5c4530d29cfbf2fa19f84faa10c307fa7cd0cbf51d6a83a4e6fb90a3c805b101

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5256205b842157c3ce9ca0407df3afb0_NeikiAnalytics.exe
Size

359KB
MD5

5256205b842157c3ce9ca0407df3afb0
SHA1

49ffea8bc2789631c01316bdd279d99f72f1a5dd
SHA256

5c4530d29cfbf2fa19f84faa10c307fa7cd0cbf51d6a83a4e6fb90a3c805b101
SHA512

eeedb260b4ed6ef463b2a1d52664f73a4c9dc409cc2c010acf31fc7bbed248c6afd8546b29b9cf4285b5282ae5648fe71b5d0d57e99263b2040fa6648c171414
SSDEEP

3072:K7Ano/XuUi0z9gk28bI20kQI8Va3CkfUVuyelbvP5lkzmQ1o0Otw44KmfpKivFMf:KEQD9gk28bI2prba4Yb31/do

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peqcjkfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eamhodmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcpclbfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaedkdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdcdbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andgoobc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddpeoafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnihcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clpgpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbpnkama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elbmlmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecandfpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anbkio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklaknjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnbbbabh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daolnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecandfpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdqgmmjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbnjmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgciaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elbmlmml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhidjpqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eekaebcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajneip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdbhcck.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aealah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe

Executes dropped EXE 64 IoCs

pid	Process
2332	Odbgim32.exe
4208	Ogaceh32.exe
2300	Ocgdji32.exe
4624	Oqkdcn32.exe
4404	Pcjapi32.exe
1084	Pqnaim32.exe
4896	Pghieg32.exe
1440	Pnbbbabh.exe
3200	Pgjfkg32.exe
5044	Pengdk32.exe
4596	Pjkombfj.exe
4332	Peqcjkfp.exe
4748	Pnihcq32.exe
4556	Qcepkg32.exe
2248	Qajadlja.exe
4076	Qgciaf32.exe
860	Qalnjkgo.exe
3688	Alabgd32.exe
4344	Aanjpk32.exe
3812	Aldomc32.exe
3080	Anbkio32.exe
208	Aaqgek32.exe
1596	Aelcfilb.exe
3936	Acocaf32.exe
3988	Alfkbc32.exe
3628	Ajiknpjj.exe
1144	Andgoobc.exe
4632	Aacckjaf.exe
3540	Aeopki32.exe
3000	Adapgfqj.exe
1964	Ahmlgd32.exe
2992	Ajkhdp32.exe
1272	Angddopp.exe
4776	Abbpem32.exe
1148	Aaepqjpd.exe
1748	Aealah32.exe
4768	Adcmmeog.exe
5100	Alkdnboj.exe
4672	Ajneip32.exe
2308	Aniajnnn.exe
3948	Abemjmgg.exe
1624	Bahmfj32.exe
1228	Bdfibe32.exe
3968	Bhaebcen.exe
4880	Blmacb32.exe
2268	Bjpaooda.exe
2644	Bbgipldd.exe
2704	Bajjli32.exe
2588	Beeflhdh.exe
3312	Bdhfhe32.exe
1720	Bhdbhcck.exe
2068	Bjbndobo.exe
3776	Bnnjen32.exe
4648	Bbifelba.exe
4860	Balfaiil.exe
1656	Cklaknjd.exe
3032	Chpada32.exe
3652	Chbnia32.exe
1668	Cefoce32.exe
1576	Clpgpp32.exe
4660	Conclk32.exe
3196	Cdkldb32.exe
3532	Daolnf32.exe
1936	Dhidjpqc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lcjnop32.dll	Iblfnn32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Flceckoj.exe	Ffimfqgm.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Aelcfilb.exe	Aaqgek32.exe
File created	C:\Windows\SysWOW64\Mjdgcbkb.dll	Bajjli32.exe
File created	C:\Windows\SysWOW64\Oqkdcn32.exe	Ocgdji32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Anbkio32.exe	Aldomc32.exe
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Fqqlehck.dll	Hbnjmp32.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Lhibca32.dll	Ocgdji32.exe
File opened for modification	C:\Windows\SysWOW64\Abemjmgg.exe	Aniajnnn.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Kebbafoj.exe	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Pllfhkno.dll	Bhdbhcck.exe
File created	C:\Windows\SysWOW64\Kfjhkjle.exe	Jlednamo.exe
File opened for modification	C:\Windows\SysWOW64\Ilidbbgl.exe	Iikhfg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhidjpqc.exe	Daolnf32.exe
File created	C:\Windows\SysWOW64\Dafbne32.exe	Dlijfneg.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Icpnnd32.dll	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Habmmpbg.dll	Ajneip32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Dbaemi32.exe	Doeiljfn.exe
File opened for modification	C:\Windows\SysWOW64\Jfeopj32.exe	Jplfcpin.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Aldomc32.exe	Aanjpk32.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kfmepi32.exe
File opened for modification	C:\Windows\SysWOW64\Likjcbkc.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Eekaebcm.exe	Elbmlmml.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Eelcja32.dll	Eamhodmf.exe
File created	C:\Windows\SysWOW64\Dkcfedla.dll	Heapdjlp.exe
File created	C:\Windows\SysWOW64\Lpqiemge.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Eeijge32.dll	Abbpem32.exe
File created	C:\Windows\SysWOW64\Gfpggnan.dll	Ddgkpp32.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Phfkqkek.dll	Acocaf32.exe
File created	C:\Windows\SysWOW64\Pengdk32.exe	Pgjfkg32.exe
File created	C:\Windows\SysWOW64\Nggdeh32.dll	Aanjpk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8788	8672	WerFault.exe	380

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajneip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbdco32.dll"	Chpada32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbpem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdegandp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhjmp32.dll"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doeiljfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cefoce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoolbinc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicinj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hffdjk32.dll"	Bjpaooda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadbk32.dll"	Fhemmlhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdcdbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiigifj.dll"	Dojcgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkfpo32.dll"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaqgek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eaklidoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgdbi32.dll"	Gkkojgao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andgoobc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfembo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qddina32.dll"	Hmhhehlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgmlbfod.dll"	Fomhdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhilj32.dll"	Gbbkaako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcobhnfc.dll"	Pcjapi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffldcca.dll"	Dlijfneg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhidjpqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fohoigfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqqlehck.dll"	Hbnjmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifllil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaooda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpfco32.dll"	Cdkldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnjlc32.dll"	Aldomc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeijge32.dll"	Abbpem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfibe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiggphnk.dll"	Aeopki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcojed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Heapdjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilghlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aldomc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlokddim.dll"	Fohoigfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiaephpc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2332	5088	5256205b842157c3ce9ca0407df3afb0_NeikiAnalytics.exe	81
PID 5088 wrote to memory of 2332	5088	5256205b842157c3ce9ca0407df3afb0_NeikiAnalytics.exe	81
PID 5088 wrote to memory of 2332	5088	5256205b842157c3ce9ca0407df3afb0_NeikiAnalytics.exe	81
PID 2332 wrote to memory of 4208	2332	Odbgim32.exe	82
PID 2332 wrote to memory of 4208	2332	Odbgim32.exe	82
PID 2332 wrote to memory of 4208	2332	Odbgim32.exe	82
PID 4208 wrote to memory of 2300	4208	Ogaceh32.exe	83
PID 4208 wrote to memory of 2300	4208	Ogaceh32.exe	83
PID 4208 wrote to memory of 2300	4208	Ogaceh32.exe	83
PID 2300 wrote to memory of 4624	2300	Ocgdji32.exe	84
PID 2300 wrote to memory of 4624	2300	Ocgdji32.exe	84
PID 2300 wrote to memory of 4624	2300	Ocgdji32.exe	84
PID 4624 wrote to memory of 4404	4624	Oqkdcn32.exe	85
PID 4624 wrote to memory of 4404	4624	Oqkdcn32.exe	85
PID 4624 wrote to memory of 4404	4624	Oqkdcn32.exe	85
PID 4404 wrote to memory of 1084	4404	Pcjapi32.exe	86
PID 4404 wrote to memory of 1084	4404	Pcjapi32.exe	86
PID 4404 wrote to memory of 1084	4404	Pcjapi32.exe	86
PID 1084 wrote to memory of 4896	1084	Pqnaim32.exe	87
PID 1084 wrote to memory of 4896	1084	Pqnaim32.exe	87
PID 1084 wrote to memory of 4896	1084	Pqnaim32.exe	87
PID 4896 wrote to memory of 1440	4896	Pghieg32.exe	88
PID 4896 wrote to memory of 1440	4896	Pghieg32.exe	88
PID 4896 wrote to memory of 1440	4896	Pghieg32.exe	88
PID 1440 wrote to memory of 3200	1440	Pnbbbabh.exe	89
PID 1440 wrote to memory of 3200	1440	Pnbbbabh.exe	89
PID 1440 wrote to memory of 3200	1440	Pnbbbabh.exe	89
PID 3200 wrote to memory of 5044	3200	Pgjfkg32.exe	90
PID 3200 wrote to memory of 5044	3200	Pgjfkg32.exe	90
PID 3200 wrote to memory of 5044	3200	Pgjfkg32.exe	90
PID 5044 wrote to memory of 4596	5044	Pengdk32.exe	91
PID 5044 wrote to memory of 4596	5044	Pengdk32.exe	91
PID 5044 wrote to memory of 4596	5044	Pengdk32.exe	91
PID 4596 wrote to memory of 4332	4596	Pjkombfj.exe	92
PID 4596 wrote to memory of 4332	4596	Pjkombfj.exe	92
PID 4596 wrote to memory of 4332	4596	Pjkombfj.exe	92
PID 4332 wrote to memory of 4748	4332	Peqcjkfp.exe	93
PID 4332 wrote to memory of 4748	4332	Peqcjkfp.exe	93
PID 4332 wrote to memory of 4748	4332	Peqcjkfp.exe	93
PID 4748 wrote to memory of 4556	4748	Pnihcq32.exe	94
PID 4748 wrote to memory of 4556	4748	Pnihcq32.exe	94
PID 4748 wrote to memory of 4556	4748	Pnihcq32.exe	94
PID 4556 wrote to memory of 2248	4556	Qcepkg32.exe	95
PID 4556 wrote to memory of 2248	4556	Qcepkg32.exe	95
PID 4556 wrote to memory of 2248	4556	Qcepkg32.exe	95
PID 2248 wrote to memory of 4076	2248	Qajadlja.exe	96
PID 2248 wrote to memory of 4076	2248	Qajadlja.exe	96
PID 2248 wrote to memory of 4076	2248	Qajadlja.exe	96
PID 4076 wrote to memory of 860	4076	Qgciaf32.exe	97
PID 4076 wrote to memory of 860	4076	Qgciaf32.exe	97
PID 4076 wrote to memory of 860	4076	Qgciaf32.exe	97
PID 860 wrote to memory of 3688	860	Qalnjkgo.exe	98
PID 860 wrote to memory of 3688	860	Qalnjkgo.exe	98
PID 860 wrote to memory of 3688	860	Qalnjkgo.exe	98
PID 3688 wrote to memory of 4344	3688	Alabgd32.exe	99
PID 3688 wrote to memory of 4344	3688	Alabgd32.exe	99
PID 3688 wrote to memory of 4344	3688	Alabgd32.exe	99
PID 4344 wrote to memory of 3812	4344	Aanjpk32.exe	100
PID 4344 wrote to memory of 3812	4344	Aanjpk32.exe	100
PID 4344 wrote to memory of 3812	4344	Aanjpk32.exe	100
PID 3812 wrote to memory of 3080	3812	Aldomc32.exe	101
PID 3812 wrote to memory of 3080	3812	Aldomc32.exe	101
PID 3812 wrote to memory of 3080	3812	Aldomc32.exe	101
PID 3080 wrote to memory of 208	3080	Anbkio32.exe	102

C:\Users\Admin\AppData\Local\Temp\5256205b842157c3ce9ca0407df3afb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5256205b842157c3ce9ca0407df3afb0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SysWOW64\Odbgim32.exe
  C:\Windows\system32\Odbgim32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\Ogaceh32.exe
    C:\Windows\system32\Ogaceh32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\SysWOW64\Ocgdji32.exe
      C:\Windows\system32\Ocgdji32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\SysWOW64\Oqkdcn32.exe
        
        C:\Windows\system32\Oqkdcn32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Windows\SysWOW64\Pcjapi32.exe
        
        C:\Windows\system32\Pcjapi32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Pqnaim32.exe
        
        C:\Windows\system32\Pqnaim32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Pghieg32.exe
        
        C:\Windows\system32\Pghieg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Pnbbbabh.exe
        
        C:\Windows\system32\Pnbbbabh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Pgjfkg32.exe
        
        C:\Windows\system32\Pgjfkg32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Pengdk32.exe
        
        C:\Windows\system32\Pengdk32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Pjkombfj.exe
        
        C:\Windows\system32\Pjkombfj.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Peqcjkfp.exe
        
        C:\Windows\system32\Peqcjkfp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Qcepkg32.exe
        
        C:\Windows\system32\Qcepkg32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Qajadlja.exe
        
        C:\Windows\system32\Qajadlja.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Qgciaf32.exe
        
        C:\Windows\system32\Qgciaf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Qalnjkgo.exe
        
        C:\Windows\system32\Qalnjkgo.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Alabgd32.exe
        
        C:\Windows\system32\Alabgd32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Aanjpk32.exe
        
        C:\Windows\system32\Aanjpk32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Aldomc32.exe
        
        C:\Windows\system32\Aldomc32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Anbkio32.exe
        
        C:\Windows\system32\Anbkio32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Aaqgek32.exe
        
        C:\Windows\system32\Aaqgek32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Aelcfilb.exe
        
        C:\Windows\system32\Aelcfilb.exe
        24⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        26⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        27⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Andgoobc.exe
        
        C:\Windows\system32\Andgoobc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Aacckjaf.exe
        
        C:\Windows\system32\Aacckjaf.exe
        29⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Aeopki32.exe
        
        C:\Windows\system32\Aeopki32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        31⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\Ahmlgd32.exe
        
        C:\Windows\system32\Ahmlgd32.exe
        32⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        33⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Angddopp.exe
        
        C:\Windows\system32\Angddopp.exe
        34⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\Abbpem32.exe
        
        C:\Windows\system32\Abbpem32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Aaepqjpd.exe
        
        C:\Windows\system32\Aaepqjpd.exe
        36⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Aealah32.exe
        
        C:\Windows\system32\Aealah32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        38⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\Alkdnboj.exe
        
        C:\Windows\system32\Alkdnboj.exe
        39⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Ajneip32.exe
        
        C:\Windows\system32\Ajneip32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Aniajnnn.exe
        
        C:\Windows\system32\Aniajnnn.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\Abemjmgg.exe
        
        C:\Windows\system32\Abemjmgg.exe
        42⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Bahmfj32.exe
        
        C:\Windows\system32\Bahmfj32.exe
        43⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Bdfibe32.exe
        
        C:\Windows\system32\Bdfibe32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Bhaebcen.exe
        
        C:\Windows\system32\Bhaebcen.exe
        45⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Blmacb32.exe
        
        C:\Windows\system32\Blmacb32.exe
        46⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Bjpaooda.exe
        
        C:\Windows\system32\Bjpaooda.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Bbgipldd.exe
        
        C:\Windows\system32\Bbgipldd.exe
        48⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Beeflhdh.exe
        
        C:\Windows\system32\Beeflhdh.exe
        50⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        51⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Bhdbhcck.exe
        
        C:\Windows\system32\Bhdbhcck.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        53⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\Bnnjen32.exe
        
        C:\Windows\system32\Bnnjen32.exe
        54⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Bbifelba.exe
        
        C:\Windows\system32\Bbifelba.exe
        55⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\Balfaiil.exe
        
        C:\Windows\system32\Balfaiil.exe
        56⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Cklaknjd.exe
        
        C:\Windows\system32\Cklaknjd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Chpada32.exe
        
        C:\Windows\system32\Chpada32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        59⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        62⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\Dhidjpqc.exe
        
        C:\Windows\system32\Dhidjpqc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1180
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        68⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        69⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        71⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        72⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        73⤵
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        74⤵
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        75⤵
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        76⤵
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2892
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        80⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        81⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        82⤵
        
        PID:776
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:736
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        84⤵
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        85⤵
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        86⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        87⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        88⤵
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        89⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        90⤵
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        91⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        92⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        93⤵
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        94⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2180
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        96⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        97⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        98⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        99⤵
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        100⤵
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4620
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        102⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        103⤵
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        104⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        106⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        107⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        108⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        109⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        110⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        112⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        113⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        116⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        117⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        118⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        121⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        122⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        123⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        125⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        127⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        128⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        130⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        131⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        132⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        134⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        136⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        137⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        138⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        139⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        142⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        143⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        144⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        148⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        149⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        150⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        151⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        152⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        153⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        154⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        155⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        156⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        158⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        159⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        160⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        161⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        162⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        163⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        164⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        165⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        166⤵
        Drops file in System32 directory
        
        PID:6188
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        167⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6268
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        169⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6368
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        171⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        173⤵
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        174⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        175⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        176⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        177⤵
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        178⤵
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        179⤵
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        180⤵
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        181⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        182⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6940
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        184⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        186⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        187⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        188⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        189⤵
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        191⤵
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6388
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        193⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        194⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        195⤵
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        197⤵
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        198⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6884
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6960
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        201⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        203⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        205⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        206⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        207⤵
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        209⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        210⤵
        Drops file in System32 directory
        
        PID:6908
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        211⤵
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        212⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        214⤵
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        215⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6832
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7012
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        219⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        220⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        221⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        222⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        223⤵
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        224⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        225⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        226⤵
        Drops file in System32 directory
        
        PID:7184
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        227⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        228⤵
        Drops file in System32 directory
        
        PID:7304
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        229⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        230⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        231⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7532
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        233⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        234⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        235⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7720
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7764
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7812
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        239⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        240⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        241⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7956
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8004
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        243⤵
        Drops file in System32 directory
        
        PID:8052
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        244⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        245⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        246⤵
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        247⤵
        Modifies registry class
        
        PID:7288
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        248⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        249⤵
        Drops file in System32 directory
        
        PID:7472
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        250⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        251⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        252⤵
        Modifies registry class
        
        PID:7684
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        253⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        254⤵
        Modifies registry class
        
        PID:7828
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        255⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        256⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        257⤵
        Drops file in System32 directory
        
        PID:7992
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        258⤵
        Drops file in System32 directory
        
        PID:8084
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8160
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        260⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        261⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        262⤵
        Modifies registry class
        
        PID:7476
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        263⤵
        Modifies registry class
        
        PID:7600
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        264⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        265⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        266⤵
        Modifies registry class
        
        PID:7932
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        267⤵
        Modifies registry class
        
        PID:8032
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        268⤵
        Drops file in System32 directory
        
        PID:8124
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7208
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7460
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        271⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        272⤵
        Drops file in System32 directory
        
        PID:7820
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        273⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        274⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        275⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        276⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        277⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        278⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        279⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        280⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8096
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        281⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        282⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7296
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        284⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        285⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        286⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        287⤵
        Modifies registry class
        
        PID:8360
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8412
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        289⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        290⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8500
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        291⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        292⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        293⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        294⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8672 -s 400
        295⤵
        Program crash
        
        PID:8788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8672 -ip 8672
1⤵
PID:8736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aacckjaf.exe

Filesize
359KB

MD5
399daf21d497bbf400567c5f97e5f656

SHA1
21a72e1d91062290071c8b8ee1260dd506a81924

SHA256
f1475a7cb1e65e2226422aa538a43c82f9ba1be0ac07535a8f9ff8d82ff05ba6

SHA512
cb5d37c2ab88ef9e5a570fa0d76073c88e36322db194e3d800cf13ffe004c70706f8a03f3905a08cf805ad1e9be7d01121afdc90fcee5448e2366857d4957e0c

Download Submit
C:\Windows\SysWOW64\Aanjpk32.exe

Filesize
359KB

MD5
8a4435d937158262dd4be2b04ccee4e0

SHA1
261a647510742a0540b72c94bbf8e6979b076264

SHA256
42ff7b526ee9befe466499d5b24576bf99f85b234bdfb325d705d8cf3319464b

SHA512
ef23725114e1532561ac0e1b96c94bd60d535ef16cd65f845fc092b5e60c19584c99c58dae7def41e3ec39077925efb12f8bf1a840f7699a3304775909162df7

Download Submit
C:\Windows\SysWOW64\Aaqgek32.exe

Filesize
359KB

MD5
7cd507ee352dc64ef440035dc4bdf655

SHA1
7a568b7424e8ee7b116e3a6816de185bea53d2bd

SHA256
8465d6a4ee16188fbf599fdf929e936f0127374587c971bee3b08ed17a3c7365

SHA512
a93ab3b6655a446b3e1c6a1c343f58af0ac218450d85295764ca3d2722dd83f3e1551a49a2ecb0a47f479076f6ffc0d16e63b5ab807a7faeaeb31749ce6efbe8

Download Submit
C:\Windows\SysWOW64\Acocaf32.exe

Filesize
359KB

MD5
056b4fec42e06fca945b2f66e466956e

SHA1
7e9e75667006d51bd1869495c6466b732659774a

SHA256
4ec25f8bcf5a5d09be22bdc09a2806f2a98c44fe959e02cd89a9b857810b3f64

SHA512
f925ef829c45c13f5e215397783dd245d5a2b70bd95156f7c8f2d343a1c74e74329799dd36761b3cc66c0ab48361f82cb32508c58bd143dc7cd573d759463f66

Download Submit
C:\Windows\SysWOW64\Adapgfqj.exe

Filesize
359KB

MD5
ca32647f62c7a633dc9a69a4f0544dda

SHA1
55188dfbf7ed004761e2b77a7999857674915048

SHA256
1d522ed5b061e261edad0c255dfb018cfcc45773e6097bc3ee6dcb8cc3a92d12

SHA512
ba5a68f8490c4b028998d708860ec0a6d5ec0065eb4111bff00787dff198059fb87a39690d274f6dcd060697e4810f89c84670e3f6049ef71b80db6d2b6b7b7e

Download Submit
C:\Windows\SysWOW64\Aelcfilb.exe

Filesize
359KB

MD5
52939547369e2bc1c3395d89a7d7ad61

SHA1
ab8e0e780e294db54e910d794fd3e22b53fea0c9

SHA256
2e22e5c8200f3b7b2f1209ab44285074495674cd95502fc4f40272e2e7ad84d2

SHA512
93a9b09aaf8fff6181e432dd34093239578bde11b7a666d85f01be516e3bac53216c9e0e7b0e2dfb6413219d9bcd2a5e1a6498ab97aa1362d0f1ed64b0316193

Download Submit
C:\Windows\SysWOW64\Aeopki32.exe

Filesize
359KB

MD5
83e35e4e078dc32bb98d0f6180e69084

SHA1
258b81fd398309151d8205db67142cb05157781d

SHA256
ecc913e67dbe7b9e1534835912277fbb3eabf65e861fd3a67ddef688e9abdd38

SHA512
db1f603e5892a355647057dd2904e5cb7f64eb267fcce63f9769dcd29f7b1a3d38a9e7156da06339f6ef8555d95d2b986dd154e5f0766c40c869eae10d32269a

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
359KB

MD5
84773f715ce62c1c21d56f068d4cd0ea

SHA1
a3a966334a20d8378b46c6d1ba539eebac3e2f85

SHA256
58178b974a9cce5100ad70f4a694e1013fb072a09b8ec863abde395f5c9ea05b

SHA512
9dc8be977fd6be0774fe0fa5a17e5fc19dabbf26b819c202d91da1a652f116507dcd53da4bc5bd1a60e764edf2eb2ca5e00d1dacb641458db512cb6d0d70b1d1

Download Submit
C:\Windows\SysWOW64\Ahmlgd32.exe

Filesize
359KB

MD5
1ac9b1cb5913331e83303fb7d9379819

SHA1
fd3cf327d84e47a36566125cee34d0c5531c66c4

SHA256
d36882c8b3777edc6b5daeabedd5fed3397c684add9b50bc6ded9c6e7de776bb

SHA512
15a66801276c0ca930ef74baef35d7e7c12856af42a940de857547da14e24705077f446841b3fe7b977e81961f61b86aab95c03307b4517ff10a622a39dc8a12

Download Submit
C:\Windows\SysWOW64\Ajiknpjj.exe

Filesize
359KB

MD5
1633f891c5716a1bf2062d5ef661b984

SHA1
a1ecb9b09165062a0732209eeb62402eb884f2fa

SHA256
c954441dbac8c245bbdf08f39d7ed7aa498c2e019494d088d37a335c81b839ca

SHA512
0c0fd33649bb4263a4ef289640f74e8d77dcc8fa3e05cf0f5046531ed3d639e033375dd1cb1436379a5a8b18a8eccc8b89c3fa0abed792a01b75b7d219483318

Download Submit
C:\Windows\SysWOW64\Ajkhdp32.exe

Filesize
359KB

MD5
1842859de09ddc1eec99f3555b19eebb

SHA1
0c09a2cf4feab27ded6c19fb1255d453c8f9e5ea

SHA256
5b4f6fb3ff7d0f4178fbeb183146a72d3510b1fd17333c83852409152fdc9eb7

SHA512
88cc4eda80ba67bae4299625593916727cf7b2f9d7042dc9a5feb6386435bb0be67cde9140df67dfd3435ec6a5a16bd1e5bd7cca3810af024b2461cce97ac2cc

Download Submit
C:\Windows\SysWOW64\Alabgd32.exe

Filesize
359KB

MD5
67f82ca58bd335b31eea2999a70c7d10

SHA1
23c389eb632bae3ca6e28caca01eeab6ee644bd0

SHA256
7add88ef7aaa5f5797df893a22ec0f546ceddb062bb033bc3401676bdd4243c9

SHA512
20e1b680c31aa4f4c448cc1549cc12f2eced37e60de5e4472710751a75afb3e567fa8fd9a7a9126c1fff1982ecdecf5de676dc0afb66c2abdf11455a84e23e03

Download Submit
C:\Windows\SysWOW64\Aldomc32.exe

Filesize
359KB

MD5
e2508eca7c014b67886d5c96a3666af7

SHA1
8f621b81aec395bcdebcb8e33f7c312da331921b

SHA256
3b8971a5039823d1c3d519ae911d0fe010881cbd8d0b5197ae9c76a4fc33cedd

SHA512
e84189c67eeb7e5fcef10db1b37f61eec1e66e9f6b78e78a98d5c60d5d8e045344257c9b78e93b7df0480f200c588647e3204c663c814a16a5c5190627363e02

Download Submit
C:\Windows\SysWOW64\Alfkbc32.exe

Filesize
359KB

MD5
320ce019bab55218d80fa370294982aa

SHA1
7e5615be0317f835298e2fcf65e92682e02cc971

SHA256
089914704c0f8bcda04af7215c75686322d7b8ca117413ecade9e204e0706c76

SHA512
c53e729e7777e0679f89dd044bcf54af2e19ab214fe8f64ba7e2709dba123987ef7901806d81fd30601c8c44df1d8f2fb32681346eb1481474eb9bdde88b6014

Download Submit
C:\Windows\SysWOW64\Anbkio32.exe

Filesize
359KB

MD5
a6e0f7e104834327cc64bef776b857b3

SHA1
69ee909d1397dd23daf2ad37bb3db97e30e4ceba

SHA256
bf07ab5f70f9fd0c1ad360f745449b9cbf4a07c449cca3faaadc2b0fad2f5e70

SHA512
2e799e32bc0e3441a3772d5a358c3f39f7cc228451923533bbf8a33780165ff5eea612311d1dc0b1ee9edfdd30b235560b84f968d2397c1ac2d3144cc99a893b

Download Submit
C:\Windows\SysWOW64\Andgoobc.exe

Filesize
359KB

MD5
2151a549b677bb040d1c3e162b72d221

SHA1
9964960de473980c34e3588b126c21c7789dccdc

SHA256
14b16f3cb7d2f97fc314a89069c3b8fb6990cb9e644c25536888f4b2e33406a3

SHA512
7f610af8d49cfdd59e60b03ab21e6fbf7fe465754c54594a524b2244443021677af3fe6eb73cb5cbb91e45cd2be7abd4571a1219a1447c2d2e7fd8620274675a

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
359KB

MD5
283ac8aa8a87abd0e7d649103208f1a3

SHA1
824f1901d34878e1d0daffcb769d2637ed621b4e

SHA256
ab90e3e5387e476c954edecb618ffe592eefefeaf1de8c8774cc63f28a858db6

SHA512
f2d96c21ab0177843d5e6519286e4761c5bf78d4129ee40c95f492cf0798a9810da7f92fdfd581e996f87d5b204638748effe0c8f29dda982112dcf7d4f9ad53

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
359KB

MD5
bed2197bf51d1a5529b5d106bd26f691

SHA1
d00296a9295803095ef752c7f7d1fcf2fd005013

SHA256
060af7167c02119715dbd151e46b5d727932a158a2a2f6bffe330fadb995e7ae

SHA512
92c5ac2508c4b82723a9350d32351bed58eddc0a241ab9c883d68b2456d6b80ce61655822498b9f33c4161b22b2b7be3a87525ce4912d118123c52aa8f07134f

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
359KB

MD5
fe3caaa400e966213e45c92498872ff5

SHA1
56c2ddb2126527e7a5e6b4dfe6fd38979a554c27

SHA256
0b9e6e7473eb6fed5d7001fb24d014cedd6f1d1cab85b0fc392471601942efa3

SHA512
2e556c520ecca8ae3bb4d2219b81860089d3ad003fb65870dfe8c350ccfb29b63694ac07c33fd0262e376a8d61219f6152d0c9ee60e54adb47762e4d3efcf659

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
359KB

MD5
dbc8709f2a2b2c7dadf558d2e770bae2

SHA1
751fd4db21b12e1048303855c9e7feee202ead69

SHA256
27bcc967dc191217f245cb3b4c4c97967d49c371421867167a42999a23f31caa

SHA512
154ab14cdbfcabc17b0da1543ddb10ea2a007caef53a90c376fb07f0ec7bd95ab1c73b19baa2d64da4ab10b12ced2a3be409103bfdb7427de9774256c01b405d

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
359KB

MD5
b1fa970e91442fcfa5378316d84f65f2

SHA1
8d1c13dd6c356930969b31a700f2ffa86555c97a

SHA256
9428d710994f4d2f261cd6515a4127a11e153e8dbe9a3515832b92afb4040132

SHA512
43fc38fb010fab28ca732e3ee0b43de7221b988f856d2732a25e322f909ca31783cf3094555d2c11f470b1cedac7c511ed55bf2d7fad03ef4b19a9e6c2b1f134

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
359KB

MD5
7a2bbd6d7802e24cc79fb979acd9719e

SHA1
910b3987c5643ae064a82d2ade0b52cd1820389d

SHA256
a2a61e89ee81fd9cb9766b1103b07fd7a48fd9adb65ec932bdf6ca41880e6d9a

SHA512
5fa2c26f44acb32ef4836f6c63452e6e641ce14ccc1d6151911acc5d018bdcc11be2844b1576699ed7841f0844b0bd457434611c86b2d0370b32a1bd047e10f0

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
359KB

MD5
4022272cc5d591381df8dc8d674743dd

SHA1
da1eeb2e23b58737658adb08a1a9435df27ddae9

SHA256
c57db06ac5bba8ce78e115b27177a158082dd0e192b61658c1ba7b8a794ae551

SHA512
ab34338a122e0d9bf84e412c9ea1b0a6b15878f7b27541baab5401d731bf4dbe5a48e5fc359cdaff3ef5451cd3c5516cb1bd384d0e12e058c3407c6a93da8742

Download Submit
C:\Windows\SysWOW64\Chpada32.exe

Filesize
359KB

MD5
164fef17478be904c3d53c685c713c0f

SHA1
98128f74695d516eba610a5d3a4897a7c2cea0fa

SHA256
8898454f9fe4ecadc4a4863c4a81488c63c9ce8415accd302ed2b92411f2c5fe

SHA512
82d9796a70d80ad3254d6ba8ca45dc4fa615fdceeffa7fffc6bd2970c464f2eaed2dfcdc087cc01170257982e33bef499fad78f0970d533a01a7044d784fb556

Download Submit
C:\Windows\SysWOW64\Cklaknjd.exe

Filesize
359KB

MD5
4c93a600b3360a5da82c015fff0cdc14

SHA1
d7d27c858f3cc2bf14c74ac8e7c4541f526ac3e6

SHA256
9bba3130079cdd90aaef708ef19ee7a67d33336749c62496a6fa5a8a25d74220

SHA512
4ee110e34d72c3289c8eaee59908ba8e51fd7fc14b27d1f60a186d2bcc28eaa0f6f0da44a3fe3e2412b13540bb74abbae4a5aefbc4070d90111b22318e7e76e3

Download Submit
C:\Windows\SysWOW64\Conclk32.exe

Filesize
359KB

MD5
1b7aea784f5d2aac522236663cc36e6c

SHA1
eae69607a02f0e97b44c7504b15150f0df686f55

SHA256
f5b7bffde960686c5ff96f4f0696e3733a4049a985d1594ca79d351d7ca7e7ab

SHA512
2d7d9cf0d3b4cbdca28bf42e345021727392a426f73556144a04cd34b07302dcf14fb3a120f3c4041dda99cd17e7f20562a6a55e65a6487aa691a227e4ff1cec

Download Submit
C:\Windows\SysWOW64\Dddojq32.exe

Filesize
359KB

MD5
5f1df85d9e67f4a75eb6164f541c2b68

SHA1
b59083ab67af9cb8b698e830daf997965da1cdbb

SHA256
efee893106b70450f9a0299012196e58daea628cbba7c8b65e7575d2d84a0aed

SHA512
3e78cd9e8170acc4a8f47ffb1d533d1586357046fc49b67b4674e9df1a7ae1d7879e903bf6a192868193c6c9ee4295a266c51a54dce3cfe21c7b3401f10caa70

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
359KB

MD5
2f8e4cf1d06ac18caf7abcf4ae294858

SHA1
eab380d08288b5fc0232ec10d22c0723eb3defe4

SHA256
ed31039000788ddb5b9d02de453a8b37bdd0f9c3216bf254a4eee8ef75f6d493

SHA512
635a4f498ec345e6fe056a83e06ec49b972d0370777b3a97603da9e4dd13e6e47eca414734448aee6e2d70179b9e805a7750964584f2d3d5a488ae285ae0d246

Download Submit
C:\Windows\SysWOW64\Dhidjpqc.exe

Filesize
359KB

MD5
9f28dc2f49461e921fdf1ff2da9371f6

SHA1
1b73d865dda5230b011fbae5e10ca1efaf7cc4cd

SHA256
0581d7520c08f61fc4b992230b7f2eabaded755058a077f1c113348f05f0a2f2

SHA512
7cbd77e910c03350c1f3c6f10a94805b3afe5b1355a9e27d589658f792169ecefb4e172287f3d7c8b24b0357890a329e608fde8500871b317ac8d2b7dba7d74c

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
359KB

MD5
9d460170d134a932adebbca39ecbb6fd

SHA1
2fa57c3e455db52bf4d7e45d652bd87b0e19f116

SHA256
8b9018eece1805eb86fc0f953d8791f8307f69fe6a76b1b991a6d25df9c0263b

SHA512
7a67d3eb55a889303db129bfdd780f4223ec6ec42b3a8b861d797cc82ed09dc84b9ee5ca91d33a0c483595fbc5d3fec3afc506c10d79216f3090cdd1747cdfba

Download Submit
C:\Windows\SysWOW64\Dojcgi32.exe

Filesize
359KB

MD5
6ab0fcb62bfecddfab0c5b25dc30ca6c

SHA1
3670810c5732cb1790d3b8d86164422e20ed9056

SHA256
dfbe54a26178519248b950d3370f2fe7bd2e11e739c9d87baf35a019ac5c2825

SHA512
1a5ce9d56984ec8942f3bc0f453c89da2a524f0fc603875e1b2e732a18b2a7e848b62349a732166eef4ab35265dcb1a827e0f39931f8683cebca0a0bf0a08fc1

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
359KB

MD5
d7725b5d7f062e8b61a4d2f7dad0a4ab

SHA1
03b008024e079abd24f1e42f078e97c749229000

SHA256
3c68bfee6f2251203060515790da4a3d59189051461866da40216df96cfb7172

SHA512
d34bd15380f3b258438ed2e33f079b28c6349f16a13dc7e63585a6f58fc468a2578ad9a2f86253132ddbb376074daea28b7dd8af8bfc3983896a7086d7044b43

Download Submit
C:\Windows\SysWOW64\Eaklidoi.exe

Filesize
359KB

MD5
65235eccdd435389436be232d1eae1ea

SHA1
f045dcc15e8dd530f10961b74526798d453a00fe

SHA256
a311adbbceddbd818cb3529c3c605922401bf24edd65bdc4c77494477c9611fe

SHA512
98fd53715c6bab019efbaced31b06ba7892197950d89267ded9b8ab7ca4c126af840d81cb1b7d9fc4ae31fb19c7d3862cb39ace9aa4be30e762737c038f0d371

Download Submit
C:\Windows\SysWOW64\Edpnfo32.exe

Filesize
359KB

MD5
141f3fb1f1bdf781a0d4f88229d117b0

SHA1
d7e9b7b51c94cf6bf38a84d6a2d7356ffd704818

SHA256
a8f7a0f1eebae21b2f2ba802de56b34514d764b6e0dc45b09703b2fa51452367

SHA512
e2686e84d0e0dcbefefdec43c38a9007e30601550756f4ed6ba5f6d6bf489d29af66707077d856c77e4fde408db35ff5d804e672674d68b67a3e50720b4cfa73

Download Submit
C:\Windows\SysWOW64\Elbmlmml.exe

Filesize
359KB

MD5
45f019351ee7542556758bfbd6ccda45

SHA1
df1ffb9897fc207561fd6b92e28a2d75869afe7f

SHA256
3d5719f4a29c33dfb5cfadbb6a9806d5881c27c3e9c3b1a0353f32f068980b92

SHA512
e128566b21d525e05739d0c88bc968abbae75a5a4744ad62b6669be04b8e52399426ccb4e0d88a4a477bd247655df9f1061f88a4d6f180ec4c3709cb450e7d75

Download Submit
C:\Windows\SysWOW64\Fdegandp.exe

Filesize
359KB

MD5
9cfd83018e8731ea724c0cec620b4d90

SHA1
c2f1ff00330e384cfc67041cbbd8fa2f8e52a276

SHA256
78c3bc56006c881c45dc52b3510753ef1b8dadbef1bf8daa3317c013b95b8142

SHA512
2ea39e09d773eb836130250045f467765a54463a1ea55f221835f6a837c814f9e0bb7da31f31815428abf0fea44364541d43d0b64e913d2bb839b6c122a83609

Download Submit
C:\Windows\SysWOW64\Fhemmlhc.exe

Filesize
359KB

MD5
4550d91c11f206087e84a1d67b5b584d

SHA1
436d54ebd91b084fbaadb99673a0d9cf4b671077

SHA256
39481968a62cc285f44d1a7614fac46d81ce12b67d37d1cf278562c161799a31

SHA512
da0e19555de75b09a6cf5f2b2a7d18a4d96ea621fcd4fff4972ef83d810d48b707bd2dd19b030d48ee20227d4ebb7ee815a535f7f6a0e0c4ba7299ba036116ab

Download Submit
C:\Windows\SysWOW64\Hbeqmoji.exe

Filesize
359KB

MD5
c36b2467be5f6270d0a5d1e7a6a08c06

SHA1
29917178da9e41f9a36264468b04ad9f5ea93452

SHA256
83096d0df2a3c84c2ca8c3f16c36d389b6fbe51d3cf9db3b7a3bcbbecf0bd348

SHA512
35b34f6e0519fb82d93e0e60ef24c4a806e755ed8d73f35b3ccf92dfc073d8e498ddf61163855ad33f396f44c52eca3b82b44bee51b88c22a42f1b41d074546d

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
359KB

MD5
d001df94c92499750d8216038b3242f8

SHA1
6fd9ee4ca40b9d5328104e90e2d585d742338314

SHA256
c460f9a38fce2728aa7b33a3c6d32255d4853a73ec79d404d098d00b805dd471

SHA512
0692037cdcc34857faa3309b094bb658e2277484c3a6a40a835cbca53cc0a340b24a9690e0ca6e00fd3de237a789d5e7beabe5e6471a0617e9328eb0ee01305c

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
359KB

MD5
c70aeefb69b1fbc7a0b443caacf03294

SHA1
0db9bc8af0f591bfe44bc71be01e95db27fad5f0

SHA256
dca7facc0c07e83b8ec1529b77c78cbb83b90059a8ed300d39df589aec37b11b

SHA512
b2fc2047dcec49ecc3cbdc8aa0e7521330f2558daa8f09f122a3ab1acfe8c8b491e20681da4c21ecf2dff9141d90a510a2f4961870d7434e0fb57eb377d78777

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
359KB

MD5
3920097b1766d46f7af5d91f06269074

SHA1
e6836304994888397c66073bfb9051319e168984

SHA256
49911fe402cc06b85a69891e152f15ab7fdce2201625a00880e650a5b64fbe05

SHA512
787f418fd9436f9713b410b107574a5e7c05210bbaa575cba8599c68b85c5ab5d5eea9be3d498e504e5022b1b73c65eaf3160b5a06e2cc413127c8862858e8ca

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
359KB

MD5
135e566ffd4c1a44b8e567fd061d3057

SHA1
6b3a11c1397e28fdbc8e22dfd712265d0162afdc

SHA256
c454d61cf9e77e1b43737a1748924abc3528fff3a5e58fa28754fad57fbecfe3

SHA512
dd7c063a7e57bcf50f6bf80a8b5c1c529df8ffd362585c7125720e03411718a3f0d859e56fbd9db0ebe20f820bdb9130ab663623388401a388a299ad4d201cd2

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
359KB

MD5
7f58a76e3d3602bd79956eb0a9cc08dd

SHA1
03347db0eba79379ad71ed8140d61fa31e146bf1

SHA256
5e246cd8a1a044ca01bdaa0cf55518467d6f130f8415ae6b81d5815ca9c5eb8b

SHA512
19b19830ddf450e7eac1a6f42abfaa32dce186aa22364bdf40e1c62be6a50a0b7dcd9b732d70ad706162942288830ef3fbec6d12c88db3cd96abbcebebbee1ee

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
359KB

MD5
fbd5ca3d519baf6ec6039890b27cae20

SHA1
970be0f474d2933ab559071a8836712870912dd4

SHA256
ad692348e10f91aa4307afbc98bfa6c3dadca70f3bf1a18470556144ee4dc2c4

SHA512
7320fd5f41d054315d09f956a999dd03ce003b3381e7f62de908fae529b919e7471e6668584750b74a334cd8e0e3d7b08624b6154d928ac3ede3306ef83efe04

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
359KB

MD5
1341a78affa836e40049ce1be096a24f

SHA1
ba69ad2e54a0c9e7ac8b1fb53e88ba4453045713

SHA256
376e52135581f9c30dfd4b186ff4fd9bb9cea8409ca3809a08f1fc04d084d2bc

SHA512
db3d7e840814d138942ca01ab54c9afda7752e0eac33291809b0743e97ecac7db574eee500cddd32e0e0d1788f84861d1e813ae8586dd8a312cc01d3b1381b7c

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
359KB

MD5
c7db9020a5a19927d1caaf70d4c1c0c1

SHA1
316b7dd6edfde6fd9608571c37b951209df1c9bd

SHA256
bb364611c0d566c400d355cb048d67cff1a0d7aa15fdabfca84fbc842dbde76e

SHA512
21131a9ac4cec05993c09c1ef463ae9732a2742c452fa320753bbadf0b91f4cec9756698848727df8867a798f1c534fb1627af31f51bc4f85cce569b47e12799

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
359KB

MD5
046ae1527e769710de958cc7763e78c5

SHA1
ef6be92842e0e8b80393fd1f29ce3f9650fc3a74

SHA256
9054ce6c46f049915323d5586b8b42660258440625c754b410d66304979d5c71

SHA512
beec4b776113b44681a1f8a69684e831ca96b00c8e2ce9f0c894af740fbeeded0c2d03db629e7216d797b9afec9ebe27aeb04a2580fb37c3a929c1ce3b3ed3ff

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
359KB

MD5
6385091539822acdb0dbaf8f7b701fb8

SHA1
62d7682ecfd6d41cf412d1106ec97fd34fd373b1

SHA256
523a03613436cacb1b84a1eb0c2c9268ca913b1d9ffbf106af337ccf83172e98

SHA512
0b8ffc336e52099ab30d6d48ff079e1cef23462828eef8a66559a04854023dcfcd37606b187e6bb5679d37e8d6dd7666201605529f47f85ea2aa9a196826d9ca

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
359KB

MD5
2675eb76be26969ac2a8149bae2caaf8

SHA1
31c60a589108a37824f58eb9635ad2b8bf44caea

SHA256
447635834aa2c05164e7e3ea4bccf1d2771d11e8bcd279a2958bc079a0b77b89

SHA512
c671f3b49204a6453f9a017112342246b4367c09668681b895981903fe486f7a3becd42ca56eb94eff2e2d56ade0760ea350c00cae5adc6a0b8c502ecb6e93c7

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
359KB

MD5
7ea94c8bb1edf6e212822090f302f1fa

SHA1
caaa1ab1bf402a50b7e313c881d8a89601e04e5b

SHA256
18b3d2b170e3890b5f1bd3b6b74127701d402992628804a970d672dfa7e17d3e

SHA512
e025622970a8534737190dfe8233b485fb12578bf87c5fdc3e6a9c3be74a2a09792c17a1a3fa942a222197d348755fff1e2bddd3b056ed98b723a964db58d18d

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
359KB

MD5
78654d3b02305898062a917551b1af02

SHA1
a24fafa2f3c68e43a1e136241a1dcecf01027078

SHA256
7c14dbb5bfd0847411cd8525f6a223ea6ab025d514c2b545d8bb0d8794dd6565

SHA512
c902d3c5b050f2216e7c57999343723e64549b0041494512b43c9052e4e9152f48fafe8d087f934724f802a38668609b03b638aac87eb8adeed0f1d48b556b0e

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
359KB

MD5
fca268d3cee71f5e6b80de23476f4485

SHA1
2e0ef59e872798b3a7c891af7f7a77b1cad2c749

SHA256
e4dba3fbf9839e4fc61b265fa8c2072295fc4897039580dd1db1305192e1b751

SHA512
8460ddf18f6821674d58cf40947e91924eac2d3345b247d8ee119b7ab5eb02bb64e95d675208686fbd72a9acb7baf24b7b573ea521293ef5c5068d78740a05d0

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
359KB

MD5
d8b4ebafc265c3d32ce4d3ab86b7f3fa

SHA1
8dcb6e7ae75b6e3322d5dfd1f5bb4a258ffcc5c2

SHA256
ea657b9027e856f288e82dcf7075199c0c6731b87b339d57a504cc7659e849a5

SHA512
64d2a8a67e1dc8e8062f4ffd38552d044f42b7c39d51b6ecdf1724dc3fc1cbe0dfafb6c5d4c11153b0b55f2e76ac79a422028e048e36df3cd8e06c32c53fe778

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
359KB

MD5
4a3688b41f245a60ac69b33897ec9a87

SHA1
f456dabb682f59c1b1d8d94ae797b5980e9c1b13

SHA256
efa0dc73e28b57f3b809abf4500e26fc327a60bce22202b83ba6cb7a805d3767

SHA512
0113d9ffd0311408e97c552788187531a64ed80a553830d61d69613895cd8c2d2b1a76c1de3b3a41aa7127136c8fb94327d0951640c8f2b95007515db9a549c7

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
359KB

MD5
bc57b578de6c7db9cb95421b79973cbf

SHA1
9f058f98df6066d87a34cfdd7612e1201f258bf5

SHA256
40aa09f53dfd6f86accd39279eb8f46a90b7e0717d2e9efde0e8a2dcae477395

SHA512
f21fb86dc6ebff6811db73ff42d4387037e91bd710bb8d45605c9d5a98f1f61d65c7bfb8997f45c16251046a7fbb7f24de67119467027738526803b6a0829465

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
359KB

MD5
97a92cbdc04f9505066b2ff132b486e1

SHA1
4173c94a95ee8bb52ec28cf532c8d6a6edead360

SHA256
a31462e5e552f6d14d9165249a13ed1bd4e3f1550a1560fffa72bcbc57f835fb

SHA512
a70c52784031a18c5c454e928c28aca063508dbdc64d84b68203713f609e7d30acc5fac324c6db7488401da36cc1dd0343a1ddf2031ea303a418b7a0829b21e2

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
359KB

MD5
9c40ecb78f3eccaab2ee53ba9959c7bb

SHA1
9e75a6a016de6b267c2381871f7e31fed6f0c82c

SHA256
f752c8b49f4948f77e45ed2fcaf021a8649e9c2ed3e4c7d1f9ea13e14682f184

SHA512
aabc493147b0dfca2c38598f8fe2ef25403e37b8177060b24f8d7eb01cc1b6160514a774c3d68c0f39f416306df8a46cc8583cfce406f93565790f8ffb789524

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
359KB

MD5
a69dcbbaf3ccc52559b69acb099ed4ec

SHA1
da356a7d7d5541301d4ca017b4980d63947fe7e4

SHA256
3b7ff023a56d589d68711227ec6dfc0398dac8f3dfc17d759e318e9125919a80

SHA512
b98ca35db95bebc07fb39c53e917646aee427fe187ff6e31ed78282877e6d5794159b5d417eabdf88c409cdf3d5656d3aecc3326bb28c208a9fc40aeb1ee6e1c

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
359KB

MD5
1273c386be9013b1efc4e93a4544204f

SHA1
6c7f7971baccb854f29b311b173c59e23c3ee6ce

SHA256
48f870fd71cf82a23041f88984dd84463e8e333cc6cf27908952e6b3e9a490c8

SHA512
eb3f9ed39bf2ed46b1f0d648aa53f0ee76efbc303bc6b137138b42114c1b60022e57d1ca9afb099fc5b3cc800b82134efb2e77c5b07992a4648f6e171e087bb1

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
359KB

MD5
3f160485a6f570495b9e4266cd2799ad

SHA1
c61e214687b2bca04db01919e5faf455bcd1ff52

SHA256
82610e1edb7b5302e8838cc9510eaa02e9f444bb45b4ec766711ebae8c5d131e

SHA512
da6e0742d4d63e01377ac7c7850b287fe4d266839c830f57f8a5a1389af82afd681d47c244d5f3a9967a35d4532d28bba39308fc51e7a85b7ffe6cbf147f18f2

Download Submit
C:\Windows\SysWOW64\Ocgdji32.exe

Filesize
359KB

MD5
e0bd29cb3dd700b4e2ed589d1bf45470

SHA1
c8bb578a6d321ee7838f8f48d689257b157d2c5e

SHA256
6664e2cb709fe5343ea2ba7731d95f7ea81e12fecf43d30d6e85641ac4763a65

SHA512
415fe13cb0db60db1c9e2c93a0e280a1602f97559351349adff6cfb12dc7967b2f19d78a5a3f9eacc0cd2af2f184032094f092b071b6d7f7c2b6bd0dbaffec01

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
359KB

MD5
216d3e90ef1ce978513dd4844f841748

SHA1
ee978088f3a3a1b2ce5a33e14531047e8e9d0736

SHA256
189ad8e99c586e01c7b3bfecc06d41b020a5810694a80818c7a1931cbbb4d956

SHA512
a2825a698eb812d077011e681178f0d8cb52c6ab5cba5b95fb918ab703bfe896960267b264bcc3f78c7a2fda64c4a0b9066dc2bcb5c380dcdeb98932679165c4

Download Submit
C:\Windows\SysWOW64\Odbgim32.exe

Filesize
359KB

MD5
73917e5b285c2f078bf5ff334893b99a

SHA1
a13b66b7fdc8818d1b65f61271377f55fd144975

SHA256
8f8b46f0465efff271275fe257169fd996042aa3cc182992e78068ca8c1c30d0

SHA512
24776f0c260be4faefcb701d61d05cff5c87a6916a44e63bce06bd7f9896652c2d4c7ffb0f6131bd3e7b7f1346a4da515d6a66307ea716f915622fb9c4a43d60

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
359KB

MD5
cc5f8fc72bff79b22fc8a135c1716f00

SHA1
91f505bf6223db0714f3f627f66da02f4dc263c1

SHA256
3534d810258ebacf0f89121e120fd728ef75d99293ccfd8de5ce9e07f52e106a

SHA512
ae3f1b394f6d01d022b172e00bd27e48dfd73b1690f4bb89ee853a29f5dcfa87a48cb0e1b08fc53e4dc1b0a555b97e99d039340149d667aae4dfb3132a3fe3e9

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
359KB

MD5
212eac5e80317ee9e4ff7cc22f204e95

SHA1
1ccdd38c06a506f98f4539ec02cff3471fc1bfce

SHA256
2f827980f0f1b2915534f3e8c4bd058af2a2a5e1b1954932767fe3186fd810ad

SHA512
e183056ef9a8789ce97698fe737aed0587bc47037d7cb10e482572e82dba213529dfdc56a60377e69f38eab224b6d46199e29257d63c4db6d7755e129bf31be7

Download Submit
C:\Windows\SysWOW64\Ogaceh32.exe

Filesize
359KB

MD5
c34175fb02f164f130ad775f4969274e

SHA1
3b59fa55abc56c1561b5fd64ca9880263bfa0e6f

SHA256
c4beb99c747cc82621dac08581b6a51a020ab9f5139a9328d8bfd60f9c99cf90

SHA512
72b6ae31f8bca341f182fbb5f4fbd8d0ebb5c4c1678ad8ab8713000c1809479ae2b3270ef27b83c774ceb3b2442783328302293f8937ce232f2a052edf9d8f22

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
359KB

MD5
56f14cd8df807b2a466a080608959c68

SHA1
3faae113197592f94deae8835ff741f7bf0537ed

SHA256
2e83f15e1482203ec09259537d56c6d7c4619568c91317870652e3fab599efc2

SHA512
72aef5675ff4d9d18183a9af0b92a58d01d28814afafe7a44b6192ffe983c944ca3eb59808c02a6998776cd1cda6f618698bbdcdf0bdb9c2a3e9b01f1a2f9557

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
359KB

MD5
39598a4d58ddf95a2a8a46b27d1892dc

SHA1
82f777490fc6241af30cd0535caad9b068827158

SHA256
4e76a2a33175d4f2d1903f322625b037e31386df7ba8899078909f30d6c49e4b

SHA512
8f4cef96876e364e29ceb4f96398a04f8ee3c6e2f5dd692ed80d41ed9f711992ca5e463333d07b05034dfee47979a90d583d3a2af001c4f07daeeb56d44daa28

Download Submit
C:\Windows\SysWOW64\Oqkdcn32.exe

Filesize
359KB

MD5
f37374dc0224da825e5acf67dc928cb0

SHA1
8538e5cbc155cd2135d0b62389848bdcf874f235

SHA256
3dfe261e6db7bf088cac9dbacce620ed9cafa91c0f0854ec3dcaaa6194b497a4

SHA512
263178e4700da6f349c8045eb6e6834c084624a557d0f5349914de44dc0bdf93583a73def50d971dca9e158a8885a414f18280d8a02f55fdfde2b24dc6dcafe1

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
359KB

MD5
1527ae02ddf505d839d7d4fe1dfb849a

SHA1
7a2f1090a32943c4ae181f8cff6f7541856af0ab

SHA256
39d6e786b190b47b7504ef090dc9792581406f1320b526443fc45ba1cce4f782

SHA512
6ea6076e98db3d5253ea549df80b76af2ffd9dfe130c5ec75b47b0fbe9787613afbb0ba7cc2452dd903190a11ada03a0d1de4cdecf1529a9a716b4431625c867

Download Submit
C:\Windows\SysWOW64\Pcjapi32.exe

Filesize
359KB

MD5
7fdf7de63bf96e6c804e90c61e23dbd3

SHA1
2a8372892240c7885edf3194364869d60c5c7921

SHA256
c9c12f4dec2eb02e35d31e25d53c919e65ba5078392134bd7ac7e42eb576343d

SHA512
a056815d2d72132b1ba985d561272ca1f46861b5fd3bc4388ca8d7757031c3035e524990144a4c0a3b5ebb7d915eca788ef849b3e14a3b3d49fca80422438e97

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
359KB

MD5
a604077081748f3e4e6f745386b299c3

SHA1
89b0d08905f184931080bf711829bb571cd09b96

SHA256
77ad35eef5c781434a44b7dce560c5dd8d00f07fe7f9703966e4760f0c2fedbe

SHA512
fde736144f073fd5cbf57089fac2cf4f9c22767346d72dd7812689c827681b5b75d689bc819002631069f9d2108b8f65633cb9ded2a5001f22ef6e519eb80e6d

Download Submit
C:\Windows\SysWOW64\Pengdk32.exe

Filesize
359KB

MD5
73c760247b714d8700d9f0e8ad3b75df

SHA1
dbbc324fcb05dc8dfefda09a6b8826a17a4e349b

SHA256
98dd646a5fc929cf1342426ba6595ac31d2b0aa8fa4c24c2a5b4f76c70af4a72

SHA512
b784f3d1ed2bf499fc01bec7b248091d91a47da2e5a61b48ef1018854dcc14dcaf6a31329b29ffe07624259495ef3326e454a7265820c7d6883ca42f36cb9496

Download Submit
C:\Windows\SysWOW64\Peqcjkfp.exe

Filesize
359KB

MD5
289d1a756af55030e56f47ace903388b

SHA1
a2c51d0f47f1acb79c9479d73e846acf4af41e3a

SHA256
e1ccecbaa65f3ec4584b22c3ec03bdc42f67b3f6abce7dc768ba9abab8790989

SHA512
08f9630bc6668d705abb73763d4425ac21f869c4b657992778ea378d970cbb3030ce3967670dea4fd9d129e02d94f35ecb760a0abad5bbc1fa699a1b7b98c821

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
359KB

MD5
45c52564ba4c9fb602ee432fd36c41db

SHA1
cf0e586e3b143cab4e4fdd0acc2a317a2fff0401

SHA256
0d84e1784b4fe26add592fa5db046fb0125688b5c6b116a49097f83b952bab24

SHA512
19cd3d66f19c62bc7203f8c258c1ec83fe436a4b51353d139b915a352cd9c5d935d2aa8d13de30761ca8a594e40262bc3fdcfde861e407016b6ef1d2f42f7777

Download Submit
C:\Windows\SysWOW64\Pghieg32.exe

Filesize
359KB

MD5
ddfe14b6ccfa5f85240a4bec080a1d13

SHA1
4ea5e33a91e3bad60b5ffb2a8d14ae7fb419452e

SHA256
3270f59ed7ecced09a483836ca66489ddfab1db166a630fa91ffd8c5934a28b5

SHA512
ac5a587efd2cc5bae763c8d9385485a72d67e58bda8ffca77ae4b51aee7752967ab4d981ae101d59951be9bb43a2801664df218ad7c94263b43c8f93475ab622

Download Submit
C:\Windows\SysWOW64\Pgjfkg32.exe

Filesize
359KB

MD5
176de38bc40ce7f1d78c48be10608c64

SHA1
0ed8ce5098325d36bd54d9d63598adf02961be9e

SHA256
8cd6dc6bdc40d53dac70b7aab3e5ff05726ae83100a6ee8589c5bb8bf424ccf2

SHA512
e3c439d283df29021a6552bcf261e2bebea376f701681d303c710f11c0e86ee1b8f6935b6fcd2e586a5c1f048f4e0cb1116cf1568c65a9dcbe5451ffab197be5

Download Submit
C:\Windows\SysWOW64\Pjkombfj.exe

Filesize
359KB

MD5
87e774dee6df3f2abb238a8256846bec

SHA1
c9fe682e626e247cc69374ba7b04501730096b89

SHA256
5244b48b66c0797b884a2132e6ab8a632f444de4ae70a1b1577858048e7df2a9

SHA512
5b22e1c1ccb8e8fc59472e48c586007b0b4d1112f7b8ce8d5666ce59fd0c84622035353a3a52c45340dd5ea9e05c54924220caee20d406ec7817e0af49eabc0d

Download Submit
C:\Windows\SysWOW64\Pnbbbabh.exe

Filesize
359KB

MD5
0964baa7e5b3ab6126cd43f536ad3e6b

SHA1
04dc2873149d0ca1154a697d5bed056c0deb863d

SHA256
5857693b67a58974d81951efd9df713ac4eace90e9f9ec4e981ba498af7dd7cb

SHA512
62c40a67370677dde2cb7cc3278e5a9144361dd1dcec6bd7497a2dc7bce8111d028867b5423a052064f7cb14d5c28cce51380b83b556be0865ff39948851808e

Download Submit
C:\Windows\SysWOW64\Pnihcq32.exe

Filesize
359KB

MD5
fd6dfa6ba40890b2b62ed1a77d7f265e

SHA1
481cd3b92af6e4f9e4e01c13453b40e8b4546452

SHA256
842caa5f6f4fb351f67f4fd220155fe964bc07904e922b4cf0e9ff9e0925f2f3

SHA512
22b485f863f261ccb700d37c21dc2325c618448ee73147e04d4ad6858db93ae42df9c30b057638d513644939e6bc5caa531af93dc809eb54b079e4e1ee1088e7

Download Submit
C:\Windows\SysWOW64\Pqnaim32.exe

Filesize
359KB

MD5
0c90cb325b96385af5830a745ba9d925

SHA1
cee49adc573f4b385051f145050798afd7ab65e0

SHA256
7d0c653665b5efd0def13ee7d2c4ee2432d68a2dd866b3f1c30a457834e2d643

SHA512
98a5524b75600821c5d44d22124daf232300fc98a908caa03123937e4549eb6fa80e8a80f1e8531f7f04d83e22e7c5bf7d91e9e9ff04ede836bf70bcae11bd4a

Download Submit
C:\Windows\SysWOW64\Qajadlja.exe

Filesize
359KB

MD5
9d791bbb05785f7accdefb166d290961

SHA1
891d2bff7ab5360a90c7316dc25ebaa07edd257d

SHA256
6b52354971fd294a1bc4eeb7e91ece40939723792ee484047911737fa11574bb

SHA512
3b61ecf1c978595c5a50f5d678f14fa996bd1d102aca4fe25cd97534d13438159c1657e92cb664d3a719721240b2c024b38b6709e17e04c185dab6b9802615e5

Download Submit
C:\Windows\SysWOW64\Qalnjkgo.exe

Filesize
359KB

MD5
09b92b99458d80d1b8b36c5db1c800c8

SHA1
0d0fc35169442c5266e8daf4df7b7897d2b0f510

SHA256
0816f4f1644aa91e7619877ec2f069622745bb6aa8b315a525e23d85213ce126

SHA512
f099b3e64725801ea44911a8c080e002baf399b89119403df901fd019fe0c6b41db53aef5272d85fafdbcd882c6a8b4f610ee2af9e09d2fd053c1f96c613fe40

Download Submit
C:\Windows\SysWOW64\Qcepkg32.exe

Filesize
359KB

MD5
ba4b44397a713a0d96e36e1892758030

SHA1
27350d89d29c909778ea1feb08fc5840d8692b87

SHA256
ef81ef884662e2552d8b0e4883eba110ee5e5510f7e1bf9aef3a864d0e126698

SHA512
be780a55c25e88aa65d5166a44e19dcf826189629c43ce5043aa32fc0c54327e23d2c7bab681a3324c2493a9008ae05d716f86af38bde66118ba2750cb794a64

Download Submit
C:\Windows\SysWOW64\Qgciaf32.exe

Filesize
359KB

MD5
104db221ba36b5f2e6a27cd711e5be45

SHA1
95e28c1fe49b377874f22bad6683421f31f03c6d

SHA256
e64fd551b2ae56e9a4b0dcb2546857362ee5556cb6b5e69b422b3b5cef1db812

SHA512
989c5b48bca8bbdbd481b36ccb8578eb0284809fd3acde964df66f386f16dc6b0fb4ca086334e6c65efa3d9261fe8053d36e5b57959d2833c1c6908c835d8666

Download Submit
memory/8-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-623-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-633-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-605-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-617-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-612-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5100-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7576-2024-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7600-2053-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8280-2014-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8412-2009-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8628-2001-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads