1534087f0f44a98fdd377c6d78d07385b4acac94964114ac3dce65ec0f5a28f1

Analysis

max time kernel
139s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1534087f0f44a98fdd377c6d78d07385b4acac94964114ac3dce65ec0f5a28f1_NeikiAnalytics.exe
Size

713KB
MD5

42c01f4b6f22f05dd07c0d1a10887e60
SHA1

af3ed3e2963c1969b3923e934aa1968949d4b2e9
SHA256

1534087f0f44a98fdd377c6d78d07385b4acac94964114ac3dce65ec0f5a28f1
SHA512

30b062818900b4d344003e4f32bf897505e7faabad331a7e3f114d14f4d261a0024ddf8fc95a823455fc463da712a5aba793378bd002c82b12756591100aeeda
SSDEEP

12288:O7xHpvyvc6IveDVqvQ6IvTPh2kkkkK4kXkkkkkkkkl888888888888888888nusj:O75q5hPPh2kkkkK4kXkkkkkkkkH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogaceh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qchmagie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfgjgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjjhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnbbbabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfoiokfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikhfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfoiqll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehimanbq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdlnbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojmcld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adapgfqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doqpak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlncan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eabbjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qloebdig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agffge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkhdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdhfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dedkdcie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahhblemi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajneip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fljcmlfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adcmmeog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clbceo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iblfnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkhdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmacb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdkldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekjfcipa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqpego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcagphom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkidenlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe

Executes dropped EXE 64 IoCs

pid	Process
2952	Ngedij32.exe
4784	Njfmke32.exe
3992	Nqpego32.exe
2612	Ojhiqefo.exe
5036	Oboaabga.exe
812	Ocqnij32.exe
3688	Okhfjh32.exe
2008	Onfbfc32.exe
4668	Oqdoboli.exe
2940	Occkojkm.exe
5048	Ogogoi32.exe
3588	Ojmcld32.exe
4244	Obdkma32.exe
2540	Odbgim32.exe
2880	Ogaceh32.exe
4528	Okloegjl.exe
2284	Onklabip.exe
4936	Oqihnn32.exe
5108	Ocgdji32.exe
2988	Okolkg32.exe
3136	Ojalgcnd.exe
3668	Obidhaog.exe
1120	Odgqdlnj.exe
3364	Pcjapi32.exe
1104	Pkaiqf32.exe
1588	Pnpemb32.exe
4796	Pqnaim32.exe
4004	Peimil32.exe
2440	Pghieg32.exe
864	Pkceffcd.exe
2524	Pnbbbabh.exe
4888	Pbmncp32.exe
4952	Peljol32.exe
3912	Pcojkhap.exe
2928	Pgjfkg32.exe
3576	Pjhbgb32.exe
940	Pndohaqe.exe
116	Pcagphom.exe
1312	Pkhoae32.exe
4508	Pjkombfj.exe
2368	Pbbgnpgl.exe
2072	Paegjl32.exe
4388	Peqcjkfp.exe
2632	Pgopffec.exe
4632	Pkjlge32.exe
2348	Pnihcq32.exe
808	Pagdol32.exe
4812	Qcepkg32.exe
4168	Qgallfcq.exe
4716	Qjpiha32.exe
4656	Qbgqio32.exe
3108	Qajadlja.exe
4920	Qchmagie.exe
3252	Qloebdig.exe
2104	Qnnanphk.exe
544	Qalnjkgo.exe
3484	Aegikj32.exe
2712	Agffge32.exe
5080	Ajdbcano.exe
3164	Anpncp32.exe
4276	Aanjpk32.exe
3524	Acmflf32.exe
2920	Ahhblemi.exe
1204	Ajfoiqll.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Iikhfg32.exe	Icnpmp32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Onfbfc32.exe	Okhfjh32.exe
File opened for modification	C:\Windows\SysWOW64\Qchmagie.exe	Qajadlja.exe
File created	C:\Windows\SysWOW64\Aecqac32.dll	Cliaoq32.exe
File created	C:\Windows\SysWOW64\Jffldcca.dll	Dohfbj32.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Qnnanphk.exe	Qloebdig.exe
File created	C:\Windows\SysWOW64\Imoneg32.exe	Ibjjhn32.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Aolmfp32.dll	Pkceffcd.exe
File created	C:\Windows\SysWOW64\Jidklf32.exe	Jfeopj32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Pnihcq32.exe	Pkjlge32.exe
File created	C:\Windows\SysWOW64\Pghdbegp.dll	Ajiknpjj.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Cknnpm32.exe	Cddecc32.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Ojmcld32.exe	Ogogoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bdolhc32.exe	Baaplhef.exe
File created	C:\Windows\SysWOW64\Hflheb32.dll	Llgjjnlj.exe
File opened for modification	C:\Windows\SysWOW64\Hmabdibj.exe	Gfgjgo32.exe
File opened for modification	C:\Windows\SysWOW64\Lfhdlh32.exe	Llcpoo32.exe
File opened for modification	C:\Windows\SysWOW64\Ldoaklml.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	1534087f0f44a98fdd377c6d78d07385b4acac94964114ac3dce65ec0f5a28f1_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Dlncan32.exe	Dedkdcie.exe
File opened for modification	C:\Windows\SysWOW64\Ekemhj32.exe	Dlncan32.exe
File created	C:\Windows\SysWOW64\Bkomqm32.dll	Gcddpdpo.exe
File opened for modification	C:\Windows\SysWOW64\Jpnchp32.exe	Jidklf32.exe
File created	C:\Windows\SysWOW64\Llgjjnlj.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Deblhkch.dll	Njfmke32.exe
File created	C:\Windows\SysWOW64\Anmnemcc.dll	Acmflf32.exe
File created	C:\Windows\SysWOW64\Abngjnmo.exe	Ajfoiqll.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Peimil32.exe	Pqnaim32.exe
File opened for modification	C:\Windows\SysWOW64\Abpcon32.exe	Ajiknpjj.exe
File created	C:\Windows\SysWOW64\Lnaendmh.dll	Bbnpqk32.exe
File created	C:\Windows\SysWOW64\Kgllfjld.dll	Pjkombfj.exe
File created	C:\Windows\SysWOW64\Aelcfilb.exe	Abngjnmo.exe
File created	C:\Windows\SysWOW64\Jnmljl32.dll	Alhhhcal.exe
File created	C:\Windows\SysWOW64\Hbeqmoji.exe	Hofdacke.exe
File created	C:\Windows\SysWOW64\Inpocg32.dll	Kipkhdeq.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Odgqdlnj.exe	Obidhaog.exe
File opened for modification	C:\Windows\SysWOW64\Daaicfgd.exe	Docmgjhp.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Klgqcqkl.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Pgopffec.exe	Peqcjkfp.exe
File created	C:\Windows\SysWOW64\Qjpiha32.exe	Qgallfcq.exe
File opened for modification	C:\Windows\SysWOW64\Clbceo32.exe	Cdkldb32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Gicinj32.exe	Gcfqfc32.exe
File created	C:\Windows\SysWOW64\Kepelfam.exe	Kdnidn32.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Fgnjkdco.dll	Balfaiil.exe
File created	C:\Windows\SysWOW64\Kdnidn32.exe	Klgqcqkl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9616	9488	WerFault.exe	447

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdhfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkgqfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Peimil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjkombfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaepqjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacmah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkkojgao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balfaiil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfcibe32.dll"	Bhkhibmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pegplgln.dll"	Oqihnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agffge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajdbcano.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acocaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doqpak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flioncbc.dll"	Dbaemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okolkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Peqcjkfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhkhibmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcojkhap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkhdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adcmmeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olihhh32.dll"	Pqnaim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mipaiqmd.dll"	Qloebdig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hobkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dalchnkg.dll"	Onklabip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pndohaqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlgmpogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbohan32.dll"	Abemjmgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhcbhjlp.dll"	Dkgqfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeqmoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekcnknf.dll"	Pkjlge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdolhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkidenlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjakp32.dll"	Ahhblemi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 2952	576	1534087f0f44a98fdd377c6d78d07385b4acac94964114ac3dce65ec0f5a28f1_NeikiAnalytics.exe	83
PID 576 wrote to memory of 2952	576	1534087f0f44a98fdd377c6d78d07385b4acac94964114ac3dce65ec0f5a28f1_NeikiAnalytics.exe	83
PID 576 wrote to memory of 2952	576	1534087f0f44a98fdd377c6d78d07385b4acac94964114ac3dce65ec0f5a28f1_NeikiAnalytics.exe	83
PID 2952 wrote to memory of 4784	2952	Ngedij32.exe	84
PID 2952 wrote to memory of 4784	2952	Ngedij32.exe	84
PID 2952 wrote to memory of 4784	2952	Ngedij32.exe	84
PID 4784 wrote to memory of 3992	4784	Njfmke32.exe	85
PID 4784 wrote to memory of 3992	4784	Njfmke32.exe	85
PID 4784 wrote to memory of 3992	4784	Njfmke32.exe	85
PID 3992 wrote to memory of 2612	3992	Nqpego32.exe	86
PID 3992 wrote to memory of 2612	3992	Nqpego32.exe	86
PID 3992 wrote to memory of 2612	3992	Nqpego32.exe	86
PID 2612 wrote to memory of 5036	2612	Ojhiqefo.exe	87
PID 2612 wrote to memory of 5036	2612	Ojhiqefo.exe	87
PID 2612 wrote to memory of 5036	2612	Ojhiqefo.exe	87
PID 5036 wrote to memory of 812	5036	Oboaabga.exe	88
PID 5036 wrote to memory of 812	5036	Oboaabga.exe	88
PID 5036 wrote to memory of 812	5036	Oboaabga.exe	88
PID 812 wrote to memory of 3688	812	Ocqnij32.exe	89
PID 812 wrote to memory of 3688	812	Ocqnij32.exe	89
PID 812 wrote to memory of 3688	812	Ocqnij32.exe	89
PID 3688 wrote to memory of 2008	3688	Okhfjh32.exe	90
PID 3688 wrote to memory of 2008	3688	Okhfjh32.exe	90
PID 3688 wrote to memory of 2008	3688	Okhfjh32.exe	90
PID 2008 wrote to memory of 4668	2008	Onfbfc32.exe	91
PID 2008 wrote to memory of 4668	2008	Onfbfc32.exe	91
PID 2008 wrote to memory of 4668	2008	Onfbfc32.exe	91
PID 4668 wrote to memory of 2940	4668	Oqdoboli.exe	92
PID 4668 wrote to memory of 2940	4668	Oqdoboli.exe	92
PID 4668 wrote to memory of 2940	4668	Oqdoboli.exe	92
PID 2940 wrote to memory of 5048	2940	Occkojkm.exe	93
PID 2940 wrote to memory of 5048	2940	Occkojkm.exe	93
PID 2940 wrote to memory of 5048	2940	Occkojkm.exe	93
PID 5048 wrote to memory of 3588	5048	Ogogoi32.exe	94
PID 5048 wrote to memory of 3588	5048	Ogogoi32.exe	94
PID 5048 wrote to memory of 3588	5048	Ogogoi32.exe	94
PID 3588 wrote to memory of 4244	3588	Ojmcld32.exe	95
PID 3588 wrote to memory of 4244	3588	Ojmcld32.exe	95
PID 3588 wrote to memory of 4244	3588	Ojmcld32.exe	95
PID 4244 wrote to memory of 2540	4244	Obdkma32.exe	96
PID 4244 wrote to memory of 2540	4244	Obdkma32.exe	96
PID 4244 wrote to memory of 2540	4244	Obdkma32.exe	96
PID 2540 wrote to memory of 2880	2540	Odbgim32.exe	97
PID 2540 wrote to memory of 2880	2540	Odbgim32.exe	97
PID 2540 wrote to memory of 2880	2540	Odbgim32.exe	97
PID 2880 wrote to memory of 4528	2880	Ogaceh32.exe	98
PID 2880 wrote to memory of 4528	2880	Ogaceh32.exe	98
PID 2880 wrote to memory of 4528	2880	Ogaceh32.exe	98
PID 4528 wrote to memory of 2284	4528	Okloegjl.exe	99
PID 4528 wrote to memory of 2284	4528	Okloegjl.exe	99
PID 4528 wrote to memory of 2284	4528	Okloegjl.exe	99
PID 2284 wrote to memory of 4936	2284	Onklabip.exe	100
PID 2284 wrote to memory of 4936	2284	Onklabip.exe	100
PID 2284 wrote to memory of 4936	2284	Onklabip.exe	100
PID 4936 wrote to memory of 5108	4936	Oqihnn32.exe	101
PID 4936 wrote to memory of 5108	4936	Oqihnn32.exe	101
PID 4936 wrote to memory of 5108	4936	Oqihnn32.exe	101
PID 5108 wrote to memory of 2988	5108	Ocgdji32.exe	102
PID 5108 wrote to memory of 2988	5108	Ocgdji32.exe	102
PID 5108 wrote to memory of 2988	5108	Ocgdji32.exe	102
PID 2988 wrote to memory of 3136	2988	Okolkg32.exe	103
PID 2988 wrote to memory of 3136	2988	Okolkg32.exe	103
PID 2988 wrote to memory of 3136	2988	Okolkg32.exe	103
PID 3136 wrote to memory of 3668	3136	Ojalgcnd.exe	104

C:\Users\Admin\AppData\Local\Temp\1534087f0f44a98fdd377c6d78d07385b4acac94964114ac3dce65ec0f5a28f1_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1534087f0f44a98fdd377c6d78d07385b4acac94964114ac3dce65ec0f5a28f1_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\Ngedij32.exe
  C:\Windows\system32\Ngedij32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\Njfmke32.exe
    C:\Windows\system32\Njfmke32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\SysWOW64\Nqpego32.exe
      C:\Windows\system32\Nqpego32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Windows\SysWOW64\Ojhiqefo.exe
        
        C:\Windows\system32\Ojhiqefo.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\SysWOW64\Oboaabga.exe
        
        C:\Windows\system32\Oboaabga.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Ocqnij32.exe
        
        C:\Windows\system32\Ocqnij32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Okhfjh32.exe
        
        C:\Windows\system32\Okhfjh32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Onfbfc32.exe
        
        C:\Windows\system32\Onfbfc32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Oqdoboli.exe
        
        C:\Windows\system32\Oqdoboli.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Occkojkm.exe
        
        C:\Windows\system32\Occkojkm.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Ogogoi32.exe
        
        C:\Windows\system32\Ogogoi32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ojmcld32.exe
        
        C:\Windows\system32\Ojmcld32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Obdkma32.exe
        
        C:\Windows\system32\Obdkma32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Odbgim32.exe
        
        C:\Windows\system32\Odbgim32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Ogaceh32.exe
        
        C:\Windows\system32\Ogaceh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Okloegjl.exe
        
        C:\Windows\system32\Okloegjl.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Onklabip.exe
        
        C:\Windows\system32\Onklabip.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Oqihnn32.exe
        
        C:\Windows\system32\Oqihnn32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Ocgdji32.exe
        
        C:\Windows\system32\Ocgdji32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Okolkg32.exe
        
        C:\Windows\system32\Okolkg32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Ojalgcnd.exe
        
        C:\Windows\system32\Ojalgcnd.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Obidhaog.exe
        
        C:\Windows\system32\Obidhaog.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Odgqdlnj.exe
        
        C:\Windows\system32\Odgqdlnj.exe
        24⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\Pcjapi32.exe
        
        C:\Windows\system32\Pcjapi32.exe
        25⤵
        Executes dropped EXE
        
        PID:3364
        
        C:\Windows\SysWOW64\Pkaiqf32.exe
        
        C:\Windows\system32\Pkaiqf32.exe
        26⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Pnpemb32.exe
        
        C:\Windows\system32\Pnpemb32.exe
        27⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\Pqnaim32.exe
        
        C:\Windows\system32\Pqnaim32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Peimil32.exe
        
        C:\Windows\system32\Peimil32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Pghieg32.exe
        
        C:\Windows\system32\Pghieg32.exe
        30⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Pkceffcd.exe
        
        C:\Windows\system32\Pkceffcd.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Pnbbbabh.exe
        
        C:\Windows\system32\Pnbbbabh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\Pbmncp32.exe
        
        C:\Windows\system32\Pbmncp32.exe
        33⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Peljol32.exe
        
        C:\Windows\system32\Peljol32.exe
        34⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Pcojkhap.exe
        
        C:\Windows\system32\Pcojkhap.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Pgjfkg32.exe
        
        C:\Windows\system32\Pgjfkg32.exe
        36⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Pjhbgb32.exe
        
        C:\Windows\system32\Pjhbgb32.exe
        37⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Pndohaqe.exe
        
        C:\Windows\system32\Pndohaqe.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Pcagphom.exe
        
        C:\Windows\system32\Pcagphom.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Pkhoae32.exe
        
        C:\Windows\system32\Pkhoae32.exe
        40⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\SysWOW64\Pjkombfj.exe
        
        C:\Windows\system32\Pjkombfj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Pbbgnpgl.exe
        
        C:\Windows\system32\Pbbgnpgl.exe
        42⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Paegjl32.exe
        
        C:\Windows\system32\Paegjl32.exe
        43⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Peqcjkfp.exe
        
        C:\Windows\system32\Peqcjkfp.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Pgopffec.exe
        
        C:\Windows\system32\Pgopffec.exe
        45⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Pkjlge32.exe
        
        C:\Windows\system32\Pkjlge32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        47⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Pagdol32.exe
        
        C:\Windows\system32\Pagdol32.exe
        48⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Qcepkg32.exe
        
        C:\Windows\system32\Qcepkg32.exe
        49⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Qgallfcq.exe
        
        C:\Windows\system32\Qgallfcq.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\Qjpiha32.exe
        
        C:\Windows\system32\Qjpiha32.exe
        51⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Qbgqio32.exe
        
        C:\Windows\system32\Qbgqio32.exe
        52⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\Qajadlja.exe
        
        C:\Windows\system32\Qajadlja.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\Qchmagie.exe
        
        C:\Windows\system32\Qchmagie.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Qloebdig.exe
        
        C:\Windows\system32\Qloebdig.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Qnnanphk.exe
        
        C:\Windows\system32\Qnnanphk.exe
        56⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Qalnjkgo.exe
        
        C:\Windows\system32\Qalnjkgo.exe
        57⤵
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\Aegikj32.exe
        
        C:\Windows\system32\Aegikj32.exe
        58⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Agffge32.exe
        
        C:\Windows\system32\Agffge32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Ajdbcano.exe
        
        C:\Windows\system32\Ajdbcano.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Anpncp32.exe
        
        C:\Windows\system32\Anpncp32.exe
        61⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Aanjpk32.exe
        
        C:\Windows\system32\Aanjpk32.exe
        62⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Acmflf32.exe
        
        C:\Windows\system32\Acmflf32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Ahhblemi.exe
        
        C:\Windows\system32\Ahhblemi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Ajfoiqll.exe
        
        C:\Windows\system32\Ajfoiqll.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Abngjnmo.exe
        
        C:\Windows\system32\Abngjnmo.exe
        66⤵
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Aelcfilb.exe
        
        C:\Windows\system32\Aelcfilb.exe
        67⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        68⤵
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        69⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        70⤵
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Abpcon32.exe
        
        C:\Windows\system32\Abpcon32.exe
        71⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\Aeopki32.exe
        
        C:\Windows\system32\Aeopki32.exe
        72⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1916
        
        C:\Windows\SysWOW64\Alhhhcal.exe
        
        C:\Windows\system32\Alhhhcal.exe
        74⤵
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Abbpem32.exe
        
        C:\Windows\system32\Abbpem32.exe
        76⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\Aaepqjpd.exe
        
        C:\Windows\system32\Aaepqjpd.exe
        77⤵
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Ahoimd32.exe
        
        C:\Windows\system32\Ahoimd32.exe
        79⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Ajneip32.exe
        
        C:\Windows\system32\Ajneip32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Abemjmgg.exe
        
        C:\Windows\system32\Abemjmgg.exe
        81⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Becifhfj.exe
        
        C:\Windows\system32\Becifhfj.exe
        82⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Bdfibe32.exe
        
        C:\Windows\system32\Bdfibe32.exe
        83⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Blmacb32.exe
        
        C:\Windows\system32\Blmacb32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Bjpaooda.exe
        
        C:\Windows\system32\Bjpaooda.exe
        85⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Bbgipldd.exe
        
        C:\Windows\system32\Bbgipldd.exe
        86⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        87⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Blpnib32.exe
        
        C:\Windows\system32\Blpnib32.exe
        89⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        90⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Bnnjen32.exe
        
        C:\Windows\system32\Bnnjen32.exe
        91⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        93⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Blbknaib.exe
        
        C:\Windows\system32\Blbknaib.exe
        94⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Bopgjmhe.exe
        
        C:\Windows\system32\Bopgjmhe.exe
        95⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        96⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        97⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        98⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Bjghpn32.exe
        
        C:\Windows\system32\Bjghpn32.exe
        99⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        101⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Bdolhc32.exe
        
        C:\Windows\system32\Bdolhc32.exe
        102⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        103⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Bkidenlg.exe
        
        C:\Windows\system32\Bkidenlg.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Cbqlfkmi.exe
        
        C:\Windows\system32\Cbqlfkmi.exe
        105⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Cacmah32.exe
        
        C:\Windows\system32\Cacmah32.exe
        106⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        107⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        108⤵
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        109⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        110⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        111⤵
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Cknnpm32.exe
        
        C:\Windows\system32\Cknnpm32.exe
        112⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2520
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        116⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        117⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Dhidjpqc.exe
        
        C:\Windows\system32\Dhidjpqc.exe
        118⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        119⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        120⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        121⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        122⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        123⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        124⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        125⤵
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        126⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        127⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        128⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        130⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        131⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Dlncan32.exe
        
        C:\Windows\system32\Dlncan32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        134⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        135⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        138⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        140⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:556
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        142⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        144⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        145⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        146⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        147⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        148⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        149⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        150⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        151⤵
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        152⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        153⤵
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        154⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        155⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        156⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        157⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        158⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        160⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        161⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        162⤵
        
        PID:704
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        163⤵
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        164⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        165⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        166⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        167⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        168⤵
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        169⤵
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        170⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        171⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        172⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        173⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        174⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        175⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        177⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        179⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        180⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        181⤵
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        182⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        183⤵
        Drops file in System32 directory
        
        PID:6844
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6920
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        185⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7016
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        187⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        188⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        189⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        190⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        191⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        192⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        193⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        194⤵
        Drops file in System32 directory
        
        PID:6536
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        195⤵
        Drops file in System32 directory
        
        PID:6612
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        196⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        197⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        198⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        199⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        200⤵
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        201⤵
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        203⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6444
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        206⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        207⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        208⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        209⤵
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        210⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        211⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        212⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        213⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        214⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7228
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        216⤵
        Drops file in System32 directory
        
        PID:7304
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        217⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        218⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        219⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        220⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        221⤵
        Modifies registry class
        
        PID:7524
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        222⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        223⤵
        Drops file in System32 directory
        
        PID:7616
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        224⤵
        Drops file in System32 directory
        
        PID:7664
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        225⤵
        Modifies registry class
        
        PID:7700
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7764
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7812
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        228⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        229⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        230⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        231⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        232⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        233⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8124
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        235⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        236⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        237⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        238⤵
        Modifies registry class
        
        PID:7328
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        239⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        240⤵
        Drops file in System32 directory
        
        PID:7520
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7624
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        242⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        243⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        244⤵
        Drops file in System32 directory
        
        PID:7824
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        245⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7900
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        246⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        247⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        248⤵
        Drops file in System32 directory
        
        PID:8120
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        249⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        250⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        251⤵
        Modifies registry class
        
        PID:7392
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        252⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7692
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7808
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        255⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        256⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7196
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        258⤵
        Drops file in System32 directory
        
        PID:7448
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        259⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        260⤵
        Modifies registry class
        
        PID:7884
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        261⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        262⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7248
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        263⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        264⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        265⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        266⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        267⤵
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        268⤵
        Modifies registry class
        
        PID:7932
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        269⤵
        Modifies registry class
        
        PID:7536
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        270⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        271⤵
        Drops file in System32 directory
        
        PID:8236
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8300
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        273⤵
        Modifies registry class
        
        PID:8344
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8396
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        275⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        276⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8532
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        277⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8584
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        278⤵
        Drops file in System32 directory
        
        PID:8648
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        279⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        280⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        281⤵
        Modifies registry class
        
        PID:8784
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        282⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        283⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8912
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        285⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        286⤵
        Modifies registry class
        
        PID:9000
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        287⤵
        Drops file in System32 directory
        
        PID:9040
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9084
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        289⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        290⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        291⤵
        Modifies registry class
        
        PID:9208
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        292⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8200
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        293⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        294⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        295⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        296⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        297⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        298⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        299⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8776
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        301⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        302⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        303⤵
        Modifies registry class
        
        PID:8988
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        304⤵
        Modifies registry class
        
        PID:9060
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        305⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9124
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        306⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        307⤵
        Modifies registry class
        
        PID:8244
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        308⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8392
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        309⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        310⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        311⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        312⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        313⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        314⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        315⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        316⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        317⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        318⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        319⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9020
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        320⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        321⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8472
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        322⤵
        Modifies registry class
        
        PID:8756
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        323⤵
        Modifies registry class
        
        PID:7964
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        324⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        325⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8996
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        326⤵
        Drops file in System32 directory
        
        PID:9112
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        327⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        328⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        329⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        330⤵
        Modifies registry class
        
        PID:9268
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        331⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        332⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        333⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9404
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        334⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9448
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        335⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9492
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        336⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        337⤵
        Modifies registry class
        
        PID:9580
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        338⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9624
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        339⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9668
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        340⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9712
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        341⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        342⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9816
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        343⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        344⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9920
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        345⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        346⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        347⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        348⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        349⤵
        Drops file in System32 directory
        
        PID:10120
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        350⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        351⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        352⤵
        Drops file in System32 directory
        
        PID:9220
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        353⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        354⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        355⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        356⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9488 -s 396
        357⤵
        Program crash
        
        PID:9616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 9488 -ip 9488
1⤵
PID:8484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
713KB

MD5
17ca49e558c6d331dd2fbfc81a24bcfa

SHA1
96bb1967394daf5b559c3ea2eaa4b220d42e071a

SHA256
e38d2cd1f3cc5f183c43e78aa219c4d729c7ede70df669fe3a0755d1dec2e777

SHA512
1ee5ec8893d2d3539c77aee34c19daaf0997605838ae8261a462c19adc10cb21381d2a8283e5d8c76ea92a592c1bfa98bd1613dc562418b46d0053222b48d29d

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
713KB

MD5
6555a610945dfb48397715a45ce4a96b

SHA1
9ba4ee36c6afd8273d743c9301d576c522556c27

SHA256
0299e04ad02ad079f72d811b35ed7fcb9c1712329a22fa5ceefaf4c65cbd0ce3

SHA512
16a0c318cf0a6438373ac1b11bf6a8a58c3497f8fc353d79e8efb3131538648f8effc87982e78bd1221165f5720b3b06eb7c4687b21912f268002cf3f56206b6

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
713KB

MD5
3f0dbf8a196389c674f29f7ee1e86f14

SHA1
c600b120289c2da008356e3b97b36847d47182e9

SHA256
d8e63101e74b2fb7170d7478995e6f072587d211e5a34da6223481183fe40f67

SHA512
691406e84cf425821c0634f617ce1fd1012b210987aef5a6f90a6a9a37740e698597f5ac9c4540836093e9e372e2133635a347c17dfc4cb38edef628417a7bbe

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
713KB

MD5
3eae2c278439336c94ffc8a7197470b9

SHA1
b0f08683b26bcde4ef78e4f64d8af4dba3520e2c

SHA256
78732005b4cca928b67c872967fc510ddd6245bd0a5111c8227aad007d3778ff

SHA512
239ccecc2ef8b980140627a09d02e0106a969a6c052b727f8cee8106ea930438268604fe4cd1267aa68fb2f30693adfe32282fcf9fa6aa22c9da8ea817c6767c

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
713KB

MD5
22891171e55e1fc838be717e966f115a

SHA1
23e8e0c162b1c1fee91ca274183bd70f799b1e31

SHA256
97e814cd6776efbb49c2345bd8b89fb482a5391d7a889624397a9c620e129710

SHA512
dd0bd2e809861b4783f9c06f725ef2de4b073803ae4e47028a23b6730439689f5f1e6dd0f3f9c23f0fbea4bc178c7fda9747999799cf483b590a8b9007c8c488

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
713KB

MD5
55b9e469d29b2bd6e18d97a78dcb11a1

SHA1
77fc7a5128fa3897770ec70e8c3e98a6b89e5aa4

SHA256
4128f7cad6b6070d92beb537d2edb7e4201b881d102aa654a82608dea5cf1aac

SHA512
c7fe0714b964b40d8ebbe7a3e24a8bad5329d4abb9d1248d0d2c3eefd34167b523c9ebe27534cf9a4ded0510187c12eb7fa90af8228fe9f9fa982aa084310056

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
713KB

MD5
dc7edea2219a52c4d5fd9881056d9699

SHA1
60f5463b0d4d11cd7ccab44b73ca67f38dc13be5

SHA256
cf77d91f39432eb994fafe9e4dd1079d585f019bd5d92ce0826f246a7ca4d896

SHA512
26916149092ef3db8f4ea6edb9be439a931608591a7cb82ca389a5868028aa4cab822ff9d9ec79ee931f6de72c2b55566460edb2da3e909c2414640e19baf737

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
713KB

MD5
81b79263100d36c190fb7494e9e7108c

SHA1
2eb537342e1a93fb34cfa57b884f59c377d38299

SHA256
5bac63d9837f6b10b5c3591964049bfe8694718bfcb24933f45d12e5a05eb5f5

SHA512
c691f290e011aa9322c18056126ca1a434ba5b1fd5c56f68f8f0e19593aa7b27458d8d0875902c388af97dd888e902372649c53ca7082b5a0c8848777236db73

Download Submit
C:\Windows\SysWOW64\Ehimanbq.exe

Filesize
713KB

MD5
f1330f429c4d6e9f55947c04d1508178

SHA1
c02e9eaa9b0ce296d99c636c5a35f469459e9c83

SHA256
8c4e4864b20bdb5d0f76953cb3292e01651556d459931f4fd03abcb64827db05

SHA512
af6874c041f354f70f0600b5f39de20c7c30d1000f749023187a3b2d9d5de100d0e16f308e0b0627a815e3681e9910cbd503e269ddbd002f0540d22a1302b752

Download Submit
C:\Windows\SysWOW64\Gkkojgao.exe

Filesize
713KB

MD5
061070c25e3cab9bbc009eb3623417eb

SHA1
5acc05004771253a5cbe212b0b16d2566a9916d3

SHA256
12dbd2e1143df247187263b00fd048dece5929de2b9cf6deb4264253ce1eb9e4

SHA512
738d66a82b526dc6c9970f6b5956201d64dc5d65bc9180419494d18af717f1d689c9c9a08b522fd09affd50d7d02341d6bed4eb6d0f98d273b5648625f6b77c8

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
713KB

MD5
e0fc6db2a15692d4878de9a4e83a0bc4

SHA1
7980c236af8c583bff3197b6f0a1bb8cd9742261

SHA256
2ed454096595d216ff10fb969fc7842f8872934c470ee1836bded477cb2a7919

SHA512
eac4cd988e14ebdc07d48bbd15058f6ab75292bab0829fa0abb677cbd6b5f1be770e33090d6c41ebea89ac1de2e41390a7bedecd2fd9c681a3c3e5effdcd70cf

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
713KB

MD5
dccd8e72ab4abb0c657739e9928787e3

SHA1
4d12933b2b1185ac61cfe0a7b19557ee73775888

SHA256
424f3948181bd09ec6991a44af0a48cd185fecd24161167bcec22111cf9de560

SHA512
2a781c9497d6c372c66f507a1f0bb4641563091b3f41205434203f7b3993f0783864a21ef613aa9df9116b38deedc54179a2f58cb87dcef62334e0e13c4e65ee

Download Submit
C:\Windows\SysWOW64\Hflcbngh.exe

Filesize
713KB

MD5
a13f9999990ab72c733a48d3b3f77ba3

SHA1
eb1ed4dba42fd8dbb4248cc18e244909083ad11f

SHA256
f4d6db01dddc2cd5172e2a141b72f0ba8f4e7dd634283381187f72f97158b6ab

SHA512
45a2025ee4a88441fc251e6f920672e010f6ca69d042f99c91a29ef5a21b8939343c6e2a4d88f5a186532aef5399a7295f0b971ee23b7cbfd3306962f86115b9

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
713KB

MD5
62cfe012e6f996cf02eb4b533c8c9013

SHA1
cc4421d00ec3f2355cc6a10f849573ee0dd5a62d

SHA256
8f390dbaa421408058d630c07aa98865c9a2f41400e520dc5f5109f1012e0945

SHA512
35c515f218aaff3482bc2c6e0c33d689af9411331c5a3e98e0457a9f2ce8b374280a026521b58b5d9dba4c3e9688853d34cafd57206b18fc922722c2156e85ba

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
713KB

MD5
d7a265c1c8e07f73dedf78892af1bee2

SHA1
ff2561d70e6b2047ba177fb53dcb43842ed2713a

SHA256
e17481d262932bdd8befff7d6c65d6193b9b96fdc8ae46ed2b060a03e2a905c4

SHA512
1ded89b85490a06ddd8933bc6b3ebb4347944e29b45076f0a99ab57552167892b8cabd093768f5e7a0336cc4fbd992c16a005baec932f0da3339911ac12845ba

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
713KB

MD5
ab50bb6494af45513dfdd27fc8c7ea8f

SHA1
4e785fbdec1c5cb0a540b712048c438a917cbfa2

SHA256
33936c22c39b23899d004f0f5f4be79c37813bcb442ae8f55a91126ffb54eaa3

SHA512
6e911a4e86750110195f72c832360d0f59a74af64e6fdeb736f7c403f2faf1351a715abc2e9dc6f1b1b72e71bf99c801c27123ec9e47eb15c4b502f4e2d1babc

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
713KB

MD5
25e94bc2f0d2f21f4b567bbd00bb2f8d

SHA1
c73b2b098d1c95c4a02beac2b4a334ba802954b4

SHA256
c2bf30b45c45489b7e262a0f07372f1458053668f0e7162c5f0de24d6aca0f10

SHA512
fc82f006b850317501cecc0bc59f8b3e1ea7b194d815e526bc306a3fcf3d527d42fb0b2120dc9173c870189e3ac8c0ef58d9b1495a929ac6398ef410fb94c6bc

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
713KB

MD5
21ec23af2aa49e2990c0089b7872ae4a

SHA1
7e415c87f32f18b2e37684e34f63c5e4d20f8f8b

SHA256
117af47ab84a5663ea4602873e5362a1a471ebff9523ad1c2928644d4a4cd41f

SHA512
480e2454a5cc02aa17ba2b141511d23117c650ef250a281bb9515be56443129fb4370565f79547beadf13842063a16a57fb46ac7476931278455b1384a8a9086

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
713KB

MD5
0b24f7c2f42b3e6473303c099941bdb5

SHA1
72ce58d2c9443ac177a9678e867c00da9d299b2c

SHA256
30ec77a16a33d8d2dba2de8d822284db1d3289f2494f70e7ff804d967e27f152

SHA512
351dc079c68d8e121e441e3c122b7c16ac048a1ff5b122e550101a2f00fe7633d6059e064c62e3383ac73b89c976346edcd7018020e10d70147d3c5e316ea3d5

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
713KB

MD5
6d619f67d007d5228ef9f53b5c78a2e3

SHA1
175fa99f2f5ef7bf92e9774a65d81f8b0701f8fa

SHA256
97d35a479664fa80ddce01d4503754ffa5d1da49b9b27d2054a6c29df9608332

SHA512
cd1d4fc7837b613a8bde6ab151519c31faa082a21c6b498db73671d868f45621f63d90595fa2a635b8ff79b114d90386338515c868e70a51b23156e56eda4ce5

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
713KB

MD5
47baea946aef971543512129a7cee1b0

SHA1
b5093e72f616177d10e068f6a292b9436ee47583

SHA256
4275db27c0f6b0b5051988453f202f9270e3b30800b06cb8c91f215461cb9b54

SHA512
37d981ad0b1d4c680beee3f180293a13abe813453ca7c337ffd33f7e8ed5dc1e1bc2cf859ee1b9906e137b92df8787c43a5c5e85218d1c7af38b1ba0b601a4d0

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
713KB

MD5
02ee48a8f6f167160cbd295dace74337

SHA1
f999d7fff1884399bdf38a5170fec20787315fdb

SHA256
b86cdfb305a65ffc0c33fe1f93ed0fb7fe0f526ba7060ab29a2f024dfbc96fda

SHA512
b5134e07963353ae3486ec642f7dc56a00db0aae8566c033ef5f256dc83ee2b7592cd77133b5a53fbbbfc1671de88a2e20d2d7979ce3d74aaa9f5772edb7c397

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
713KB

MD5
06584073d9669d6cb63d91e6bf107593

SHA1
7213b44461d7590638b404758ab85db814af51ae

SHA256
5850519580821a65441ee423a28bc9ea4ead47e5a4d036caf64747fed3bebd1c

SHA512
90eb898865bf9613df73e1c7c585c9b501973e68fc41c7a08dba05273669cf6878d7326725b64f965b707259c1d39662ec499a57492a2cce81221c53762da8dd

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
713KB

MD5
f0a63992feedf009765fcf6e32cd8f45

SHA1
83e2f5c59411ebb66966773190f164538751794d

SHA256
59f341e7c448d308ffca38c5ecaf4003cb36c7b6e0197adac82f10a8d364add5

SHA512
df217d41448b7f5f65900861f00527b654454c7541a79276441a2066a47f360f54f066f22ddbb509e39d7a433826fba239ebf3424c531baebbece481f0764e01

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
713KB

MD5
104c3eb5c7170b7aa801cfa8f3204bba

SHA1
7f74004abc6b69d3140eb2988ce971c73e1233dc

SHA256
0bb224f31982556cd361e2d6affbc082cb11f9831fc7765de8c93952b43abef0

SHA512
d7f0c078172c05d8f8bbe301c379b2e53708aede44c8b4d60b17bc207bae374084e22ed4530b0afc9f5a4caa56aadeb7a25efeb032b5da09964628a975f500ac

Download Submit
C:\Windows\SysWOW64\Njfmke32.exe

Filesize
713KB

MD5
f5206dcdaf3d41205733391ad7f0b067

SHA1
6dc43c3f3b33e4ae731d964a2e5f0d802daea869

SHA256
95921724ec29e208ecd5a6aa54472dac0141601ff8caab4a9ec8277519304636

SHA512
161c2c204f97545c70ca502e602efbffb7cd3574900eef7b8a45093a43f552fcc251f4619aa8cd4b9476facf1daf33c6df4f0feebd8011b7c0bfdccd13783818

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
713KB

MD5
7c37b926448ba694c8d4086f4bde5fc9

SHA1
44aefc74cd758b94f5526a5f60f5713296652135

SHA256
b526a5dec75b83544c2127237f339a87b3d839e31fc959594208f0632d53a5e9

SHA512
0918e90d9d578df0ee5253b05f50d65a6af7ca6bd46de54acf69fc491b7dda18be7d297eb1f04ee1fd25f1f0a8d3fa17d305eb812fd371641ecf0a8dface331b

Download Submit
C:\Windows\SysWOW64\Nqpego32.exe

Filesize
713KB

MD5
875a89b09a37e08e91c770b77ac4b9f9

SHA1
130951d98a709b4f4d73fe507922d02ff6962663

SHA256
565b6c8e4aabeed57b9080c24ea7514eb5cf8c17ed96b2e7f31830ef8e74da96

SHA512
4d2843e97d7bc7400521df52846789f6c57e2fcccde42b9f933cd54bce483123604c4fae1d5364379a994d26584e86180a80cfd1fad7274ddc0dd1cf9f1cbdc8

Download Submit
C:\Windows\SysWOW64\Obdkma32.exe

Filesize
713KB

MD5
f45681a75f6532a84d626ff3ff07f88a

SHA1
1c7af69974dad796f49eff8c540ec6dbaf4e12a7

SHA256
fa21ad2cb790f84138f814473f1eb0e8e66aed489ea0c06df75ad487e985ab5c

SHA512
616efdf2845aba92f0416cd5aa3b1cc4dcb2663ee7e0ceae500c7b634f90cac3af83af35e971d14a8256efc86535e19d5d374b51fe9b6389e732e9c59b0374a9

Download Submit
C:\Windows\SysWOW64\Obidhaog.exe

Filesize
713KB

MD5
2eb8c6c1e8d0aa3211914eb317f5bf4e

SHA1
66e6ce8ac8afbc19ba64c88e6c0965c5fb4fea70

SHA256
85278cb685bf1f329dc6bba55e58eca91110425aad50833d3bee052f2ba78c6f

SHA512
29082cebfcf4a16ec32d3c1a105c6e6cefce53c1cf8e8e621c083dc2862c33612d5a240f5d9ba07ddebc2f5b19a67c2271fc12d84e2124eb5190736826bc6c33

Download Submit
C:\Windows\SysWOW64\Oboaabga.exe

Filesize
713KB

MD5
f1e6aef0019becdba76a4c4b778fec53

SHA1
eeaa68fcd5172fdb3c3fbae63b947a388abc3e01

SHA256
f5a051f881582e7f73684715f3c6e51400469a2d4e9fa8c683385eee04dd996a

SHA512
fded856814eb429b3ee57b25787525d0eb0203d5a22cfce6995e24cfb409c866a0a1cdf9e6fe6222f3a4ac851e7a45997584687fc091ca52d260d9e3148f078e

Download Submit
C:\Windows\SysWOW64\Occkojkm.exe

Filesize
713KB

MD5
054cf6696f07d79ecfe644c2ed3f9876

SHA1
e1235c05e46396cbd997cc631bfb04ce1ba9bcc9

SHA256
a15db39cd9bc9d5bccd0bc67b32b5e78b3065f861a4a4acc7101414776ca44dc

SHA512
afd0e83f8095ac7cfdd994345578d090b6711aae4d7035e04a5e9b22a1cb64869e2339bd89cfb78552937e12f815b440f6429c90dbc7553cfd8b40628f77c2e7

Download Submit
C:\Windows\SysWOW64\Ocgdji32.exe

Filesize
713KB

MD5
b6aaa8003ee15f5e37f3c6ec5fbd5469

SHA1
259d08c6b915cc1fe3004e86ce9ea5de5417b2e3

SHA256
f5a33d3a815c852e9e559b0ff40cb9ff91e4af62a230fe541124884cc00fed50

SHA512
e6a71a9e48ae8b36ff8e75f1ad5153a6aca1099bd3fc122c404ca88f4a8d040d0ed6891c05e49a3613eecc1a63d0362ac23fa7396751bb4127d65e338a6b963e

Download Submit
C:\Windows\SysWOW64\Ocqnij32.exe

Filesize
713KB

MD5
f9f267c78aa21866c7e056f063a26fa6

SHA1
1f517e835a4fc6de9ac31724833538ef71bd7227

SHA256
51be7fd24f49b9ab095a3727c20250edb819a73bfa7fc93fd288be890c57a8d1

SHA512
451ffdfa9f644026eb7869cb1fdd101c5643c2fc9ec707103aaa65fbe97a5c0f3fc755a3cc62e583dcdcb3eeb9f47a6fdb4faa3f214daa62f5be8a4d30f8688a

Download Submit
C:\Windows\SysWOW64\Odbgim32.exe

Filesize
713KB

MD5
497e22b3657ea847e9c8e8bfd9a58e8a

SHA1
34c4f690276537ec8ea7451fb6b7675a0680cdeb

SHA256
b8333e885e94450dc80c6fe80856458993b864cea67fe6c40e4cd4b94ceb8474

SHA512
b6b71086314b363dca6210bc8d7ab9d9f9465a6b75e1cdd678ca9cc6e20bb4bf145299e58103c86c26149a3bf01defe1f702d520097ef89b149614aa854eb3d2

Download Submit
C:\Windows\SysWOW64\Odgqdlnj.exe

Filesize
713KB

MD5
41520d1327896379c7eff653879b6d90

SHA1
7d96b9f4d0734bdcea695439f06d3b680ac7e31e

SHA256
beae9de5dbc9c1122afc95406a71cc79532f28936f038f650f9394cff7111eff

SHA512
3aeb3ceea731b11b7bb104f0fa6587b5c5dd953a8ae78f35d2658546ce35007f07cd485b0eff394ddab3fa23ab16a167af4fd76b234833403c9d606a48712ac1

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
713KB

MD5
19cda0b0d7849e3d37a9be0593142bec

SHA1
c376d656ec5f8ebe4a0db8049e85fa0fdbe3fc72

SHA256
6d58de1e0fd4743085e0587b20b124f1b9297f493906a8e6e6f056dcdfafde64

SHA512
cb0dff03a6e4b602f802c9257d1c6523bc9f4f44f1d5b87c4b84152ef48d3b61e485e52ba885e9dc1a08c34ebec7e0543ef58454b0230506e88f5b5974f7393e

Download Submit
C:\Windows\SysWOW64\Ogaceh32.exe

Filesize
713KB

MD5
911ac07de75a49d21c4aa41fdf23f7e7

SHA1
981198743f9ff427d538adb870c644b154c5323f

SHA256
47dbc22562c0f078a5a8f451f3c9fe812394f397084ddabc95801c8958549723

SHA512
8f61b046f0cb0b86f32f457687dc08bceed9d9d44eb4fafe34906553d02104afe94636a2a4377dad3ec28671d10b6f6da8398de3225d630de618732da9b96c44

Download Submit
C:\Windows\SysWOW64\Ogogoi32.exe

Filesize
713KB

MD5
574c59562788cf48291a224f6c388a6d

SHA1
a201a69b54a3d7a618433b5c97cc140eea228ef3

SHA256
036fb6fa4413114f8fa55e82ce181278215e4e30db86dae52612e224bd5237b0

SHA512
6daf861beb86472374516d0a56af91f51372b9d620c46cf56d237949f51008622697a0405defe22a57a4ef5d57f86ba017564b02cbc4b2c81f8e223ebf5ea16b

Download Submit
C:\Windows\SysWOW64\Ojalgcnd.exe

Filesize
713KB

MD5
a934fbc7b4cd4194ba89d5a4ecb1b770

SHA1
2f6b4081772673fd27bd18d2eed5585dd38ef407

SHA256
86d99a35981779efe5243189dd0cc446633a6da7d911e69c353a265e5e64305e

SHA512
a16be702c6881f224d7de1f1d157469454bade23f28e6711632cb3fa271acfb8cb99fab3e536370adb89f3237549fbc119d121abde7ef5efb88aaaee46582f8b

Download Submit
C:\Windows\SysWOW64\Ojhiqefo.exe

Filesize
713KB

MD5
baa9da27d6b766b8a57c9ef91eba7ea5

SHA1
88c0ac4554b7c68354ac9ca855f913efc1858666

SHA256
995113e110330e3e5ff0a039aef9c950eac1a342b8fc8de76bc68fa17c276769

SHA512
21ad41b53f99dc2354b58934f7e92ac44de0785691f132c3d33e52c0cce1c6a99d783fd6ce55128fe4a12bbe5e3555872a162820a680e291b33d2c4f11094537

Download Submit
C:\Windows\SysWOW64\Ojmcld32.exe

Filesize
713KB

MD5
bb617c5645ae3ee6f94048cacf3c0037

SHA1
24f1a726e792195f0a8e575de8b2a9a5d7059fe3

SHA256
e8dd65d19d7431db9c716f3cb39d9c51204e1acb08c2c2d756105b659ef1c21d

SHA512
18a3835e893980f2a1e774e2eab866778bf316f58e0ea2e4ce1f8a6ab7ce1d9b2878267e2eb2da6bfff1bc5181ba47f79d46a5df96169b92a43fc982eba43a8e

Download Submit
C:\Windows\SysWOW64\Okhfjh32.exe

Filesize
713KB

MD5
e6619b11fb4bbda10c9e60128006a434

SHA1
fd1c741c714f63c29711752fadb9f3087274f92a

SHA256
7c5415dec83d648d2b4d40846774faaf45b3b39e3f39ead26d6362f38844b0d4

SHA512
250bc45ffe2e9c31a24f43c20fe05bd24ad84756ac9ceffcdc71fc5b2d79b1d059f66b66c06ac093eb8dd302b7e3859f72d4a98ddb54af5fed522e1d8ca3faae

Download Submit
C:\Windows\SysWOW64\Okloegjl.exe

Filesize
713KB

MD5
3f4ad872450f6a2544eb61774d95adc3

SHA1
c09017c15ec1d95c2cec143fce7e86a90005526e

SHA256
a98335bf6bb6c954d3b1a56b6f725f2f25a8c41b7428a6dadfbd3c24cc441373

SHA512
3297eb3801b13a492cf57802cc87ebf58359897f1fd5ea6f84a0e27e45ba66d3ed1fc7235c79fcedacadc644f15926641017a3d51afe5f5f38d259f38c337ef9

Download Submit
C:\Windows\SysWOW64\Okolkg32.exe

Filesize
713KB

MD5
92c8b909f52b95056997f424a4807468

SHA1
a318f232185b25287fdb1149793c3f49fe99a85e

SHA256
4b8367542348a05709d025cdd1d7342a727bbdcaf449eb8e085b2f6b9e7db2d6

SHA512
62bc23af2bc8e0964bf38132d148ec1154b2194f6fb08500b27d699db8eb2d2db6aebfce390f735d1029b9f61cb662ffbd6c481fe463751dbfbf97eed66c802e

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
713KB

MD5
e7e6f190ff0bb41ff70e58313f16a23c

SHA1
a35a4af8f459adae6e9958b17b4ea2c4f69091b8

SHA256
b72cea07f029e2fc18707328c75a167ed4c0e0ba770454ba16a2cc62c34b4def

SHA512
0a5ef00e8a2cce20cdca91d7260860b53d04916402504ef7026b7b0cb2a2e395c9f0f87fff175d185dee1e21d8e743b53bcc689c29881005d40f4891d9aa0a7c

Download Submit
C:\Windows\SysWOW64\Onfbfc32.exe

Filesize
713KB

MD5
12ac1d2a8a27090b291c8beb5a2d822a

SHA1
ca6ea7c60d5854e55d223bd8f4f81cc8a6c12f10

SHA256
70bc5878ca9afe858f4e01ef4135798873eafef893573023fb705b3dde33bbb1

SHA512
22ddb31e9d0ec1b3cc494ee8b1f03b4b6fc249b7f70ad40e5ca796ce04aa1af33eb3c4db1cf143fad4159768b6da0d5856fce7685f90bdae82a43016441619b8

Download Submit
C:\Windows\SysWOW64\Onklabip.exe

Filesize
713KB

MD5
66bf32d67637612dc68c2a2003c57999

SHA1
5786f539e31cf894615ae9b39eef1a5cb712525b

SHA256
e6688397fbb860320d727d5a62266a50d2e238546253c8f1f1dcfcb5bbbb3f5b

SHA512
b21c9ce3fe2baece9c70e0a2038531414b443ff50a3d0d062e0a52b57e5afb1189f0a28002ea264f24b7606f6d20a7ad6eda64fedcb40e85ed3c51b92fc20d95

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
713KB

MD5
d7c0e5687d9f0fd2b07fd0713f2d028f

SHA1
68a48511e999b1f20624a70513b3e2bb5ed6fec6

SHA256
f4a0c1b07899cde9cc9cdb1c201a6df5638c87ae5b0353601bb1bc46981a1d1c

SHA512
aee5f3cabc871efe8a2884167bccf2083fccc989f2c19380878718a05718643ba6911d3149c22173635101226fb66aa675ee503185c33acda2ee85c3da72c4dd

Download Submit
C:\Windows\SysWOW64\Oqdoboli.exe

Filesize
713KB

MD5
4b0f0e811c40755b3a1a03190433cf5f

SHA1
a0ae6f6f24019bbd25265959c3ae400fb3e7e198

SHA256
7608d32500c8b61a8240e8a7a085a3311755ecbc4566adf66a0920573fded8f7

SHA512
704945b02101b195aca3ce1b62d46f81506da1970bd35a38c30dedf143406c57b1aa8a32f12a5e2e17dbb2129d8b79d2c88144321dbcdbeec6f88ffaed4ba56d

Download Submit
C:\Windows\SysWOW64\Oqihnn32.exe

Filesize
713KB

MD5
75c3a72d85caf706c1f3306b707f83cb

SHA1
be989849dd7dd6f463d11adca6699c9c2042e84c

SHA256
dfd8f7d8c794bb5db6cc0294a3d6d2a493a81e67ef3335acb9fb3b5b7d49f416

SHA512
56c454239cb2eb74e76e6bf722d87affde2be872d4c4be0145d1b60213396e13ecc99abd34530552642a2535b6be740dd97f106b047a3698be00574b9008a52a

Download Submit
C:\Windows\SysWOW64\Pbmncp32.exe

Filesize
713KB

MD5
64004f35076f3abec7cb29bf281b2827

SHA1
83980c7811e102c53b4769ef496f248d96ee1a8b

SHA256
5797012dd8d40f1e949213345abbdf95687a3a51b83e6582c07fd7b60440ffc1

SHA512
c9779634117f7b3c53e4bbca7e6b1923b92d9e71dddb02f105ed5499e61b56d65f703bf0cf291e48e0d81380521fbe283bd6190ada3fe2a9443d3662f4f4fe0c

Download Submit
C:\Windows\SysWOW64\Pcjapi32.exe

Filesize
713KB

MD5
88675630741c57bbf8707d60bd4421a4

SHA1
31b8aa5a2c9ce8ebef4a24ea33a97a096a6c42c8

SHA256
27a4d62345f0d0a260e4267ee844bcd1238ce27ae82c6c698453c31be867199f

SHA512
386d5d8b89ccb61e42f9083820fd6fe74e27e5b9c4d47edd4d32ae05c39f1280a8abd7b29f0a3c08e843fcf8798bceb197708b8b04f6f7a9c85a62a0962baa43

Download Submit
C:\Windows\SysWOW64\Peimil32.exe

Filesize
713KB

MD5
07e61f4510e9eb87004ba2e046dc2c7f

SHA1
3de25aa412045b9b6adcaf84d650e95c40231861

SHA256
f07c6dde28e3651e421759d2de7d1fd349e53b062770f1edb7fb08c47400ba60

SHA512
1bee1bbb21f1277c7f894c69c2a43fe6ac8e479edb1194631874d5ff1c9970a9f06f5fa5df12374635b179f1a651ff1f38c5d6a8a344f7b5624e3d439513a226

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
713KB

MD5
ff5c757edb5ae8abb54f34181963fa2c

SHA1
29cb9100b88759ac83033936de4eb8250f55c2fe

SHA256
c682e3a5ed0bdd78a2a5df18f1cb73d4dd23136dde604de6d4059e8d81810c61

SHA512
6a19723618d949cb64efd2f9472f2c1c4b95fa802fe8c22f0b0250de3ad929dadd1d2343fb0608f5c7f80d2cf61dc6c7248606f2c6cebd60f4b42b8a5d21c1cc

Download Submit
C:\Windows\SysWOW64\Pghieg32.exe

Filesize
713KB

MD5
fb95c86413833c0fe64cd7a6a06322fd

SHA1
977c6fdc3f2e3aaa77063ca2492dedd07f7ab81a

SHA256
ab0af56eec63db885707639209cb4f4d668950fce2efd94197f0bd064fdca242

SHA512
93187c96ee9a3eed7aeb02744f2da5c54445bad9a41f24e574a61040d0e21dc4bc1ef4fed153a8694f2b03c69f3119df734cedc82e939a389a5f18a5997e1ff3

Download Submit
C:\Windows\SysWOW64\Pkaiqf32.exe

Filesize
713KB

MD5
f1a1c3bc36523ec6991dc3c95ab66ba0

SHA1
f74fa8c89630900753abe820bb72a54357c1f50d

SHA256
e0e08f40fac18225306170675214e0a5cb71d8f3d5824fb5d0b342d2aaf19bb6

SHA512
8b74b59777e8145a8fd899db44f238d02d082f15a2abe9d7361c83dda27510a4739f3ed1e735f19629cf2bc4e420004223f0992fa32f53d3236bcb3d32d00f71

Download Submit
C:\Windows\SysWOW64\Pkceffcd.exe

Filesize
713KB

MD5
01716a1e8930c225ca78a96bc43fd3f8

SHA1
861836721789a6225026be1cd5c283860f971a1d

SHA256
d1b03cc2c0bae0903aaa0af0a40c31d62c45b6f97bb16b6c3b6b60456f020d72

SHA512
4339a12cb652043ff912ba19885e1aee162f219b50bcc969b6228412a99481817a43c9f2b1c82410c594d0a4ad5d5994ef7d1fcbf64ae0ac86d70d3da32dc48b

Download Submit
C:\Windows\SysWOW64\Pnbbbabh.exe

Filesize
713KB

MD5
32b48c32d7c8bc70ae460349a79cd17d

SHA1
702ecf43d6ac973a2dd6a194e5ae3e36efa3069c

SHA256
6d44fca0d37d5196e3933fb5230a43b5fd1f11403632cc0cedcc60258026a7ec

SHA512
baad26c068be60332f4deae1a406c2e66d0ecb9de9d6d338f9e8c7a8614bd8850fcd3e17998f18a5e12cb1b5eb2fb3ffb11334acb87c7c77012287eedfb3d293

Download Submit
C:\Windows\SysWOW64\Pnpemb32.exe

Filesize
713KB

MD5
07da28c7d3c45f35098627e8fca0928d

SHA1
3d3baecc324b1a92fa91c12560c3ef635c72c29d

SHA256
c091a319b1ac239e6f3eb70a534a2a2adb3cb6d98662a5d7f6296e2bfefcee36

SHA512
edc740b717e1d27a41f1a29c7298f92aeaa957f9691bb036efef54777af70c371918281fb768ff26bb8550ed9b01c90e471d12cfe8ff2002c88dbf112f0c49e3

Download Submit
C:\Windows\SysWOW64\Pqnaim32.exe

Filesize
713KB

MD5
9dd1fe7322f7e4871e268f38c19dfc1c

SHA1
376180bc5c6c98096fcc21b82548ea5756511f0e

SHA256
d035d83670cd0e20378f0edc3e57fbaf52a4859dfbd4e87bcd381eaffd0b02cf

SHA512
a6ccd03fd0c33aee999273839e1ffc9bbef765c56b7878ef0e377ad1a8955eb9181678e9220aa73e7ddd6a40a4d153dcecb5101fb9bb5d06201d540d6109646b

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
713KB

MD5
aa7cedb510755176ba3b27ec6ed90143

SHA1
6d9041978826dfb6b71ff8df0e8b355ee04af02e

SHA256
dd7271cf92ed929ed557752ac17d2f89a3420ad52ceadb2641a5f671a4d146de

SHA512
155c25cc10773b6525512a30499d958c00cf2cca788954a0c228f3f26a55b1622a41525aad57e0e12f23c2ce51877464b1074171ad15f8036ca449f5c164b09f

Download Submit
memory/116-653-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-783-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-676-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/576-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/576-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/808-662-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-644-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-652-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-636-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-633-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-684-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-654-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-686-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-637-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-782-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-618-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-657-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-675-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-690-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-627-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-661-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-656-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-687-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-643-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-645-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-624-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-659-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-678-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-785-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-625-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-683-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-650-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-620-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-630-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-688-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-671-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-689-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-631-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-680-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-780-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-673-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-634-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-677-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-682-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-651-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-622-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-632-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-649-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-642-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-786-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-667-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-623-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-681-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-658-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-787-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-655-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-626-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-660-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-670-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-619-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-669-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-640-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-664-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-647-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-672-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-628-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-648-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-685-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-784-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-679-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-629-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5140-788-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5176-789-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5212-790-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5248-791-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5284-792-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5320-793-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5356-794-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5392-795-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5428-796-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5464-797-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5500-798-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5540-799-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5572-800-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5608-803-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5644-806-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5680-807-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5716-808-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8724-2373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9536-2358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9960-2341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/10164-2333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads