe

Filesize
64KB

MD5
78d0f912232f4a4cc8f6329dc200a821

SHA1
a20908c546e452bcf2ea75652885d40d9ad8713d

SHA256
9a081ee75eb9a1a797ac9328a920faa5a63a2a6f72aa914b5b8d168f0a4f65e9

SHA512
7710d703fae5565a3a767322b7c0c7275d79be4d5cd169a040138276be3b0460fb5dcde0299918215342504d876f6da84f6e9d96e3b1423852cb18d5735b942d

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
64KB

MD5
b2f7f755a972610000f119be0e0f0c9c

SHA1
7817266e8b69cda03efe063bfe0731b83a397471

SHA256
c2c61f296c07e2d8ff45e49fb50d7e894f2ca983921c7c239c7c570514153870

SHA512
0b3b65e28e0837383a5089be8349a9fb73ee487d5c8070be66c493786234f697e341864d77edfc61efbb353fa0f669f09a0b5be885e9d656fb51e3d46d6d0270

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
64KB

MD5
cdc86f5a6c01c1b89cdea9cf055c6c1e

SHA1
5e5448b3815bb61bc9bb999287679240013330b0

SHA256
6702ee05e25e033ee960680bd082dae539c056e1117c26f18bd3aeeee27898bc

SHA512
db66f3405d6dfcaad472843f1ac46b8ea0321ed4392e7a93bdc8a30fdc77cba9c41236f37c2408605a9495a7192d7b6c5e2275e46f5a2a03eefc14f521aed005

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
64KB

MD5
a2a3ccfb9d1b602954154f2942e0e281

SHA1
8aa2ec7bde5d6fabb19bdd69d09ccc4fb6b52346

SHA256
59afed96c3c9cb798700c6303a2bf17859462158e6fe4112f8d6b7902dd79ef2

SHA512
24a677ec6b933968b3e8a6b6d20c35b34dbb4c113f8b824ba9fca9cd658c1f0b37f598410cc853f768c8aaa57bd6587a0cab3d1ed8a289f88a4ba9b14c8b3cce

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
34289992b9823373a92c5bbefe0e6ed1

SHA1
aa32671fdf125a23961d6a025467d32f0ae12bc0

SHA256
783bfa7434774303244cf4e391968daf19c74bff97e0711bfcd1225754b11081

SHA512
3397e49dbb879f22842d31eb4d5d7973aeea2b3aa49e9e19e564c6fe02965e562dcab20a49ec2304095468d2faa07b35314e6482a8397f91d3869c376aa5f4fc

Download Submit
C:\Windows\SysWOW64\Colffknh.exe

Filesize
64KB

MD5
0d475c5e4f5c96f809d0b97c7d4c4ee3

SHA1
c0593eab0881d1b6bfac3e4c144713abfdf3793a

SHA256
cd9f3c9377bdc40c5f953ec732d341cfb501a22532a6d8b2c119f24c29873f55

SHA512
8435872fb16a3e62fa89a4ab6e3223231b1553dcd4bd707a45f9a8bf00bf6f58e723010e1c85fc9e864143edd383cff757449f22de6ecc05bef660200c3c52ad

Download Submit
C:\Windows\SysWOW64\Dahode32.exe

Filesize
64KB

MD5
2bf653823648809abe2a573bc8ff4351

SHA1
ecf15934fac6a7d69267ed46311eabbc017779aa

SHA256
f584d661f24a51a7a39fc6e1bb512c4921163421acd2b67cd4bbfa56e40b2ed3

SHA512
d5094fd9efcb0cbb8e8e5bc366987b38ded29e5a8534e37bceeb495f122913d8eb766e7daf65d7ff68f5599cde2372cf3fe54eb1bbcc6cbce10c063d3bc94f56

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
64KB

MD5
5944eb7377b5627dfb691dd3860a66a1

SHA1
16773a6a33713be9bd5dbb0b6b9ee68091ace218

SHA256
0761e4aaf2e36784fbcefd09b959b99b3d11f8ace9bd365cffdf5b0fe02d3c21

SHA512
82704e278d744ba4fc17c856028ae91576a771b5b0cd350ec14d84045919a47188909c103457b77b3e31eaec0b8639953b610c2ef46a2b938dbf8d756134f065

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
e739330a233d105961b5b239ebaf620f

SHA1
a430054cf888d563adbe1728d9120634e276d7bf

SHA256
e7a11441e11300210f2f44ac4505e65adee916fa752b7d3adc293277e71b30fe

SHA512
ca618ceb437b1226b731c392bbe9ffba9fe79ee68cb971efa76704f38ce3b4df34e7f2ec2932006758720d5f7da74cd94f85c19bc286eb05403b6ec6eb69d9fa

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
64KB

MD5
ae8daf0e1e4d6ef835e9913e1b0812cd

SHA1
2fdafd4bbddb1ccd176703cc0e595682b130c217

SHA256
badf3805a516e0176eb416590fdf83130efd4462698384b7f0f2161831ec0679

SHA512
a88d349853375d317618b9971e8833448c8046b5cefb9a854583035d41f706a7985945e402c2bb513ed4f079a1d7f91b44783fb756863e32f675e0aaf6392cd7

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
64KB

MD5
b18cccf232cb6fd59b3bbb36f09efd11

SHA1
3720b76fe53e21fadb7b10855a5322532455c893

SHA256
384eee4cd157b28ade6bc8880370a8b4d5a3959e6245fa4e26be273833647426

SHA512
13ce2465c821d05359a03b0facd8a37843b588c2d690c532cefa8dee456f1f5510a19a9489cf435bf1121aef42a075dbaed0240ca8dd647e1cd273838ad488b1

Download Submit
C:\Windows\SysWOW64\Eabbjc32.exe

Filesize
64KB

MD5
040a6d220bbc781897419373a9624505

SHA1
6f1fb5202aa175eb2a9ebdb06537ba741030b81c

SHA256
091493ccc11c1a8eaa8f5dd9efc36537e0dfd32e94dba3b45fc1a0b35fbe9947

SHA512
11f890022a471a7a42a59b217f4e4fc8a961758deede5e6260a88ea7b3b1b84bfbca619063415c80e5b619f27b9d186fb61f8b443c8af406b71bd6c532ac58b2

Download Submit
C:\Windows\SysWOW64\Eaklidoi.exe

Filesize
64KB

MD5
9c133d3fcac1441787d1fce968b04cee

SHA1
af0f677ee2c1931d72ade15c2dd46bd03da17175

SHA256
0634c3b90593a0901e292287c806a99ce8c46c1cf409b9b27f7902388be6e1a8

SHA512
6d212c30f44d0bfe5d5c8bf82d2ad98acc5a9400e8743811e4622f7debd220e6a497537fd93f8cdb17a0c420dddf35ddecf9655626d6881783e2f2a60473d389

Download Submit
C:\Windows\SysWOW64\Ehgqln32.exe

Filesize
64KB

MD5
1b25a94110071981ba394fad69028f03

SHA1
a8313919d5fd5d7c179ee1c88f478556a355743e

SHA256
771644dfb42e7362991dc12ec4f162e50bb02b5fe0d93d1b951cdb48813197a7

SHA512
ebfa8b5a33d77a0cc2a1f82fd238f7cab950332f590ef98c2aa2528645d8e4b08fa0f4c891dd39ae004e28fbbddb26f94b1e75017998b94297487cee8df60e95

Download Submit
C:\Windows\SysWOW64\Fcfhof32.exe

Filesize
64KB

MD5
d32648cfa1cd3d8647ffd6a2c9b5bc85

SHA1
b8b819af34eaffc91d543fe77cd6681797276ecc

SHA256
53e1ffaf41fa0b6d458efeaca6ebee0e5d564011b17d02067430ec9092c8a6b5

SHA512
c5a492e77b770097673f1d1e43d56ba0c47f6e957c094e6f6c01a2865e1379196859628d1a8772e981740ab0334d04b9231e265a42ff18ae052c5301dfed6ec1

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
64KB

MD5
fb057ba94faf812596fca036073e35f3

SHA1
42ed5a6a5adb7451a0734d6583c4b3796e508e98

SHA256
ba6d0f09f663c6ae4ef47cf6a605c041f73ec22ac9c943aa0cb4969f1434eab5

SHA512
5e69fb218413ba843c5fdc643aeed3cab3d43d26fa84b439028a6809d9781c77577ac49de353209f75352b03a173dda18056ebfc8c75c82afdbd77063a41edcc

Download Submit
C:\Windows\SysWOW64\Gcddpdpo.exe

Filesize
64KB

MD5
d2f99a39ca8d696c75cceadb7fcb23cf

SHA1
dbfc8e5a26f19d8cd27421c8da741cd779a902cd

SHA256
9a6fbcb59ccef4f1284768c0ff6990815c31ee91aabd749548830858b84f0174

SHA512
3d37ae15eca715003f89438005311227e53716ed1c6f06ddd85cc93a82fad1468c22e1d8e08265a8271b89c0d934d1adf65125d9aff89bca923ecac3e0663993

Download Submit
C:\Windows\SysWOW64\Glhonj32.exe

Filesize
64KB

MD5
4fc7e2c8fd2996df6ffefa6881f2539d

SHA1
f41d446488788c065057c745282f13adb7cc740d

SHA256
780c2a32dc4a993065a7bdde4b08ad8ac3100d1e58daea4f499aa6d27f09e6f5

SHA512
0a62563fa03dd7f829e6c635fe464869eeb0c8317ac150f11c58759583afe4df973725e9f848ba0e2953e6cf9ad45f03d46bec082e3834b544bec6745fffb405

Download Submit
C:\Windows\SysWOW64\Gomakdcp.exe

Filesize
64KB

MD5
bef70505221357b5ba107f4e956588ae

SHA1
1e321e67ac888b48f870e1c64a2633c2fda883d1

SHA256
76574e249fe7ed1c4908d424d2d66b1c452bf60205d37a488b2e7ab0be981836

SHA512
4d9cbcae899b3fb1c0458dca3216cb8797754431ff964f152f592329ac5ea1d1b6eaee18292c9ddea0b0a125f9e7dc121ea9900dbeec2ea13360569c36cb96fe

Download Submit
C:\Windows\SysWOW64\Hbeqmoji.exe

Filesize
64KB

MD5
8b88e391927968d7e4d215e83917e5be

SHA1
c26c9252617364641ae5d2c1ece2e7d7fb118eb4

SHA256
da8a40cf0ce215e4f83457caf83c224e8bb5f7ba7a18fd948e4a991482d48aa9

SHA512
eae80d09686b09bd29480a05f333df03392bee64401308ea8deec3816e70369f4f29556eb4d63caeac87b54f614ddf9d43f5854545c9dbaad233271937564df7

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
64KB

MD5
599130ef5c00e407df73ce617f63ec42

SHA1
b36021274794609d89cbeb084a2b9f0911a97806

SHA256
b86378e55761a00b044f544966fe94eef550fc6d58f203f8e7b92870cc09441c

SHA512
29d5a976ac0f66aa8f66c38d65573394b1e4ecf19ca4054930f60392d4586e2cee4747a557522418291abb20e3b5fcd71dc85298f96fcf67745c1c10a76546d7

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
64KB

MD5
d6ceb643860f92f6c827b15b6cbf72eb

SHA1
866db587bd48a5761e178262e31516652a3c693c

SHA256
da8d3b80dd504c73d1056b841bdcf8268f3f186c34bda52283efcb06f1d9bcc3

SHA512
2bfb9b2cb8b9b0c8e8632363fe426e4d74f2b9a1d644509f1e89ccbbfc4126fbc52cb30221b9d310877c0c8448a39bcb8aba7c06f45d9e9733ac47d13fb44389

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
64KB

MD5
50ab039fd1ff574a9de466eb48ad2296

SHA1
c61c696da952cf5f328cb31008f09ebfb785e86b

SHA256
af910f4ca9153678bf7263096dae03884b944cbb4db980179755b51ef7f5407c

SHA512
02634a4e2f454544ff64fe4cb4d87702808656d5809761a9a0bb77fdd25f2d88642d48aa760648450e0e51128d755bea14624ccaf752d4ffe930868e814f7da1

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
64KB

MD5
a18aca520a6d5b38fdc82974a516f910

SHA1
54a82bc0da0e9cb7e23847be27e8b60812fe9a82

SHA256
3296db93debb57a8a6860fa94bb295b0ed9689606c36710e5d4a5c780a5af84b

SHA512
7dabb429ab4001c56589ef30927f602e190bf37260ea4f198c2d6f3b6cbd9a692411974d0b86a94caaa5498eb8cc991bdc73c81552ec55eee93c06552a6594a3

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
64KB

MD5
c997e23cc7a41af4bdc9388355742d60

SHA1
446a70e5c3e931ae7af4db8dcacf3e565d64e108

SHA256
9602b7a1120634825d6ee1e0d8168292ed5d4aa60a6d84cb6e297c4e3bd0adad

SHA512
bc6a6ce4eacd53de74e0152d5e9322533c9b9575aac07dc513ecc0441b97f3dcd96856179174458d9449e65efde6d3b965157c83a5a716e2cabe331223cb8695

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
64KB

MD5
54929b89d06e531b0cd55045592feaef

SHA1
91fdfdf29fb194b266bb09967389ae5a7aa882c3

SHA256
908d879c2b5055f020df702526b8b05600296a85aa22384c51bed974387df49f

SHA512
7192bd5970fde4b77447dcb51ecf9893b552587ecbb70259e29193aaedcff640ab8daf03f0477510ada5c9cb7663ff457a5a6863d2f3e4430a3b686a974e59a2

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
64KB

MD5
d3cb3c3726a4e6a06a75f57301cf9d92

SHA1
7bcc42e4751489130a8f268bd287c6b6c451778b

SHA256
620f5137040a797328bc35cdeaec0fd4cc78b2c6c2e5b24a0b69d4c445950f86

SHA512
c7d211857a1e0186505054074342ec95df3f4972ddac3eca89dd8849350b33d918e84f238c63c72f4aa7933ca52ade6ee81b80054c38f6cae4331bca8d92e541

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
64KB

MD5
fce875a44d5bb4061f189e81d559dc22

SHA1
fe071ee15dc8b2ee695247b858e3bcd7604f6af1

SHA256
7aebe7e8e7dd2f02b7f7c95fa2f77467fd761de1186507e9a959e90a3b533da6

SHA512
2fd5da49f0f16f0b1b15a4a19969dbd4ab68ac52a0d8e390fb9ac17dacadff7747e6adb3e644c22bbe58bebb5ebcb210a41b57651766b590f1957dbdbb51dec6

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
64KB

MD5
5b9e0a904b8c18f19ed98eb7941c6b0e

SHA1
29fe4907defecf443362940fa75a9bdc2e9fc5aa

SHA256
85700cb5d79e67c4ffc840977e6f12cc4f94bbee20449aeeadccb0ac55fab7c6

SHA512
af2960150350839aec499fa35e268d37491fce0cf3fac3a07adc9268e94b85ceed0d5f914d312e216c0453d5022b4cbff942324b9269f02cba9fdd9995d1ef47

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
64KB

MD5
a4d0f3d8ae6c5775231053b58a5d223d

SHA1
672d2b498cd868d183edf1d0ab76e4abec346892

SHA256
6759f78073aaebcdb718c8445dad97032fad9a62193c10d9103061ae6edbd205

SHA512
89915373859374f06be4c2a769c0cca0d2a520ce8c0cc69b5ddabe80df5c9789714e904d461b4e6ec59d0a8e3146e1641c71ee0a126247cbb43ac613462d316a

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
64KB

MD5
79023e7097191a0ae896a61081586e41

SHA1
8dbd2fc826b84c0319e62b41147d281f60f1ae65

SHA256
e7d097f92682b356501bb67ccf57be8d5853d2525d1e3c0721c56c118a499f94

SHA512
03dfe9161a77c8edc269bd74133e576b8abe1681cb4e2b63893010cd7640fe9b2a3c71177eaa1cc6805b30149b22ed52187249f40179656f57337f5e7b58ffdd

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
64KB

MD5
c33581639ff150263d0d488fc6dd1ef2

SHA1
325360010cf29ee766d5053f09ed05867c568b18

SHA256
5724221e8dda711e8da8cabb03c993dc181b4edf55266e812ee7ee81bbbb2683

SHA512
7f03fe3a8173ef20618fe0871fddf8e4ce88f4be95b7ad3a96addc6fb0e11b82ef287fc44803a2aac8c636c2df6c99a5f01e8bf0cb6a47b0642c49bd24e975c9

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
64KB

MD5
0c3dfe23c5b5210545495cbacc8e5a90

SHA1
aeeb5c393ba35bea35f21d7ce6ec819f1310729b

SHA256
f9a0d7fe9133ca390aeafd7344be0bb1fe67627d96c86dfe02b396e363dddcb5

SHA512
ce6ec3f2014576f76e1a02d971a976864cbc16bbd52938bf33106f23a487294e31e38ab640780602381c92193d3e53fa4c25958a413790f06535f480a9833c49

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
64KB

MD5
a27e3e7b1c4c20b7c5885f1810b010fb

SHA1
984b6f37051ef4e77cbca8305a52d26f518a589f

SHA256
fa4b6a5f6aebcfa7a81078c609c58be5c252017f091752343b3b2ac44b458d7a

SHA512
bd7a909b9de3786c3f9e6a751048f666ced2200de143355cda5981ccc0b8b11eda1c5ccdaf87269ff41468c6b8159bc83c53f17575ac22720438152418ac054a

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
64KB

MD5
4d129f7eeecb439dba405f9600f9a437

SHA1
9e230e0657eefb016babc4657af16bfad616e485

SHA256
85b82c0bd1f8714fb5abc65a512b44f5cda480aa08ef33a3574d4d372fd53bba

SHA512
0c4e9aa5af6ef02bdec9363528e359534ce12d23f61c6693c670118a3d2e644671c5f3b74821da87809326b4e354034f764e492e2995dfeffe01b647894a3ea6

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
64KB

MD5
5dc40b122731004a00f6240d2deac7f5

SHA1
f76c245419b93600bdaaf472bc86ee0b3c3a87ee

SHA256
aee85a9123dceb109a9322b76187824a52be4b7d0d2b99ffc620e7ff2731961e

SHA512
2dad0d1d3ff1b6fe2399dce4fa7f6c042cc308e3fa8f49d25a2835560c9fa774c224acbeacd79ea198924ed820f44b47f2c17013a6c0a10b2b7deccb02fb0767

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
64KB

MD5
09a8a61937ecb3663468e0b2b931cb1c

SHA1
2236da0a8b737c07dd17c7c849928e48fafc62d8

SHA256
33e701b93ab2311d82cc6c4170235206c479af99a8366d6f22ac231a1e436ae1

SHA512
df30b557c1695ba153e399bbec737e660c2dce9a6b4051fb76706588dc0ef128462a3ab217a21a21c01b834077e814d151ddf68c65c06fe81dda328f759ec002

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
64KB

MD5
862d05af99b62475d1f77a632e9810a2

SHA1
8548e1c3c7eba9a1a6ce34a76aa0e8d944fce7bd

SHA256
f57106c52a5272e853af62273ec53691b38b04663b749348697d17b40cfd6f45

SHA512
d2648f63b0f6789a70f42ccd52c89f054ff62e5b7babf82e0904b8ed091de25f8f93904a04813de247be16146e7829bffe14df785d7955e6ce70e08b0a3ffa51

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
64KB

MD5
30b829c861a14f852e235dac4b50ff4d

SHA1
6baa44de84d0b61647bf0a67e9ead1571a9dc19d

SHA256
77de424aa500697e7ac3bedf5e2f3863d5bf922e0bbe8310b32e1b08cc4f4c9b

SHA512
34511b235cfff36babed8f80fbf31b7d7bd3f6e69eaee28a8648ff6fa71b0847683dad9945e15a94d88aa77d08c7ef71bc01c13c60476d85bfa6e3f1a566d6f6

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
64KB

MD5
d29f5432b4852d45a92bc11d6fe89b28

SHA1
3576e289acdff6f654cb597eadb886e6ae5aa38a

SHA256
72425f175ded66f4cd78a278347fe9171dab417255e2177716f700b344826c03

SHA512
58759f3fd06311cc083501b2680e889901337a22e3aaf72df6c2ce3dbe47f31543853602d713ddceb4455de3f916d809ff6454c6548dce93805107c7bd7cfce0

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
64KB

MD5
7563dac6e9599b756f5cf80c5730907b

SHA1
218eb8e8d8170852bcb7fb9a05eaec31c710f71b

SHA256
56337ebf2cbb004b6bc4392fe05e9f996e5ef8425f4ab00695f39c4eb143ce52

SHA512
b59cd7ea5af6e394dbbbec898d5aececb5db1650b89edd413da435250e42a1ba62febe3380256cca676fe9e21f7001b709ec1e7a15af8da340c96b8681599cd8

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
64KB

MD5
bfba33367752245e60092da50c8f80e5

SHA1
d1e03a8993d93e666083125de9cb36c699e9f675

SHA256
09f0342702288fbbc0d1075297d3b619b47282a6cf4d3088d0376ab9e57235b1

SHA512
6128ae50b4f0b899aa4547f7771cf88f0eb6f01763eed6fe256ee0965c9fbbd7c3070091f25a0f8e335553ba34fbde20c65c0cf275e5e2c4980d44609fc72365

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
64KB

MD5
73be2ce8e5efd9e9b2822f4f6e4fb5ef

SHA1
a9ea508e2f05291b0104b5eed8900e5dec861cf2

SHA256
d4ac3b87147fb725b637d9fe0796e280f476a613e49b7ef62e9ecb0136591562

SHA512
75d590d1b2709bcfd610941868b96cc6b530148b4a022eaf7f75aacbb1e71ee7c7ba4990a56c947d0848e0c0395e98ff22e54089582713140f8339065b050b89

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
64KB

MD5
b050cdbf1cbe15e2c8a41541bfeb0cc7

SHA1
958d4039c8237fdc0de85a9e80650f4492719037

SHA256
f9f220e943d51731238b5bd4c09bb79b3405fadb5704b34ecccd4a221057a84f

SHA512
65efa3162a2b78666cb761a3a85daacd1fcebccfd36a0c455797aa828d1bc6ec911a8f519a5b198decc1821e420be4797d638a5f7789efe2f0669ef2f5091d43

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
64KB

MD5
7a9455a637d319a6827fc9e8d034ae83

SHA1
67dd105c00f120679a2ef864cd2fb5e3b7cf992c

SHA256
495f0a7809632c99659454ea2abf9d6796da03f71be5cdc4d0ec3d5192758a13

SHA512
c8c567b418d3ea1a11e0b87544c27d1906f9b685fb65cfc0a5caf059c44afd753aae9cde89c7958c908f5dc69d32b76487af8824ac48a3a6ee44e6d978a26922

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
64KB

MD5
436d0de782bc2b8d7eced5b77a294545

SHA1
5833f1119973572eeb75a26b5d40bac055c19928

SHA256
dca2669d6f6f1b196a2c797efd3a07f784ea9217acafcbf7d45dd43c4f2e67e8

SHA512
749b375f3946d69084ee985f2d7588ddc2f22a61a24988b2e05a181389c7038bfd3a8dd5e0b5d87f3730840a15de5c3d00b0ac9616d950f60ed82716e2d56b31

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
64KB

MD5
9b0a72b092d3b224842a386553398d88

SHA1
73a3bb08a1929954500ccd016c953602feace639

SHA256
32379d486dcd6534cac39b06c8595460e40b79773595d4ed68cf8705f07bf983

SHA512
689e539fef1e64297444761d7111b77d25443b60370667979903ab7d201c65f3a7b50e7950d32586f7f1f2b5910574146a9ed03a2e3a51ede834166bff16b9af

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
64KB

MD5
32915581319897b6687d8674ab394c37

SHA1
5e237a10f58b27b46ec1399c8b38dab3592a65fb

SHA256
ae68f505cc101c14e995344672d2206a25719d65594ad59e33b54471c3e2fb3e

SHA512
ebb1bd35b44e45524b6bebace59291f2a14c7604c5fda7b487c91a4d32d6d27e4993cac25755e31cf03e0bbdfac620c6a3fcf732ad4e287fcecfa6abb2a87461

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
64KB

MD5
6d7f02a4f0e6dce9f5b9e34b78bfcb88

SHA1
dbd5b400a4b6d51ca671f0dfd49e1fdcf00efe0a

SHA256
def8086534659668e10b98b27eb204ac694eda6fe0e6260c3299d0e57c9d04f2

SHA512
f22b0ef468a6f2e7f19e4783d6aaab6cbe7525a84902f9286913746178d9579023cc7576b54a05177d73cde687e4b81369d1f8403c3bae1a85db616c5d3e34da

Download Submit
C:\Windows\SysWOW64\Ogcpjhoq.exe

Filesize
64KB

MD5
1688386ee4745702c63e3b207bc5500d

SHA1
2c5065d3a9f617ac5976df35f7ffef52e4639e81

SHA256
2a39c5af6d461a3c47ec8ac40c316705f592f5a871917dfa6f3b6c6c13332e68

SHA512
0ceaed725a41d3cb0543c7e68a8d2c39d28f8dc464741767f0a2fe2f617e0b17f66c28683da8f10384e9871655f3219ca5dc4a5e65da49af29778b9c833abd9d

Download Submit
C:\Windows\SysWOW64\Okolkg32.exe

Filesize
64KB

MD5
db0dca2603dd3a11cb0705d672435cd3

SHA1
61cf588c9d88d88712fb2f4b267a371303184e0b

SHA256
7ab1857dba7109f3731d9bafe601ddf7d1cdfa8e2ac3cd292e64f2c583b17bec

SHA512
58415f8541d797ba2eaebf428c888832df161480dae53e46718e2db453ef3a85d4f5e29ac62fe81f43b9dc370c2d7a5817953429c5e3914c9b7b9058b481fac0

Download Submit
C:\Windows\SysWOW64\Onmhgb32.exe

Filesize
64KB

MD5
7b86bfbf5109aa1e63c9f18b0bc0b192

SHA1
82630f5341fc5c9545315bfe8c025f6a7d813c09

SHA256
161eb88652add48a284023f50cdc071fd72a4b4464fb59417b7c088233876d2d

SHA512
961e79f9a242b7a92145f5ae7b03ac764fa64db9984b527d465e52f750c7b87f53480f19237cb086ae3844166b32dd69706870ace78af361ebe9aa8e1ce09c73

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
64KB

MD5
61b3186b3a6db8f1a74bac5f16b73ecd

SHA1
e556c54e969fdc5be1a17279dcab6b04c6c9afd7

SHA256
137da835b6780ae36c488e39e667366cbaa56362e472895b6e2885333e6cfc3e

SHA512
1b6a5632fc41b34736276df0282595b3a12c40af9667ecfb4ca7ae2dfa715b3a60bb915ad4ee564d4be8fd7a85e79eb773a0d902dd6d7251636f9218c444f858

Download Submit
C:\Windows\SysWOW64\Oqihnn32.exe

Filesize
64KB

MD5
cecc76c64e1acd5bc112a4b36055aa1c

SHA1
cb8ff824a88a1b1d37a9cabdad47af4d5cd4d100

SHA256
faf78e3ad6a4ffe1e1337411dc2e4438cf2b61878e75c7cce0142093b0fd68cb

SHA512
4f82e9763efc6b6bfbb761ce9000e6996c60442067cba7bf46e2493e894ca53c349bf361f75c5e98d03a3b38d41b4e2e6fd2b3282c09eee98e9bd613a1abef30

Download Submit
C:\Windows\SysWOW64\Oqkdcn32.exe

Filesize
64KB

MD5
1176c9e774ea14ede4cdc797c8c1abf6

SHA1
c1c2955770e91165c82e8991ef612d2692e5e770

SHA256
5af2a88e0d429bd983a275ffcf193e231f69234b33b3fc7dffe8a2737fccff53

SHA512
61e8444fb77bee8ffb52589f364baed5a386f5fbee756f770062aeaca4281fb2ab159c6fed25db97e560316aef347affd7def5e6f7f5c67ccb98177f29207be2

Download Submit
C:\Windows\SysWOW64\Paegjl32.exe

Filesize
64KB

MD5
914bf06353539813551085cefeb9290a

SHA1
44d12661415c06fad82388b10998fa35b1ba25b7

SHA256
a32909f1eb68108c99f17f19f390f7c97f3d8727ed28b6e7dd9298219c416ab5

SHA512
63da419bf31059ecf4b397c44c0b35236b3ad6b0669b08ba58e1d5557bdcb72b11aa3fa4fdaaffc63bbc8b9572dbec8fd439a02e19b3ad9c03f33bbe8223a418

Download Submit
C:\Windows\SysWOW64\Pagdol32.exe

Filesize
64KB

MD5
689d9d81ed61064169d8c617642444e6

SHA1
0835a1693d25f051e949a043649f3fd7f9ef04e4

SHA256
b3cbe37a70bdfc5b1f8e6fc28b0d2d05126582fd789ce476c385df957cd5cc5e

SHA512
a7def560c53fb366bcf7a86839bb853fbfa8572957607f989c4ac3526baa675101a6792a60a262a7a83ab74e5ff9e7c32c72d7962b697748c78cf78e0d03e8f1

Download Submit
C:\Windows\SysWOW64\Pcccfh32.exe

Filesize
64KB

MD5
c4ea9f9e1ab6adee85a68c95195265a8

SHA1
ccdfc2d8b16c7a42d6b23abc16143983acfa9b80

SHA256
c4d87fcbce154640a557dbdc1091f8800dc4fb25d8dfa3661076a94d26b73282

SHA512
897eddc97e2e87a5500588ec494423fe40ed7c36b66ab3eaa4d9642fbd0c92ab1adaffe7b3d66b5db95797ec35ec304af58eb0d5cb2602792db62c65b03d8957

Download Submit
C:\Windows\SysWOW64\Pclneicb.exe

Filesize
64KB

MD5
b2373eced583bb4670cf62fc567b236e

SHA1
1454f652494b412656ab5d4c25bbf0b903731fd5

SHA256
0d447b4130273d7f35909f49ff51820c76512a4eff6da72b6b72571fe73525f4

SHA512
ad56335c9936f6a8c49ed7e412e3ebf5ec66f5454d65123e29005f9d737213800bd3069e35e106de360408c8fe6bb0486a82e991653abc0ee78cfa9263dc235b

Download Submit
C:\Windows\SysWOW64\Peljol32.exe

Filesize
64KB

MD5
e38b151cd9030666c69a6981a1b64b30

SHA1
0f65efb3da865422483074858ccf659a34ee32f6

SHA256
ae1556b2bce38980a2f45323939d966a5370f33a5386daa30aeec938ae033f71

SHA512
e29ce567ff28afb4e940b8c9c45b2f634b7c23a9120380cccb681521b66739c8460e1888c4e407b94ac5c714c9e1734dec86926fd82c8de2ea44f9da6bc67d49

Download Submit
C:\Windows\SysWOW64\Pengdk32.exe

Filesize
64KB

MD5
9f78d295745a928f9f2666c677ade1c1

SHA1
0d7fdb06d8befe2e9e947c15211eb09468d848f7

SHA256
e34ff89d69bd687066a6307dc8f57247e1fab2b5b6b1d1f2abc7227c9785d674

SHA512
34fdaa519dda8c1d96c1cb60d0467f293650d166bfc567504914e15c5f3b67774bc9904b8d2453db7a1d8e582b8b512446a9a47d9becb5a1f6ced7de50f0b863

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
64KB

MD5
5b7ed1cee6e52710c9c2d0d9174fce53

SHA1
ebeecea3d761ada260c9935672a8825e2a3358a0

SHA256
ee23725d930d6bd9b8fff1db68a800dab0e26d813f8ce23a6c616e55159809a3

SHA512
f5b0da36e1c608c1d965e088444a470c224c98fc63edac989b31ba20d33b8cde8cdf89d9207e8f5f33077b094afaff45ada0bde4cfc58656e4b31ef80c7755f6

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
64KB

MD5
8fa3fbcb33a4e7d5c3d636871b6a081b

SHA1
bd0ecce408658b4331c89e6ef5a7cccfdfa20fb4

SHA256
67d58f1d6629f42da60594ac8ca9dfe8fff7b773f6ab0bb4fcdf05ae5aa1d823

SHA512
94c26ff46cd0b23fc9faffde473d92d916354d370207c9879b1c34d3cd7cd03361ac6fc9a0b7a65ca7e1859e3b82c3ef8e8c5bf2b4798c5fd9c9f8142c5ae281

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
64KB

MD5
85707e6fc9ea90f32655d96c5c8e4435

SHA1
5d563de737ad4f4202b929760b977762ecc31985

SHA256
ea1d77a3934590630359057105725b61da5a247a8c9e3343b5d16f8630d75017

SHA512
6b331cb25a0f9abf12dc4141996227392bae34c72b2dd4889fb1a72caa6995315fb4d9e3cb96f3dd1d7bc9528c1dbdce0b55bde3493f689c88e708ee3f1e8bb6

Download Submit
C:\Windows\SysWOW64\Pjkombfj.exe

Filesize
64KB

MD5
0a74fc13e4f454d49aa55d1f86eff62a

SHA1
cfcb7679f821cfbe05a9d4942d52deb4dfb4d43e

SHA256
396503788d53f49f7c45c58921ba3e6da242d9cd6c99dc920ba121fbb765cd3c

SHA512
184296673b9a2e04626d8f9c53f485d75b3b7b7cb673c4adec3fc676992ee5a5b992e7c798e2a2562b0a19a6e6f30ad68f34525308e79b97779de02cbfca0153

Download Submit
C:\Windows\SysWOW64\Pjmlbbdg.exe

Filesize
64KB

MD5
280a51617f76b8282183d2f5da3f439d

SHA1
056d808937b4d9823576a28166692f2e387cce72

SHA256
589e5d3ce9a6df645b2257d3b34769745d1228aed17973bb91edccaed88920e4

SHA512
3b56619d614a31c1cf4e39a36ca618fd6de323d9a68f4f654307a981bad7b9ef38fa55a04a008ea2d27586ac94711af4811954175cebb41e8555048113b952b8

Download Submit
C:\Windows\SysWOW64\Pkaiqf32.exe

Filesize
64KB

MD5
a99e62a6c5a5605bee69fb4e6078e560

SHA1
2a2d1dd2543617e5d53a9e7f81bac73f92e24838

SHA256
435678f780b218aca8fe8eed90adb7c66038e02553d160d43b3fbd8eccfeac17

SHA512
9ac238aa40e2bf382d58d04198a5b736803786610b8356ed7caf480d24f52c45b205418de2371dceaada5300388f205c53534b61badd7fbd1482e8ceb33f2249

Download Submit
C:\Windows\SysWOW64\Pkceffcd.exe

Filesize
64KB

MD5
46fad1ecf0068a5c01217e575d3a5c54

SHA1
a368bb15642aae6309eede5a874578d1b09efe0e

SHA256
33ec6bd2deb9599318b276860809ed629ec300f47d55a92badca76b2ba068dd7

SHA512
ab2e7fb718cff7f81aeaf49c42c2e77b43ad276fd531f092583641708ad3e82375c07161abe7ecabca4810c6ab1885efbd76dd3eb989e8b23a48f41f3f559d98

Download Submit
C:\Windows\SysWOW64\Pkfblfab.exe

Filesize
64KB

MD5
2a0ef264f383b7891fcce8479b23765c

SHA1
29c2c23a35ce916c4128a6c3ff9e61ac3aa43e3e

SHA256
103ac4eb7de1fdba717293cfe24f29e04b6f8f94250985178e44dff91a55a80b

SHA512
dd0ef373af6aed29ab040651a17775403e55cb4224ea113f63eb1bbd55a23aac5f28f10650d58e0296872c9ab603109bd7dc9d155c9ad8f76f19796865200d9d

Download Submit
C:\Windows\SysWOW64\Pnbbbabh.exe

Filesize
64KB

MD5
beee760f0034e4d4dfe05364ad31f788

SHA1
84956e7341abf7cdfca06916dec987d3a8fcccee

SHA256
7765db7dd0950cdeadc2fad0a81a338477359fc5300aa3b3b4fb3dbc124f8514

SHA512
5135b8d93861de2f6c791f8dae9faea4629d57dc829066365e4e5ff09f09be002fa5ba05bdd2cd73c68daeb73bf5b80e97a2cfc6d8d4446c40c0ad88b6e615ca

Download Submit
C:\Windows\SysWOW64\Pndohaqe.exe

Filesize
64KB

MD5
a74bdbdfcc1c7b518c855f7959c7a330

SHA1
fc7c2b2d0bc1bd440e6849e7bd0777f7d70b1e80

SHA256
02eb275c32cebd1b0348cc19cb5eb6e4ab690657b50e0233a515ba3c1f106850

SHA512
702af86c9374d152c7417aa7cca8875a8e4188724fb05e6c168ba9e4a4cb350c1ec4a956c411989577859b3a68abc42ac48375a54c23ffbfd8f8ce1958607786

Download Submit
C:\Windows\SysWOW64\Pnpemb32.exe

Filesize
64KB

MD5
10696d048bbff2fbf107462f70d72663

SHA1
dfe446b73aa51d4d3a118c0a72faf7d34ee3a75f

SHA256
02f61dff6d3c896c5e0adbccec9a540b3faa035c06d5b2902d2aa2656a3f3705

SHA512
39f0246d9e91e15b38029d7cc29fa997e99dcb2152f286cf4dbd9b45c48497412e88a56cdc5a3cd002a1cf1dd9c158f110db49eaba660c58f299f8c636fc607f

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
64KB

MD5
dafdc5963b26d1e8ee43e61783b0ce6e

SHA1
0027f363eef7ea2bcd785ec55906fc33cb1e9ee0

SHA256
7a5056fe610932da31202a718d1717e349c19f122f0b0c126854c8f0a8602d3b

SHA512
cb3c04f90c624c646672fdf3f4240c660f8876abe01ce41047567c10d4c7eaebcfab172f02dcda5b51f41b8269074e4ce2be2e3e4a6df1282e3047551bcd02d1

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
64KB

MD5
6b9c8bd0f76b5d65b10d881dbb6b120d

SHA1
71aa2567778db97d1fa85536baaed3e3f7a186ac

SHA256
73998a48d77b54e1bcb3416190f24fa298fa34cf939543a2de81adab8611764c

SHA512
aa6ebc50a206a0107914add4262320f685ddda9dfc5151315cd57da50a2c294360deef7db4fe1d77022237a0f01b9089b592acc0c53d91b402b9cdd6cb72c950

Download Submit
C:\Windows\SysWOW64\Qajadlja.exe

Filesize
64KB

MD5
d17019defb8dd5d5f5722b9c09e24789

SHA1
dc5583e20a7b50a5d82e5d7130f18facb6f9cf40

SHA256
a4457feb59d2cc1ad36be4037c89fdcae98b49a6549aece9a89b36b4a435e7eb

SHA512
9db16b9090de95c028793d22085981c1ff912362f13e61a1414efc6b897b1a864278fc35553f7c4a1d5f0e69a619bfa8534820ac4488c3c3594a91937ba61873

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
64KB

MD5
a68ba1af6595bf8677424d9200c7615e

SHA1
d39d9a5e435fe685e5b8890b76cd1d3e63cbeb64

SHA256
775c7541e2e7095fa74ce71752ab1bc64efcefe657b132d0e9d977b03a7cf005

SHA512
11cc8948550dbd541983698258e5887fd47bc4a445d332c8bdaad9534b9e5b3de4ab1d22de8af4a91e9483dddee30dbe5f348d81dd40b9806aa09413455bfb4e

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
64KB

MD5
4e94743600d81c932770e077ed1b9e8d

SHA1
ccf8489fe7b4939c67fe19a00fde5a2a60220b36

SHA256
7c33b09fc989bde7f04cca16c0e859c05cc8a3463a59e83d95771e822a0bf273

SHA512
03147078729192839efec3a912677b0e2c432e487ab64257954655115ad3da063e11deeb7843504c6310b658b264060731daa536c56381d6a4a921033c2d6a88

Download Submit
C:\Windows\SysWOW64\Qgciaf32.exe

Filesize
64KB

MD5
ed8a70ed342f07ebaed97972d06e0657

SHA1
820b2c4fe4f7a207916c2a9f6fa80f33c7c28059

SHA256
72c45c50cccaa1e808b5575d9a706f8ce3cacbf544d21a9368d0ff5d995aef79

SHA512
891c3f83235f2fcbbefe3f0253c28930740693e4b99b8b1930eb925fbdd15d561923ed12d583d6b4e46426352f74b7a0dbd3e53b9cc8e1b3acf06e5a885c468e

Download Submit
C:\Windows\SysWOW64\Qkmhlekj.exe

Filesize
64KB

MD5
d0367ecd4fd81f20b8217d62c68e34ff

SHA1
733123006f97a3c9120971a8f50ba58c505b445a

SHA256
0a14f1798f0a7431cdf32b4f525d3fc89113507977f622ae93ccf3beb5adb094

SHA512
64b887383c6139351f4ef41c850137dbc6f64c4100ecb2d18c528aedb7c4c4214cfa27efdaeb95c46086a58c2da48fa4ced4ef0634779e1e67bfa3bc9127f367

Download Submit
C:\Windows\SysWOW64\Qnkdhpjn.exe

Filesize
64KB

MD5
60e3b2a1dd3ed86c3fda12611e7d15bd

SHA1
d9e989dbd4fd4457efeb69c69307885a39365a89

SHA256
ba9f9916198bbfda65bdc21986514674c688934870ed680651e4d98945682837

SHA512
f60797fa2f376a01a96fe88eb89837545b7764cbc77a2021e666fc52ce4b188475ab319323148fb4802b589085f0bb164e7711af22739589b920a53e8ac90b5a

Download Submit
C:\Windows\SysWOW64\Qnnanphk.exe

Filesize
64KB

MD5
06645c8746f2ac0d521d6584426c040c

SHA1
a37c6936358478447d822fab741181456fac1027

SHA256
29a005f8a75ffb059a203e5d080fc526c8e0486a329da544b56c909e1e3279bf

SHA512
06732fc9616f6e534bebdd3298b44a29ce6f2a4680640ea122dce21ed6587fe94fd23ed8e9bd9b670f840e363977ec0781387f8a24b78dc6236ed5ebc9795610

Download Submit
memory/60-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1932-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7208-2099-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7648-2101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8052-2100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads