55594be7db97c4411a334243be379d42faf125d62ec50cd89db88d9edee2018a

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45e513a30ee43b5db8ae97d35039bbf0_NeikiAnalytics.exe
Size

77KB
MD5

45e513a30ee43b5db8ae97d35039bbf0
SHA1

41cc003bf5fdd45c1a8902b0d56c93cf90a496a8
SHA256

55594be7db97c4411a334243be379d42faf125d62ec50cd89db88d9edee2018a
SHA512

cff4a8eee263ec6c60474e7af9469a772580b166d794919405079807aa402e7e55a881560882b296e19692e66ba742c3d7e8a37011727cdc5363db152f94862f
SSDEEP

1536:t/4swbrss2B3x28b9XwxCx2LtOtwfi+TjRC/D:xnwHAVx28b9XxKewf1TjYD

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcojed32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbllbibl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllpbldb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onmhgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcckif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifefimom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfqlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobcpmfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eekaebcm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhgjblfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecandfpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aegikj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahkobekf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aacckjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfoiqll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnjab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icnpmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgopffec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkfblfab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmhja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofbch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeklag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgmcqggf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adapgfqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qchmagie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fllpbldb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okjbpglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbgqohi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgqln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe

Executes dropped EXE 64 IoCs

pid	Process
2796	Okeieh32.exe
4040	Oqbamo32.exe
748	Okhfjh32.exe
3640	Oqdoboli.exe
4804	Odpjcm32.exe
2264	Okjbpglo.exe
2824	Oqgkhnjf.exe
2972	Okloegjl.exe
1068	Oqihnn32.exe
5052	Ocgdji32.exe
1584	Ogcpjhoq.exe
2512	Onmhgb32.exe
4820	Oqkdcn32.exe
212	Pkaiqf32.exe
1212	Pbkamqmd.exe
3396	Peimil32.exe
2136	Pkceffcd.exe
2224	Pnbbbabh.exe
4924	Pcojkhap.exe
4592	Pkfblfab.exe
2040	Pbpjhp32.exe
1452	Pgmcqggf.exe
1468	Pjkombfj.exe
4020	Paegjl32.exe
780	Pgopffec.exe
2320	Pjmlbbdg.exe
4912	Pbddcoei.exe
2992	Qcepkg32.exe
2472	Qnkdhpjn.exe
4380	Qbgqio32.exe
2808	Qchmagie.exe
3972	Qloebdig.exe
3712	Qnnanphk.exe
2056	Aegikj32.exe
2852	Agffge32.exe
2396	Ajdbcano.exe
932	Abkjdnoa.exe
1120	Aejfpjne.exe
1656	Ajfoiqll.exe
4192	Anbkio32.exe
4276	Aelcfilb.exe
4536	Ahkobekf.exe
3912	Alfkbc32.exe
4492	Andgoobc.exe
1364	Aacckjaf.exe
3216	Adapgfqj.exe
3596	Angddopp.exe
5008	Abbpem32.exe
1840	Adcmmeog.exe
4816	Alkdnboj.exe
2252	Aniajnnn.exe
444	Abemjmgg.exe
4580	Bdfibe32.exe
4684	Bhaebcen.exe
1108	Bjpaooda.exe
2100	Bajjli32.exe
4604	Bdhfhe32.exe
1608	Blpnib32.exe
5088	Bnnjen32.exe
4928	Balfaiil.exe
2128	Bopgjmhe.exe
3076	Bejogg32.exe
2828	Bldgdago.exe
1580	Bobcpmfc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Elgfgl32.exe	Edpnfo32.exe
File created	C:\Windows\SysWOW64\Enoogcin.dll	Hodgkc32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Edpnfo32.exe	Eabbjc32.exe
File opened for modification	C:\Windows\SysWOW64\Jplfcpin.exe	Jlpkba32.exe
File opened for modification	C:\Windows\SysWOW64\Conclk32.exe	Chdkoa32.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Mcgdgamg.dll	Cajcbgml.exe
File created	C:\Windows\SysWOW64\Manffk32.dll	Chdkoa32.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pbddcoei.exe	Pjmlbbdg.exe
File created	C:\Windows\SysWOW64\Mgqddl32.dll	Cddecc32.exe
File opened for modification	C:\Windows\SysWOW64\Hijooifk.exe	Hflcbngh.exe
File created	C:\Windows\SysWOW64\Jidklf32.exe	Jehokgge.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Qcepkg32.exe	Pbddcoei.exe
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kikame32.exe
File created	C:\Windows\SysWOW64\Icpnnd32.dll	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Cpaqkn32.dll	Edbklofb.exe
File created	C:\Windows\SysWOW64\Fllifblf.dll	Jfaedkdp.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ahkobekf.exe	Aelcfilb.exe
File created	C:\Windows\SysWOW64\Jfaklh32.dll	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Kmncnb32.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Gdkkfn32.dll	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Dlkhie32.dll	Iikhfg32.exe
File created	C:\Windows\SysWOW64\Himldi32.exe	Hfnphn32.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Elppfmoo.exe	Edihepnm.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Lekehdgp.exe	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Hmcojh32.exe	Hmabdibj.exe
File created	C:\Windows\SysWOW64\Efjecajf.dll	Kfankifm.exe
File created	C:\Windows\SysWOW64\Lboeaifi.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Oqgkhnjf.exe	Okjbpglo.exe
File opened for modification	C:\Windows\SysWOW64\Edbklofb.exe	Eadopc32.exe
File created	C:\Windows\SysWOW64\Dakipgan.dll	Kefkme32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Ckedalaj.exe	Chghdqbf.exe
File created	C:\Windows\SysWOW64\Ocalcppo.dll	Eoolbinc.exe
File created	C:\Windows\SysWOW64\Nknjccol.dll	Edpnfo32.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cilkoi32.dll	Cbqlfkmi.exe
File created	C:\Windows\SysWOW64\Jioaqfcc.exe	Jfaedkdp.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Docjlc32.dll	Iefioj32.exe
File created	C:\Windows\SysWOW64\Linjpeof.dll	Eaklidoi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10752	10648	WerFault.exe	489

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajdbcano.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocalcppo.dll"	Eoolbinc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnenbk32.dll"	Camphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dceohhja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fllpbldb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heomgj32.dll"	Fcfhof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcimkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipknlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnicfelf.dll"	Pbddcoei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogiek32.dll"	Ehgqln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifefimom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnjlc32.dll"	Ajfoiqll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpnnd32.dll"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjkombfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbgqio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qloebdig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gokdeeec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmidh32.dll"	Oqdoboli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Himldi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieakglmn.dll"	Hfqlnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifefimom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaedkdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgpfak.dll"	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genaegmo.dll"	Dhpjkojk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihdea32.dll"	Edihepnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fojlngce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Megkhf32.dll"	Blpnib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chbnia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceipnc32.dll"	Qnkdhpjn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clkndpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aacckjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpnchp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 2796	4800	45e513a30ee43b5db8ae97d35039bbf0_NeikiAnalytics.exe	83
PID 4800 wrote to memory of 2796	4800	45e513a30ee43b5db8ae97d35039bbf0_NeikiAnalytics.exe	83
PID 4800 wrote to memory of 2796	4800	45e513a30ee43b5db8ae97d35039bbf0_NeikiAnalytics.exe	83
PID 2796 wrote to memory of 4040	2796	Okeieh32.exe	84
PID 2796 wrote to memory of 4040	2796	Okeieh32.exe	84
PID 2796 wrote to memory of 4040	2796	Okeieh32.exe	84
PID 4040 wrote to memory of 748	4040	Oqbamo32.exe	85
PID 4040 wrote to memory of 748	4040	Oqbamo32.exe	85
PID 4040 wrote to memory of 748	4040	Oqbamo32.exe	85
PID 748 wrote to memory of 3640	748	Okhfjh32.exe	86
PID 748 wrote to memory of 3640	748	Okhfjh32.exe	86
PID 748 wrote to memory of 3640	748	Okhfjh32.exe	86
PID 3640 wrote to memory of 4804	3640	Oqdoboli.exe	87
PID 3640 wrote to memory of 4804	3640	Oqdoboli.exe	87
PID 3640 wrote to memory of 4804	3640	Oqdoboli.exe	87
PID 4804 wrote to memory of 2264	4804	Odpjcm32.exe	88
PID 4804 wrote to memory of 2264	4804	Odpjcm32.exe	88
PID 4804 wrote to memory of 2264	4804	Odpjcm32.exe	88
PID 2264 wrote to memory of 2824	2264	Okjbpglo.exe	89
PID 2264 wrote to memory of 2824	2264	Okjbpglo.exe	89
PID 2264 wrote to memory of 2824	2264	Okjbpglo.exe	89
PID 2824 wrote to memory of 2972	2824	Oqgkhnjf.exe	90
PID 2824 wrote to memory of 2972	2824	Oqgkhnjf.exe	90
PID 2824 wrote to memory of 2972	2824	Oqgkhnjf.exe	90
PID 2972 wrote to memory of 1068	2972	Okloegjl.exe	91
PID 2972 wrote to memory of 1068	2972	Okloegjl.exe	91
PID 2972 wrote to memory of 1068	2972	Okloegjl.exe	91
PID 1068 wrote to memory of 5052	1068	Oqihnn32.exe	92
PID 1068 wrote to memory of 5052	1068	Oqihnn32.exe	92
PID 1068 wrote to memory of 5052	1068	Oqihnn32.exe	92
PID 5052 wrote to memory of 1584	5052	Ocgdji32.exe	93
PID 5052 wrote to memory of 1584	5052	Ocgdji32.exe	93
PID 5052 wrote to memory of 1584	5052	Ocgdji32.exe	93
PID 1584 wrote to memory of 2512	1584	Ogcpjhoq.exe	94
PID 1584 wrote to memory of 2512	1584	Ogcpjhoq.exe	94
PID 1584 wrote to memory of 2512	1584	Ogcpjhoq.exe	94
PID 2512 wrote to memory of 4820	2512	Onmhgb32.exe	96
PID 2512 wrote to memory of 4820	2512	Onmhgb32.exe	96
PID 2512 wrote to memory of 4820	2512	Onmhgb32.exe	96
PID 4820 wrote to memory of 212	4820	Oqkdcn32.exe	97
PID 4820 wrote to memory of 212	4820	Oqkdcn32.exe	97
PID 4820 wrote to memory of 212	4820	Oqkdcn32.exe	97
PID 212 wrote to memory of 1212	212	Pkaiqf32.exe	98
PID 212 wrote to memory of 1212	212	Pkaiqf32.exe	98
PID 212 wrote to memory of 1212	212	Pkaiqf32.exe	98
PID 1212 wrote to memory of 3396	1212	Pbkamqmd.exe	99
PID 1212 wrote to memory of 3396	1212	Pbkamqmd.exe	99
PID 1212 wrote to memory of 3396	1212	Pbkamqmd.exe	99
PID 3396 wrote to memory of 2136	3396	Peimil32.exe	100
PID 3396 wrote to memory of 2136	3396	Peimil32.exe	100
PID 3396 wrote to memory of 2136	3396	Peimil32.exe	100
PID 2136 wrote to memory of 2224	2136	Pkceffcd.exe	102
PID 2136 wrote to memory of 2224	2136	Pkceffcd.exe	102
PID 2136 wrote to memory of 2224	2136	Pkceffcd.exe	102
PID 2224 wrote to memory of 4924	2224	Pnbbbabh.exe	103
PID 2224 wrote to memory of 4924	2224	Pnbbbabh.exe	103
PID 2224 wrote to memory of 4924	2224	Pnbbbabh.exe	103
PID 4924 wrote to memory of 4592	4924	Pcojkhap.exe	104
PID 4924 wrote to memory of 4592	4924	Pcojkhap.exe	104
PID 4924 wrote to memory of 4592	4924	Pcojkhap.exe	104
PID 4592 wrote to memory of 2040	4592	Pkfblfab.exe	105
PID 4592 wrote to memory of 2040	4592	Pkfblfab.exe	105
PID 4592 wrote to memory of 2040	4592	Pkfblfab.exe	105
PID 2040 wrote to memory of 1452	2040	Pbpjhp32.exe	106

C:\Users\Admin\AppData\Local\Temp\45e513a30ee43b5db8ae97d35039bbf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\45e513a30ee43b5db8ae97d35039bbf0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\Okeieh32.exe
  C:\Windows\system32\Okeieh32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\Oqbamo32.exe
    C:\Windows\system32\Oqbamo32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\SysWOW64\Okhfjh32.exe
      C:\Windows\system32\Okhfjh32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Windows\SysWOW64\Oqdoboli.exe
        
        C:\Windows\system32\Oqdoboli.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
      - C:\Windows\SysWOW64\Odpjcm32.exe
        
        C:\Windows\system32\Odpjcm32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Okjbpglo.exe
        
        C:\Windows\system32\Okjbpglo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Oqgkhnjf.exe
        
        C:\Windows\system32\Oqgkhnjf.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Okloegjl.exe
        
        C:\Windows\system32\Okloegjl.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Oqihnn32.exe
        
        C:\Windows\system32\Oqihnn32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Ocgdji32.exe
        
        C:\Windows\system32\Ocgdji32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Ogcpjhoq.exe
        
        C:\Windows\system32\Ogcpjhoq.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Onmhgb32.exe
        
        C:\Windows\system32\Onmhgb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Oqkdcn32.exe
        
        C:\Windows\system32\Oqkdcn32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Pkaiqf32.exe
        
        C:\Windows\system32\Pkaiqf32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Pbkamqmd.exe
        
        C:\Windows\system32\Pbkamqmd.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Peimil32.exe
        
        C:\Windows\system32\Peimil32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Pkceffcd.exe
        
        C:\Windows\system32\Pkceffcd.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Pnbbbabh.exe
        
        C:\Windows\system32\Pnbbbabh.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Pcojkhap.exe
        
        C:\Windows\system32\Pcojkhap.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Pkfblfab.exe
        
        C:\Windows\system32\Pkfblfab.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Pbpjhp32.exe
        
        C:\Windows\system32\Pbpjhp32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Pgmcqggf.exe
        
        C:\Windows\system32\Pgmcqggf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\Pjkombfj.exe
        
        C:\Windows\system32\Pjkombfj.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Paegjl32.exe
        
        C:\Windows\system32\Paegjl32.exe
        25⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\Pgopffec.exe
        
        C:\Windows\system32\Pgopffec.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\SysWOW64\Pjmlbbdg.exe
        
        C:\Windows\system32\Pjmlbbdg.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Pbddcoei.exe
        
        C:\Windows\system32\Pbddcoei.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Qcepkg32.exe
        
        C:\Windows\system32\Qcepkg32.exe
        29⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Qnkdhpjn.exe
        
        C:\Windows\system32\Qnkdhpjn.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Qbgqio32.exe
        
        C:\Windows\system32\Qbgqio32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Qchmagie.exe
        
        C:\Windows\system32\Qchmagie.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Qloebdig.exe
        
        C:\Windows\system32\Qloebdig.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Qnnanphk.exe
        
        C:\Windows\system32\Qnnanphk.exe
        34⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\SysWOW64\Aegikj32.exe
        
        C:\Windows\system32\Aegikj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Agffge32.exe
        
        C:\Windows\system32\Agffge32.exe
        36⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\Ajdbcano.exe
        
        C:\Windows\system32\Ajdbcano.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Abkjdnoa.exe
        
        C:\Windows\system32\Abkjdnoa.exe
        38⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\Aejfpjne.exe
        
        C:\Windows\system32\Aejfpjne.exe
        39⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\Ajfoiqll.exe
        
        C:\Windows\system32\Ajfoiqll.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Anbkio32.exe
        
        C:\Windows\system32\Anbkio32.exe
        41⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Aelcfilb.exe
        
        C:\Windows\system32\Aelcfilb.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Ahkobekf.exe
        
        C:\Windows\system32\Ahkobekf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        44⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Andgoobc.exe
        
        C:\Windows\system32\Andgoobc.exe
        45⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Aacckjaf.exe
        
        C:\Windows\system32\Aacckjaf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3216
        
        C:\Windows\SysWOW64\Angddopp.exe
        
        C:\Windows\system32\Angddopp.exe
        48⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Abbpem32.exe
        
        C:\Windows\system32\Abbpem32.exe
        49⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        50⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Alkdnboj.exe
        
        C:\Windows\system32\Alkdnboj.exe
        51⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Aniajnnn.exe
        
        C:\Windows\system32\Aniajnnn.exe
        52⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Abemjmgg.exe
        
        C:\Windows\system32\Abemjmgg.exe
        53⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\Bdfibe32.exe
        
        C:\Windows\system32\Bdfibe32.exe
        54⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Bhaebcen.exe
        
        C:\Windows\system32\Bhaebcen.exe
        55⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Bjpaooda.exe
        
        C:\Windows\system32\Bjpaooda.exe
        56⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        57⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        58⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\Blpnib32.exe
        
        C:\Windows\system32\Blpnib32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Bnnjen32.exe
        
        C:\Windows\system32\Bnnjen32.exe
        60⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        61⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Bopgjmhe.exe
        
        C:\Windows\system32\Bopgjmhe.exe
        62⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Bejogg32.exe
        
        C:\Windows\system32\Bejogg32.exe
        63⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        64⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\Bobcpmfc.exe
        
        C:\Windows\system32\Bobcpmfc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Bdolhc32.exe
        
        C:\Windows\system32\Bdolhc32.exe
        66⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        67⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\Cbqlfkmi.exe
        
        C:\Windows\system32\Cbqlfkmi.exe
        68⤵
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        69⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        70⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        71⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        73⤵
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        74⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        75⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        76⤵
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        77⤵
        
        PID:776
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        78⤵
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        79⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        80⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        81⤵
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        82⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        83⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1752
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1164
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        86⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        87⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        88⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        89⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        90⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        91⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        92⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        93⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        94⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        95⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        98⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        99⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        100⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        102⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        104⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        105⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        107⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        108⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        110⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        111⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        112⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        115⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        119⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        120⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        122⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        123⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        125⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        126⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        127⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        128⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        129⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        130⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        131⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        132⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        133⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        135⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        136⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        137⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        138⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6184
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        140⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        141⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        142⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        143⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        144⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        145⤵
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        146⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        147⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        148⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        149⤵
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        150⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        151⤵
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        152⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        153⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        154⤵
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        155⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        156⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        158⤵
        Drops file in System32 directory
        
        PID:7012
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        159⤵
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        160⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        161⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        162⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        164⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        165⤵
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        166⤵
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6564
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        169⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        170⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        171⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        172⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        173⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7000
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        175⤵
        Drops file in System32 directory
        
        PID:7044
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        176⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        177⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        178⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        179⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        180⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        181⤵
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        182⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        183⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        184⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        185⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        186⤵
        Drops file in System32 directory
        
        PID:7148
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        187⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        188⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        189⤵
        Drops file in System32 directory
        
        PID:6596
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        190⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        192⤵
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        194⤵
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        196⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        197⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        198⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        199⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7336
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        201⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        202⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        203⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        204⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        205⤵
        Drops file in System32 directory
        
        PID:7540
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        206⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7628
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        208⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        209⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        210⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        211⤵
        Drops file in System32 directory
        
        PID:7800
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        212⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        213⤵
        Drops file in System32 directory
        
        PID:7888
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7928
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        215⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        216⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        217⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        218⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8132
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        220⤵
        Drops file in System32 directory
        
        PID:8184
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        221⤵
        Drops file in System32 directory
        
        PID:7208
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        222⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        223⤵
        Modifies registry class
        
        PID:7364
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        224⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        225⤵
        Drops file in System32 directory
        
        PID:7536
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        226⤵
        Modifies registry class
        
        PID:7524
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        227⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        228⤵
        Modifies registry class
        
        PID:7740
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7816
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        230⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        231⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        232⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        233⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        234⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        235⤵
        Drops file in System32 directory
        
        PID:7268
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7384
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        237⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        238⤵
        Modifies registry class
        
        PID:7680
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        239⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        240⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        241⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        242⤵
        Drops file in System32 directory
        
        PID:8004
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        243⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        244⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        245⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        246⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7808
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        248⤵
        Modifies registry class
        
        PID:7300
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        249⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        250⤵
        Drops file in System32 directory
        
        PID:7576
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        251⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7660
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        253⤵
        Drops file in System32 directory
        
        PID:7948
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        254⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        255⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        256⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        257⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        258⤵
        Modifies registry class
        
        PID:7624
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        259⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7432
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        260⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        261⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        262⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        263⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        264⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        265⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        266⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        267⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        268⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        269⤵
        Drops file in System32 directory
        
        PID:8516
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        270⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        271⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        272⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        273⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        274⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8764
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8812
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        277⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        278⤵
        Modifies registry class
        
        PID:8896
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        279⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8976
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        281⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        282⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        283⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        284⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        285⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        286⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        287⤵
        Modifies registry class
        
        PID:8244
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        288⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        289⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        290⤵
        Drops file in System32 directory
        
        PID:8460
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        291⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        292⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        293⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        294⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        295⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        296⤵
        Modifies registry class
        
        PID:8892
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        297⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8960
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        298⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        299⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9092
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        300⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        301⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        302⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        303⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        304⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        305⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8672
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        306⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        307⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        308⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        309⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9208
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        310⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        311⤵
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        312⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        313⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        314⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:9008
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        315⤵
        Modifies registry class
        
        PID:8808
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        316⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        317⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        318⤵
        Modifies registry class
        
        PID:8924
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        319⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        320⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        321⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        322⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        323⤵
        
        PID:768
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        324⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        325⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9268
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        326⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9312
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        327⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        328⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        329⤵
        Drops file in System32 directory
        
        PID:9432
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        330⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        331⤵
        Drops file in System32 directory
        
        PID:9520
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        332⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:9556
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        333⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        334⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9652
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        335⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9696
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        336⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        337⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        338⤵
        Drops file in System32 directory
        
        PID:9820
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        339⤵
        
        PID:9868
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        340⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        341⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        342⤵
        Drops file in System32 directory
        
        PID:10000
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        343⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        344⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10080
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        345⤵
        Modifies registry class
        
        PID:10124
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        346⤵
        Modifies registry class
        
        PID:10168
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        347⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10208
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        348⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9220
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        349⤵
        Drops file in System32 directory
        
        PID:9296
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        350⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        351⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        352⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        353⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        354⤵
        Modifies registry class
        
        PID:9644
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        355⤵
        Modifies registry class
        
        PID:9692
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        356⤵
        Drops file in System32 directory
        
        PID:9764
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        357⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        358⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        359⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9992
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        360⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        361⤵
        Drops file in System32 directory
        
        PID:10120
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        362⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        363⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        364⤵
        
        PID:9340
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        365⤵
        Drops file in System32 directory
        
        PID:9452
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        366⤵
        Drops file in System32 directory
        
        PID:9552
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        367⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9664
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        368⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        369⤵
        Drops file in System32 directory
        
        PID:9892
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        370⤵
        Modifies registry class
        
        PID:9976
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        371⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        372⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        373⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        374⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9516
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        375⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        376⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        377⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:10068
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        378⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        379⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        380⤵
        Drops file in System32 directory
        
        PID:9888
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        381⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        382⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        383⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        384⤵
        Modifies registry class
        
        PID:9596
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        385⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        386⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        387⤵
        Modifies registry class
        
        PID:10264
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        388⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:10304
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        389⤵
        Drops file in System32 directory
        
        PID:10340
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        390⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        391⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        392⤵
        Modifies registry class
        
        PID:10472
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        393⤵
        Modifies registry class
        
        PID:10516
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        394⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        395⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        396⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10648 -s 404
        397⤵
        Program crash
        
        PID:10752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 10648 -ip 10648
1⤵
PID:10728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adcmmeog.exe

Filesize
77KB

MD5
bc5728785e63e11a17a642a7f2befd3a

SHA1
45ff78a5540babb6cb2bee6270a759a100789bfc

SHA256
eea6e7800bde873b07525bbf180bcfce950ac13d92d6420726c7fce24fb7efee

SHA512
a55aec6a7c02f6041d2784612f956eb6e32bbd7cbfe8a51e048e8919ca581af87e3ec9c6bf95ce9527a46610ad367ad1b8fae1fd0deff5e8b2e2a8744a0e08c8

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
77KB

MD5
eec23d1aea7509cce6681b1d7279321b

SHA1
6ba8c8ca2a381ca21a19f049fda696d0b7a96e62

SHA256
38607d7bffacbf77978b99839786672238d38bcb821dca62e38f370849310865

SHA512
68d79320ea540f53539f93eded7f0c4bdc37fc52ad28d535c4418e93d77cb064dd080b4a828eb25b76c6a6bbe47dd7f8e171f3008b012d8428d28444038efa9f

Download Submit
C:\Windows\SysWOW64\Balfaiil.exe

Filesize
77KB

MD5
e4924dd96ed5a34a81f0e1b80de9934d

SHA1
17684d4ca1327c08f4d28e3a87bbfdc441a625e9

SHA256
d72ba0f6d547c706d0d4dd7561f7b284f2c1dd8857a1075892d29ade8933d331

SHA512
6f9259b39340b1c60db0f24bd569bb2dd7fbbeeccf576212345d80a32271355ed01ed58f58b35cbc3d81b1ff8dd9508121f626d2e040392bb5562ae349c35d47

Download Submit
C:\Windows\SysWOW64\Bdhfhe32.exe

Filesize
77KB

MD5
82cc36f82886414d52228a04e29e96ac

SHA1
b1dc2ba662e9472e2def4f9e5a096369f7add05e

SHA256
bd300a69d13bb736ed84013f0d741d89b07bf3126125e9369583d555e133218c

SHA512
993e36d47cd7715a4d6fad745c2617a2efbafff47e57b4920e73b726fea0bea327779254c5616d7bb1d87b6e5ee5adccd452ebea2bc385e80838c6b010bad566

Download Submit
C:\Windows\SysWOW64\Bdolhc32.exe

Filesize
77KB

MD5
b4ffa0260948de96f98ff0e5e87848d6

SHA1
7f3f22c2077c0f6cf58615f21c3b417254f0eca5

SHA256
a8f165cd2aa9678cf9b0f77251f724cc51366648c522ac8e1f2bcf39e1e62958

SHA512
e27d550bff5cdd362102bbc69cf84bbff74052156fe3b9db85c30c64eb9bc3e7f689d721ff176b3e8f7a8254e4185bc78b49a02960b3ca668a42fb62c1434949

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
77KB

MD5
dc83c026d39eac203d6663e6f6db47f4

SHA1
5e5aff1c8230e95256c3f97f3aee7f145e5fefe3

SHA256
b6703f5ed114a66d8488ac182872aabe6cd3861fb1178ce6fd0a9aeb2c70ca56

SHA512
d7687e45b676753810f2cdaf452dbcbb20223ed1ef148e649cf28f76c806ec4be3daf12ca0d79932fd9a72fbb1b43290a54d86825b298e23ae9a051cbf873eb4

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
77KB

MD5
e5e1a0f98040bf257bd5995353893739

SHA1
9da1b773716e5c12ff596a264ecad9f514d51eba

SHA256
99dd6bc15283effcdd39e662cd85d5c19d435ee723c04e46da88f6d20e4daf64

SHA512
67ec0aafe8c4234ed05c6253e591211dbace0b44460c8019f2a80113ebe6f2c64e04689db98637d15feb408902f2c4750300cfa0527cc91b5d8487ab1a629690

Download Submit
C:\Windows\SysWOW64\Cbefaj32.exe

Filesize
77KB

MD5
0d79e9649b26fa54d252dd8714c954f2

SHA1
0d64b5ef09ed0e66b2d12e49bd3b5e1acc1d8a3b

SHA256
b2dcc9ba2713a01f47ddb2206c548ac3a62443e9658d3589eb7535aee7503fa4

SHA512
9175864b8f35abf0545130a9401d59c0803881b86dd11d3820b650f4d0735d0411f5d0e2ac97f7404a53657c5811121d56367bbdc8092be82a5ae71edbe419d5

Download Submit
C:\Windows\SysWOW64\Chdkoa32.exe

Filesize
77KB

MD5
c47ae49e943a00d8bb8d72b2d2ff13a2

SHA1
28067ed3794338028878ab3f0a568a88922a1840

SHA256
728f100f15afaee17ecf9c37c028a239226296601a82f9f7158f375cc78cca16

SHA512
081470874f1a289c837ea1fb91c77befccbce794bd2408d1ea735072922863755591634226bb963fefb0d35887947dc91c5f01e557686da56d417abc709f1e70

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
77KB

MD5
582617d0c6efb8fd452e7ea282d46e7a

SHA1
55186876b83e890208136226e1baedfd2569ec4d

SHA256
ea096ec863aba0dcf5b7d25c8dc49fd51229f55d2ac9d80f8a0afc19fbcd6742

SHA512
516376deea978052561a205d81a53fc306f537242d3e42402edf454d14bcbbaa622650c1e982dbfd8f7c37a2ca0d637662cb9150228b2ac7fbdaca3ca634b92c

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
77KB

MD5
c5690943c1c7c1aa636ff22de75d450a

SHA1
de4ea07e95b9bfc8ef99ba2e68808c36ec2eff71

SHA256
280873705c2c88220d1b479177f59220293ff7b8111570d91fa8e4b77cf7ce53

SHA512
c06e13142246a16ee1a10c485ae263d6ddee24cd4cec7825a81d58968ec88373bbe93c0c8571a4c155347b046b900120243fa4ed5b27d10788bd79d457689ca9

Download Submit
C:\Windows\SysWOW64\Dahode32.exe

Filesize
77KB

MD5
202db74a995d0deff5a48932079b9281

SHA1
1d1c04dfd63dc9755085f8e57712eef678870acd

SHA256
5da1445207f434225ed8340229b5ca79148d0e3f5531773bc8d0556350d1ae0f

SHA512
9f7421a8925747cfe5b3033cb31830f04fe73447965c165d27a5aa15de36e2b0eb13de2267728d54f5ef1374694d189f256a22ec1443e545ddcddc4ccd66b2fd

Download Submit
C:\Windows\SysWOW64\Dhbgqohi.exe

Filesize
77KB

MD5
52d981bff7ed7a11f70f24326e2f27fa

SHA1
e9197bbe3b08c9c39c8424ae0a083490a6ab8b57

SHA256
7cfd8b799585597875d869d520f053b21034d3dfe5425e3f10ed925c5cf09230

SHA512
bc8ee9def3cfa3e0be90e5d9c2ca9a5058cc4267fd7803b05ec84c42c4f0af16c616d8f4b698d5bfc3233acebc6a33bb3315de175ea45e6b1f5c001dee54475d

Download Submit
C:\Windows\SysWOW64\Dhpjkojk.exe

Filesize
77KB

MD5
442ea92ac3fcf9f088dc9915fc305a9e

SHA1
f252da69ff915a4c6a805dabf1c854160f8c90db

SHA256
d24bf8e2f45dc4a04ada9f68e6213512b5a6c642983ef1d644b15e56c93bf030

SHA512
86b547dcec8da9ba787aff41da6b1bedb54ed52043b371bf0de2b8c485d19d054ff1caec9be7b7c6e2c97dc4882c1f699401a18f84ab9bfb3d3c8150cbc979af

Download Submit
C:\Windows\SysWOW64\Dkgqfl32.exe

Filesize
77KB

MD5
befbc9a7367e5f12a00121895d8cc7ed

SHA1
c558447f96389b638965fea70b68ada96cd897a0

SHA256
68b3ca02a9f3119b083e6c00d20aa1fe44b733eb9eff556009f4bc427c271a18

SHA512
ff030324adab88635b2ea3a535d29c298b4064b0dfacd9e63785440a9867d40587f4096e99e4856ac9bb2950942f4410effa023fc89c66555e00590d4c1b2b6f

Download Submit
C:\Windows\SysWOW64\Eaklidoi.exe

Filesize
77KB

MD5
5a9c4c0f199fea7ea6f0e7052b48bf89

SHA1
9a4f845b627da58912ec4ee38195980f9bcd5e13

SHA256
7323f587d7f9ced9d791a32796666acc387d8aaf20fa720f3b3a3942e966201c

SHA512
b99b3762433c92cacb4af86c097d2179574ac315657e2a6c407d385f686ed35fd76c48baa25b5ba94fa7a91fddaa68a7efcb78c50e91ddeb86d18a3d263172e8

Download Submit
C:\Windows\SysWOW64\Elppfmoo.exe

Filesize
77KB

MD5
c8713d097f89466f009c4e5313e1dd59

SHA1
764cd0714aaccbe21ac1c2eb63a5c705c71c730c

SHA256
755c6a738e068abc0e12a324c4b1bbafeb1b7dc4928e5a1371362c692efc8cad

SHA512
ef3cbd93b14f0bc8482d141f365a39bfc98ca3815393ad023580a2cfbe7fc8d976697c6c9718dcc530b4c175cb257c5f1c01eaa1552ac185ad2c34a3bf524754

Download Submit
C:\Windows\SysWOW64\Eolpmi32.exe

Filesize
77KB

MD5
191b2f8361867a53cedb788d0a9f0506

SHA1
53e5c1f92b917b9a711f25debdbced24dddbacbd

SHA256
21cd790713ab02ac388f72d9dc4b9e939d55eb43592aec5da84be322e8018d10

SHA512
e8c50928927e724bf8c50419f4688a09b6130758112e4bc199dc6121828e0eafa5e2b58bd2d7291819f6fa29f02b1df508825413544e339812bfabc031697636

Download Submit
C:\Windows\SysWOW64\Gokdeeec.exe

Filesize
77KB

MD5
a2cebe2ca5fcb1077fd4c42aad92b122

SHA1
4ec3261d859443718526e81bd972739716f54b99

SHA256
1610bc8a18beaec0ec6e02e383f6f7bd1899ecb95187debcbe849c99cf6d40a7

SHA512
8319f95d5f7a221391025f6421c673e2846f46cc43cb0db6bf4fa58a3c0c4845400bcfb25bbe1e3832c3c14e87592ed44a06ed3a18e784bd4cd1dd55e14c4314

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
77KB

MD5
1f95669f9e84a482715118de7e041480

SHA1
a11c58cec59ded4f5e5f1fc9272128c9ff22ae88

SHA256
9f607a93fce587228dae384298475c5198575b7bc0ac06ef19f24f4d52c4b7f8

SHA512
345968ac40722f28c337419edc44ec3e6e48c6008cd2bb4a59724da5982e81c096f954f65c1c7bd164b020361f6fe0b7f28e640a79b59904027ceac425e804ad

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
77KB

MD5
63ae4b51e329ce07148ea6f048411709

SHA1
a12710735df243dac5fdff31182bdd4f0e45fa28

SHA256
7ced9d69f9126ba747d161b27abea54371e1aa12311354d1c2946fb658f8774f

SHA512
56479b24043162063d7da4fb72dea972e7e296d0b6cfdd629e8dcda8ba6c46c9013bdc38d196313dcc8ed6ee8858f5e93ca729fa8a52137f631066b74d9e9106

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
77KB

MD5
a1633eea118db57e3c230b1232d9ca0e

SHA1
ddeb11e15185628b62bbbf7a439bc0bcab8d7ce8

SHA256
91d08ed31d4e6150663f8f89f4985012436ecaf24e68a1cc63dbabdde2a10ba9

SHA512
19a9b40afd7b299de9c15e8ff0dea29a28aab840f465b01971f58519cffd7209a45fe3fcfd0d8e0d98c99972d5df538e6ea0a2e7698c78db92a6df0e94d38805

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
77KB

MD5
f0acc12ce930ab82c5c03db0b2743e9b

SHA1
52afbf3142e7fe7c39d78f73559a2b78c8f23a53

SHA256
db332ffe07d1dc9a1c19706278e6b94a439282ede2bc74f82d5c41c8d91db869

SHA512
ece3994f567ef73dcbe30454f93b1ccddd6feaf5e832d5ae6e4335916c7fc9866e0cd5640d80d0769b2405377b9737cdcee84b0d6528d63d7f8ceacebd1e1919

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
77KB

MD5
a3c5b82b2ea9b478ea0bfe7a7dc28fef

SHA1
aded801460c8dc6a2180a4d0d62c3654dd434b15

SHA256
563c4e8a06d76dbec29b88fa8a0843c211803b720c733a136a67184b71a2a8a2

SHA512
03a61e95c103b4b4a69df84ffe85bf19ac74e86a15cea08a65e569382164c6d94b5843d2e90c82dc8791cc328f9736ae0551f0618f1a5a0badcb721da8872554

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
77KB

MD5
faaac9405b2825c8ed4dd4000cf5da73

SHA1
991857f545e93b546f8d048ca845244539e38118

SHA256
304c86b0fa9ecea300235f1fb1c84aa0e9dfea467fb4270c2d684fba39d07b68

SHA512
bd8f78ae048e0048b051ce35ab176d17998a9b8c0619f906ea0ba5c165d2602b9bfafbe0ec469423a294c449a171c82d90a865eb5e2904e7359fb01e3ad7ec5c

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
77KB

MD5
e14300ec498b9970f7ef8ce925873184

SHA1
72ca3c7f6d664440a556c56fa720bc2e37139441

SHA256
b05dcdc1a54ea2d804640ac18c5609c0a3a5dfd2e6f46356302c3cc11d2ddfc4

SHA512
fa2f9434a398482914599a086a8699c44e5696700ea45141f945c70c04cf89d8ea3dc58a3f5677ca4e4a5ddfb4e1182c554cea7753a1085d06bd7e69d71a05af

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
77KB

MD5
82c1f48b50429af64138d94ab0f3f2f7

SHA1
1ef8264b7969186aab88637abc99d3b70bf0c2b9

SHA256
42b9e74fe1eb209bdb234a16420f7efe5f631727a645b99f0b4d57d5d0101956

SHA512
450894c3916b4b3cec21bea7317613c790146ac5203503044ffac673ccf0ef2f4c1cb171be1922393de27cba359e1df9f37c88010ea333acaae2c1067d936da9

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
77KB

MD5
2992b44b803a91c8246d0862ef68e7eb

SHA1
41404f4293d075e66e5362076802ae4e4c5952a8

SHA256
6038913ac14e6ef5ea9a201e5456605fb14dfb43a28304c72b76580fc0c3418f

SHA512
ee5aba0232d756a51d96455203da8a65d397d3ae355d95f4ef3642c40050a0a547a87b7e919e5c1b431115e644c04601319580984e75d422f315ab54d521fd2e

Download Submit
C:\Windows\SysWOW64\Ocgdji32.exe

Filesize
77KB

MD5
931ff5f9d47cf58390a7c8adc7c6514c

SHA1
293d25daea8392b011dd8056c039636978075168

SHA256
61aacc1b95dad95bd9b20d5d6ba17bb6151a303173a0ab64aad6eac44f79331b

SHA512
d627c130d745796e4cc457c34f92b5de285969c7663435302e32aaa48c0bd810b575e01b5357c959dc422c85d98ac1d6bebad57d9ed9c9e22c49c7e24a1815b4

Download Submit
C:\Windows\SysWOW64\Odpjcm32.exe

Filesize
77KB

MD5
9d8d14309200e84fdb0cf6ebad1afd83

SHA1
dac2aee76fef35174dced4c22eb817186c7b0de7

SHA256
182d4f8ab151b90d66d31e45c4f6860216f3acc0a59a352a72fa5daca0a693d5

SHA512
58d4d64453d0c8a0a76c8afe62d4b5e5bdc945c04cf3c1816eaa34e0a5eb5f24b2b058b2cd15d9bde944765239c92cad054eecaf53fc65b829fd783305194c39

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
77KB

MD5
f4e4027ad8bc4726c8139952fa24fd27

SHA1
5a864d2c90e6538922e5766fcc615b8a21199b0e

SHA256
7e790acb23a1fbbcace5723b70cd53aa39d2876352815f85541635f2c9bde6ec

SHA512
9443e65f0a631209a2db87f07bb07863753aab47211db399d89ef6d151191510afe03f20405ac18c269e03720ee30b71050b919ac68af8ebf7992f98ce48083b

Download Submit
C:\Windows\SysWOW64\Ogcpjhoq.exe

Filesize
77KB

MD5
1760718fc8930591530f342414434e09

SHA1
6593d34a6b6af1fad7a03e4eb3de55bdd3a59b75

SHA256
5923cf45b87cd823a7ca542b775ee72c8cb477f02766a50c9afddb65ba86ef1c

SHA512
3fe03f5130f2d5bdc214ef62b210deb6decfae61d618510f3526a818e669768f01f453f7ea078be96bc9236e92ad7dce94819454d048d16c64c31625118fc815

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
77KB

MD5
bf1c3d90d433b1ce1958e630051716ec

SHA1
78b4387610ec2f61d02497a787e9d4e6d5ea6e8d

SHA256
f284f5c077b90cf223a1351c936efec97e65472fb283c525c2f24476eec349f5

SHA512
2b0f0c7846a417c28159abdb18d1b639f21f5a3c037315d267ab4394565d637222e50baedf039e35c20a614b67177acc51ac6d410e45dcaab575aefa6df44f12

Download Submit
C:\Windows\SysWOW64\Okeieh32.exe

Filesize
77KB

MD5
e93165d2b3ce58ceb979a1124c8afcee

SHA1
53d0090bb31b162eaa7517cd98d7e0a66f6bd109

SHA256
fbc7b9c6a684d1f628e8573f1567b1fb38a8be2be93a8ba1948285db67915a27

SHA512
cb7bd201bdaf22385dfa4018855751834b1a8609034d4faaaae916b739f8e0adfed007ef081132e5bdbf0352bbf9ed3e1ffb741b0dbf8535719123826bfffc05

Download Submit
C:\Windows\SysWOW64\Okhfjh32.exe

Filesize
77KB

MD5
85fa1852ec2acca7c02c610aa4a76cf3

SHA1
bd47292811dd1e7a1fde2c221198b7172c7c5d91

SHA256
0bc44f55b4418550cf874e68332b2a31c8350abdc4c6dd903034bc14cf120ea4

SHA512
0cda3c2ec61901d17de12654291487d6df903ee87deacd6ab56c2b9bdfa0d4ebc75743e100c765f9cc033d137072d7206464340ea3157599167a706209fca051

Download Submit
C:\Windows\SysWOW64\Okjbpglo.exe

Filesize
77KB

MD5
402af6674902364a71c5041bd6b57d7e

SHA1
131d201affe1b4baccb055bc22b7637328592a21

SHA256
cf1d8d22b2288628ff306441e0578dbede59ef03b833df9dd257b2f14c2d1903

SHA512
eef980f468019f7ebc36eba0ad61df325f539f4c086aa6e42f46d2007de9e077982ba3947fb275d7e5cd8646e9e2542cde4804652ae47cd66b31ff5acbbe4d40

Download Submit
C:\Windows\SysWOW64\Okloegjl.exe

Filesize
77KB

MD5
1fcda688f5f090fd85a8e6d0fbb7178f

SHA1
3f58a7065907d6a31c4f1208728e322cbaf80d6a

SHA256
e4d911048d63cf1eff76209882f3cad25a6d3775322f175a12740c7f8bcc24e6

SHA512
27da9e8302623be22105d4f5455d1ba0377dd243e0e379423d73d5f590ced716a6cd9b5f7931f1faa07b21a222bee1d08cff732c5c485f102f9e3a9ddabb1e63

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
77KB

MD5
9bfba947e8dcd63fef4fb1fd7161ed00

SHA1
c57c1ca08c443fcaf1035f17e11e8e3bcd908f82

SHA256
4539d8dea383e6562b969e8d1201bcecab0ce23c59d3b51d767bdc7cfd1853ee

SHA512
26a9687a80189f6dd0529c71e5fa7fe5d00bfcf814907e8730754c0c6cad31a458506e6bb8e4e4ccab8b3f1675abc7c80203b0f44222f281201486048425f3a7

Download Submit
C:\Windows\SysWOW64\Onmhgb32.exe

Filesize
77KB

MD5
68f4195598b00e94dbcf4c7d8c9b0df9

SHA1
252fbf4e7865486927d9e78bfe9a2d31a6854dcd

SHA256
3d24c614d52294b163bf84df3663bcb3e21644a06b4b5b46e437f0ba8f8a96bb

SHA512
7d3e5ba269e7dc0e868c5e1ed4c66a63f00d35da0a973d242eac1607d66351c96cc73ad89cda0cbef8d2ee50f2d1ed0f3754dedcb117e23d92924985d2de8445

Download Submit
C:\Windows\SysWOW64\Oqbamo32.exe

Filesize
77KB

MD5
f7f41576fc465760518752c2c1e80228

SHA1
def4f31b8a426058c92488cdae0db1173857f12e

SHA256
ac7d77158333deb2b97c6059e24bae524a57248ee15d4f93a504a44bc7897a4d

SHA512
a632c02eacaf4504a278b6ef96969de03f1d81db31abc73e75d95583e11fc851bf3bdcf070641435a4c6c27bf33bccf27ae81ba6ee2446adeccc269a41845611

Download Submit
C:\Windows\SysWOW64\Oqdoboli.exe

Filesize
77KB

MD5
f7bcd416bf15c573c072bd5059482baa

SHA1
82aa0234a1392fead70c24ff82a6ae179ac9a0eb

SHA256
73a06ba6e1337d7206737b82710dcc362c9adf4df0e6c7e39f015626d09b8aa7

SHA512
4ba504e735790a329322a281213b418015f4aa50476c8708d52f9a1c9be3902386a5d1af14603d72c2466d4af61ce6b9f2bdc599e4c671624ff1c8a6a6008020

Download Submit
C:\Windows\SysWOW64\Oqgkhnjf.exe

Filesize
77KB

MD5
ce0c2fb93ce3f8b3c013d5b772d68595

SHA1
19d50d2ddb82fadc8fa99a2219496cbadda7e780

SHA256
90cf41724d399a7d3a943a763715f340db497a7bec3ce3c2c7f600510927aca4

SHA512
0e9bd28aa919407da14b7e20694cb7cb051bd7df90dab60a25fd899a59097a088a76c74051df20b763217a17f807a4cae67a06ca1847a1ecaaa00ce3c009c859

Download Submit
C:\Windows\SysWOW64\Oqihnn32.exe

Filesize
77KB

MD5
f8e323b265487f50b8180b0a6cda3b30

SHA1
028355c6156f04897d65099e534ce7abf5f47136

SHA256
295d173ce5fd672a9026ed188571fca2bdc111a2483631d60cbe33e14fb5b3bb

SHA512
d8396cfbaa4f007fddba83c7cff556c3ccf0f86566879c04ba7d95f08144a00bfec098b3697ca3126318e692270830ae7ad8b2d5f8eeacc350eadc8acc94f08f

Download Submit
C:\Windows\SysWOW64\Oqkdcn32.exe

Filesize
77KB

MD5
93492e237064f9d4a4b50cf5701a746d

SHA1
0643d15991f9f49c4b30e60ed5bd713fa2736841

SHA256
90a1a233d0b47f7c5507e91b3c1d7ae40b152b0a7490fbd351145acf49c0b71f

SHA512
96dcde3caae104c9a1ad67037b7d49455ec464dc0e6e79bd9e711d0c8a0ba9805711adaaa4ee2855e60bc179e03d6ec7e635e3a75e0dd52972b658210b0a22b1

Download Submit
C:\Windows\SysWOW64\Paegjl32.exe

Filesize
77KB

MD5
95d75e53d38d9304acbc4ff5afba3dc6

SHA1
be643c7168b798208695f2a1141cd1bf084f3e95

SHA256
bbae2e700f30f022d6efa5c8f7d0966cbb66b1db6af7b458b0b4ab072e0cf493

SHA512
d9228252ca67f174b5f2d77020001e2e1f9ad1cd70ac949a0ba3f407e822a20b8e6455c1420b3c17f9429231c16041e2ceb7dd55b6bc1cf01a5f69e68420636f

Download Submit
C:\Windows\SysWOW64\Pbddcoei.exe

Filesize
77KB

MD5
70cf45b86a9848aabbcc74d0144ca3a4

SHA1
3dd19b7b9d31ca7301688373e7e60634dcb1668a

SHA256
5b8a3c4b37b9ec045ce5c945b9e3869e7179e1ca304ca6684789f333d0c20715

SHA512
d7b6f88629295432407f803bbe7c932f4b61b9a9f9c8d5900b6431df4b3b34e1334a6690416bd6705568f0518d558aff79229fd774c22ae9c10839f7a586105b

Download Submit
C:\Windows\SysWOW64\Pbkamqmd.exe

Filesize
77KB

MD5
34a936bd8782d39acf48a5b54eee2115

SHA1
82de9bc5d280857c2cf359c8760cadf6f2ee44cc

SHA256
c90278b987545e2db705b260fbef7fb4142165196aa7e479c88d3a2e2df54a8c

SHA512
8b8453dde5fa74abafcca8ab2aad1b4fece12a8b97309c07a05850344f8e9101390600327294060d5496f697d9dd751a3bd266f00f1e442c00ace46cdec74c8d

Download Submit
C:\Windows\SysWOW64\Pbpjhp32.exe

Filesize
77KB

MD5
2489a75c55d8a56ac7b3aa1ba222cd55

SHA1
33f0bad6753a904ea304bd3c54452f6ccb22269f

SHA256
670af02acea76497f2ac1ab0c64836f4b1edfabc486a1052a08b630f0bacab87

SHA512
e1e124974b82d4e6dea5135897fee97e5c741ebdd474b840179f41b2279bf8919c04aa6c1a7a9a1570ef41955ff9a88e05c9600574462c1e6cc43bdeeaccd444

Download Submit
C:\Windows\SysWOW64\Pcojkhap.exe

Filesize
77KB

MD5
3070efb36b6596419e2f98dd9227a15d

SHA1
39d3299ca2886be89f450c060eb67f7c187e0443

SHA256
628cbd67a39a38d405248f02f18bc6a9e357e0e59e76ce2f7b26eba99ac9c0c5

SHA512
1ea12b0e2b98b2f7b12ab40c91b4650b78341f24a49871feee3e03004ffd4d84829fc2b44b81eeea6bcb92d0b3e77a637b58702966f27b9a57aeff6cc4a725e8

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
77KB

MD5
8fef296ac312488e2a7f898647f63826

SHA1
5967af744fc8e10c927427f54a27ba2c33150c30

SHA256
a4172135dbd0259513916daae79782caa4624f5e9d4aa1416860581a08ce2b2d

SHA512
fed9a2da395fba14702b8946163552d34e8ae9916a5570af45fd15af44092a850cd8cdc44296e58fe59cd0d0a46300470b50b0d5ed82f8654bd4d066e0673584

Download Submit
C:\Windows\SysWOW64\Peimil32.exe

Filesize
77KB

MD5
a05f3d07aa3364e327294191ac83a0a3

SHA1
deeb1a3cb27dcda7eedae9a107a360e2cabd4cfd

SHA256
9b8dd652c6d43842800006a37cd2804564ceb106525dd469b68e5138804856f2

SHA512
fbcd3c9860edf896b85c88c8ef966e4c32e62b647db8efa86dff4a58f36bc06f1e04e467411f1150357c9f8cf501202384d779a322b1917ba991eb83d9a62054

Download Submit
C:\Windows\SysWOW64\Pgmcqggf.exe

Filesize
77KB

MD5
861fe0cd0a70211e9a29c8d4678af778

SHA1
4d5df910fa45bea1221b14ccdfad2ff7e8941682

SHA256
e1e91d6532ea25b42ab66cf028ab799f3dea0a2a86f5982de145b2b2a223ccb5

SHA512
a6a3b6ac675564139c1cb558805b422dbdd633d0449fade94c07cb59501395c455c78934c84b8265639b80867e967fa3428b0299ededcd753e5461ec4574dc12

Download Submit
C:\Windows\SysWOW64\Pgopffec.exe

Filesize
77KB

MD5
66be650bd6e981e320641a0362755d42

SHA1
6893f2fb34bddbdd4199db567fc11e708bcb6166

SHA256
2a100318a68286fac3a95a13b188e5b0b3d11127ef62e17561b973a6571673a7

SHA512
d1eaa0b9f39534df45b169d7904cc49fb646d86205d06c19ece49de5c4d525e0c67b30ab2b27bbaecb8f917600f29c3bc15f8e2d19af4f4260dbf51e3d5d8ae7

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
77KB

MD5
bb8fa040c6738c213b94f0ccdf523753

SHA1
e50d5b24a97282996022c2cedc29d2870fd70c04

SHA256
a89257766c6ea6aab364ff3ede9c776c4763699ad2139808069deb0c832b2380

SHA512
ea9d0d8e561064ec36ec10e62804f98723014b7b8177d8724c95fe89c77e38469862332605058e99e3a3a1bc9d7bcf5e208e89ca13977596f1cdc00e76ea6c52

Download Submit
C:\Windows\SysWOW64\Pjkombfj.exe

Filesize
77KB

MD5
69ad99e33848c86f7fafc375bcbdd731

SHA1
6373b13d2aa0be80d9aafa9c70be53adb69adaae

SHA256
04528677148d30c15f18463b7c967a89482e39ee52e470faa4c00bf1aa7e4a9f

SHA512
e8c8430b45aef94ec6dabd42ff3373e4315505cb46cfa34854a05546ef233a58feb252090416cab9190827b9200de6547714601ef52d57579f188accf85f423b

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
77KB

MD5
1e9fea7de7c818f0e567e24031c7b1ad

SHA1
e9f6ce30188a8ad4b435ac2c24faf178d56a4b6a

SHA256
a623f18efa441df7b9af5e018f5ff6898d4ce0c13e01a14aee2fb665e056a8a8

SHA512
29cb3f29e52dd24a675bbe4cf109639aceae67429e9f01748a85ab3910591b33aa597b8b0a3b7e4befe4b8091284c420cf5ab48f6474b30a5675a1f0500e68d4

Download Submit
C:\Windows\SysWOW64\Pjmlbbdg.exe

Filesize
77KB

MD5
67feaaa718507c1c41d9b77425a09246

SHA1
315d1c2f4b6a3e731f47805062aec80c755197d3

SHA256
b54e8c383ecb9e860a9a84e8d56cd96d0f2aec2fd0b40a9be2225a7cdb2198ba

SHA512
812c4e020772a2a34ef8aa98096bca3fa5d2034b67168c21e28fbd38f18338f5cea4f5e5c9df24f88c85c6490e5e6a0a05c228efafde5b27956288262dadb334

Download Submit
C:\Windows\SysWOW64\Pkaiqf32.exe

Filesize
77KB

MD5
4efb0dada7f5a766dd152a9bd4f8fafc

SHA1
e472fecd59ece31cabbd3c8bcc2f3d6286577eac

SHA256
75b18b3bc44f66c916c628f5fc36951c86659257ae8cb57b2ac5727d6ca9e7cf

SHA512
408d155eae108b6bed617c1cc1e4d98c2a692053ca6da9e5505732b2cb603f66bb016839d1d29ef0f36f9ffce709ea2d9ffb5fcff6103766e2c90ff81ce2e187

Download Submit
C:\Windows\SysWOW64\Pkceffcd.exe

Filesize
77KB

MD5
d4a0333f1eb530630e2082f86b7eb561

SHA1
b39ac84462ddb23030a4d30c7c11124c56d748b9

SHA256
aa71c8a733cb593844d44784e2bb51269082afff993e874fbe263415bb911a7b

SHA512
80eea740239c14dc58a76fa871814a27a220d968a05bbf0cbb7d84441561377a61ad3db93d64909936207c068f6afe65dd09ebf80c7008787f4edea5d9a9a59b

Download Submit
C:\Windows\SysWOW64\Pkfblfab.exe

Filesize
77KB

MD5
d60077670f585acac67b0d13586220a9

SHA1
81f642020afdf05f838cea92a0069ebec1fdf893

SHA256
69651e1f74986fa9a5c08ed1fad84e9f6a80ef4220dd4dc678829ddcd76debb1

SHA512
d0b78c6cec18871ba297600ba1cc9cd09489dc8c748a2450055db5b1be7b1f73785db3dfd64b5826d5b17b2ec5a90fdef82df2ef5da8bc1c99c39c2bfc382fc9

Download Submit
C:\Windows\SysWOW64\Pnbbbabh.exe

Filesize
77KB

MD5
112cad70ddb13e123c9660d062a33168

SHA1
3699623061a1f92e549f3528352a485e171cc0ea

SHA256
e9cdff2dd3a600428c178f93d1d94e2d72965d4d67236b94179aa6916c18892f

SHA512
59df795576255a8a5ffc30d99ae4b83512c254163b2d702fe0770764648bc37ff51186a739f916fb20ca0b719988767d865f70179392acc37118be2d5b26f34d

Download Submit
C:\Windows\SysWOW64\Qbgqio32.exe

Filesize
77KB

MD5
482049ac6766650b182fe84a00fc9b04

SHA1
47e0e4f5d4f972d164051016169fa452faae8d92

SHA256
9289969adc65328a563539770fcf64436f930e647ec5eb1c2722cf286bcb0dc9

SHA512
546ed720a3b5676e9dfd964dcd1aa812ffe133ee4679dd14bb99812a92cacfe56cd0a131c9729fb2b20ddbc3aaab4a63199ea9547c22d55b9aee14582258912a

Download Submit
C:\Windows\SysWOW64\Qcepkg32.exe

Filesize
77KB

MD5
502804ad7fc66989318a2a475dfbcd16

SHA1
bc07ddfc7a88a61aa20246bb187ebfa7d06f81d1

SHA256
ab72177990b6de48f7f316d2e64e910f81b3cef3e8cf8fb13e5b248cd9193258

SHA512
014983f407acaea8460f22b7d798ff0466a62a47af6fa8460f6684c2c0843501f51abeef18d5e0d6959b9aff2c0b49a1cc323e3fb1731648271f1ab7a7adb96f

Download Submit
C:\Windows\SysWOW64\Qchmagie.exe

Filesize
77KB

MD5
b73dccd9ae4c43f148ff33a87b01d4b1

SHA1
ce4ac5c09cabd013abe37674d83b333f7bcf6eb4

SHA256
8303c7f04d5ca6c4b352779efde8ab1c7172f24c5d29d57dfa7d254560f777ee

SHA512
9b3f206bac5919d28df4be24030cf45d9a8db229f0ea22a4d99fe7e8c94169b867bfe2dc5cf2ec16e3d0076548fe0fad40699c9ff00d4e17dd43d32a6f7e8478

Download Submit
C:\Windows\SysWOW64\Qloebdig.exe

Filesize
77KB

MD5
b42212f013fbff91cb2096a049301c45

SHA1
8ec28e6da55fa4a011c3f0d022e6211c51dbdbff

SHA256
4e2a099bfafe92dc0cfb84ea301530520872f978820dc7481756103aa9866a7e

SHA512
ace53006175cfeaf8387efc4c7eb813566b99976785e2344336474d6d5a9a534082ab86e124db76f9b21e8b0ec71f6c0e0225d5610f8b16b2f1ce75a1af23e21

Download Submit
C:\Windows\SysWOW64\Qnkdhpjn.exe

Filesize
77KB

MD5
3185721c451b4bbae195fd30e25a86fd

SHA1
99cb89ff6e92bbea3c161d4b510df0f110d4b3b3

SHA256
c744601f4025ae90843bafc8cb16eccf5681a2023f40760f27c6413c0437bea5

SHA512
07f7d79809158d080e93180e2b1fcd226401cafad128a5a682f591e89bf1000fa891444ec1970829d91f0bda5b520c6de9a119a039d037d05d26f958cde99c58

Download Submit
memory/212-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/444-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/748-570-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/748-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/776-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/780-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/848-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/932-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1068-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1108-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1120-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1164-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1212-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1276-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1364-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1496-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1752-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1840-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2320-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2512-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-556-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-593-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3036-538-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3396-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3728-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3912-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4148-585-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-520-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4372-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4380-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4628-514-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4684-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4800-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-583-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-495-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5168-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5244-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads