81762be238353231ded7350aaebb53a35af90d7f8bdf281d28e90c7136e8ad9a

Analysis

max time kernel
130s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a6b2e45e1349772bacf68aec0ddec90_NeikiAnalytics.exe
Size

320KB
MD5

2a6b2e45e1349772bacf68aec0ddec90
SHA1

fb650b4e06fe7a2b8bbaa099079409c26bb7207e
SHA256

81762be238353231ded7350aaebb53a35af90d7f8bdf281d28e90c7136e8ad9a
SHA512

5a828daa811f67204e757184cb2fd046c13985fec2f6df879b62b3b04d629331a0e12624099604904e7e2401a69be0108c2745656c8c8e3a08d1c118a5a2d0d1
SSDEEP

6144:30dnzoLrmD4EOkziPLAYCtE07kli0KoCYtw2B0Ddu9szWfx09UBIUbPLwH/lLOUR:HAzYJ07kE0KoFtw2gu9RxrBIUbPLwH9J

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ckcgkldl.exeIeolehop.exeJcllonma.exeKdqejn32.exeLmiciaaj.exeOgbipa32.exePcncpbmd.exeQmkadgpo.exeCnffqf32.exeDkkcge32.exeDojcgi32.exeElgfgl32.exeKfjhkjle.exeMedgncoe.exeNgpccdlj.exeNfjjppmm.exeEdpnfo32.exeFckajehi.exeJbeidl32.exePjjhbl32.exeCeckcp32.exeBnmcjg32.exeCmlcbbcj.exeEhnglm32.exeFakdpb32.exeKikame32.exeMelnob32.exePmidog32.exeBagflcje.exeAccfbokl.exeDeokon32.exeCfmajipb.exeCeehho32.exeCecbmf32.exeHelfik32.exeHodgkc32.exeMdhdajea.exeNcianepl.exeAgjhgngj.exeJmknaell.exeJianff32.exeCefoce32.exeKpeiioac.exeDdonekbl.exeLeihbeib.exeMgfqmfde.exeBmemac32.exeCenahpha.exeLdleel32.exeCdabcm32.exeCfpnph32.exeKdnidn32.exeEkjfcipa.exeHkdbpe32.exeOqfdnhfk.exeFljcmlfd.exeFcckif32.exeNngokoej.exeOdmgcgbi.exeBaicac32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckcgkldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieolehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojcgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elgfgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edpnfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckajehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehnglm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fakdpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cecbmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hodgkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmknaell.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cefoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmknaell.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekjfcipa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkdbpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fljcmlfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcckif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe

Malware Dropper & Backdoor - Berbew 51 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Cbefaj32.exe	family_berbew
C:\Windows\SysWOW64\Cecbmf32.exe	family_berbew
C:\Windows\SysWOW64\Cefoce32.exe	family_berbew
C:\Windows\SysWOW64\Clpgpp32.exe	family_berbew
C:\Windows\SysWOW64\Ckcgkldl.exe	family_berbew
C:\Windows\SysWOW64\Clbceo32.exe	family_berbew
C:\Windows\SysWOW64\Dbllbibl.exe	family_berbew
C:\Windows\SysWOW64\Dekhneap.exe	family_berbew
C:\Windows\SysWOW64\Docmgjhp.exe	family_berbew
C:\Windows\SysWOW64\Demecd32.exe	family_berbew
C:\Windows\SysWOW64\Dkjmlk32.exe	family_berbew
C:\Windows\SysWOW64\Dadeieea.exe	family_berbew
C:\Windows\SysWOW64\Dhnnep32.exe	family_berbew
C:\Windows\SysWOW64\Dkljak32.exe	family_berbew
C:\Windows\SysWOW64\Dafbne32.exe	family_berbew
C:\Windows\SysWOW64\Dhpjkojk.exe	family_berbew
C:\Windows\SysWOW64\Dojcgi32.exe	family_berbew
C:\Windows\SysWOW64\Dhbgqohi.exe	family_berbew
C:\Windows\SysWOW64\Ekacmjgl.exe	family_berbew
C:\Windows\SysWOW64\Echknh32.exe	family_berbew
C:\Windows\SysWOW64\Eoolbinc.exe	family_berbew
C:\Windows\SysWOW64\Eamhodmf.exe	family_berbew
C:\Windows\SysWOW64\Eeidoc32.exe	family_berbew
C:\Windows\SysWOW64\Ehgqln32.exe	family_berbew
C:\Windows\SysWOW64\Ehimanbq.exe	family_berbew
C:\Windows\SysWOW64\Eleiam32.exe	family_berbew
C:\Windows\SysWOW64\Ecoangbg.exe	family_berbew
C:\Windows\SysWOW64\Eocenh32.exe	family_berbew
C:\Windows\SysWOW64\Ekhjmiad.exe	family_berbew
C:\Windows\SysWOW64\Ednaqo32.exe	family_berbew
C:\Windows\SysWOW64\Eekaebcm.exe	family_berbew
C:\Windows\SysWOW64\Ecmeig32.exe	family_berbew
C:\Windows\SysWOW64\Gdhmnlcj.exe	family_berbew
C:\Windows\SysWOW64\Hflcbngh.exe	family_berbew
C:\Windows\SysWOW64\Iefioj32.exe	family_berbew
C:\Windows\SysWOW64\Icnpmp32.exe	family_berbew
C:\Windows\SysWOW64\Jehokgge.exe	family_berbew
C:\Windows\SysWOW64\Lfkaag32.exe	family_berbew
C:\Windows\SysWOW64\Mdmnlj32.exe	family_berbew
C:\Windows\SysWOW64\Odkjng32.exe	family_berbew
C:\Windows\SysWOW64\Ocbddc32.exe	family_berbew
C:\Windows\SysWOW64\Ogpmjb32.exe	family_berbew
C:\Windows\SysWOW64\Pdpmpdbd.exe	family_berbew
C:\Windows\SysWOW64\Qnjnnj32.exe	family_berbew
C:\Windows\SysWOW64\Qffbbldm.exe	family_berbew
C:\Windows\SysWOW64\Amddjegd.exe	family_berbew
C:\Windows\SysWOW64\Anfmjhmd.exe	family_berbew
C:\Windows\SysWOW64\Balpgb32.exe	family_berbew
C:\Windows\SysWOW64\Bclhhnca.exe	family_berbew
C:\Windows\SysWOW64\Cjpckf32.exe	family_berbew
C:\Windows\SysWOW64\Dfiafg32.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Cbefaj32.exeCecbmf32.exeCefoce32.exeClpgpp32.exeCkcgkldl.exeClbceo32.exeDbllbibl.exeDekhneap.exeDocmgjhp.exeDemecd32.exeDkjmlk32.exeDadeieea.exeDhnnep32.exeDkljak32.exeDafbne32.exeDhpjkojk.exeDojcgi32.exeDhbgqohi.exeEkacmjgl.exeEchknh32.exeEoolbinc.exeEamhodmf.exeEeidoc32.exeEhgqln32.exeEcmeig32.exeEekaebcm.exeEdnaqo32.exeEhimanbq.exeEleiam32.exeEkhjmiad.exeEocenh32.exeEcoangbg.exeEemnjbaj.exeEdpnfo32.exeEhljfnpn.exeElgfgl32.exeEkjfcipa.exeEofbch32.exeEcandfpd.exeEadopc32.exeEepjpb32.exeEhnglm32.exeFljcmlfd.exeFohoigfh.exeFcckif32.exeFafkecel.exeFebgea32.exeFdegandp.exeFhqcam32.exeFllpbldb.exeFkopnh32.exeFcfhof32.exeFdgdgnbm.exeFlnlhk32.exeFomhdg32.exeFakdpb32.exeFfgqqaip.exeFhemmlhc.exeFkciihgg.exeFooeif32.exeFckajehi.exeFfimfqgm.exeFdlnbm32.exeFlceckoj.exe

pid	process
3728	Cbefaj32.exe
8	Cecbmf32.exe
996	Cefoce32.exe
404	Clpgpp32.exe
3532	Ckcgkldl.exe
1996	Clbceo32.exe
4652	Dbllbibl.exe
1196	Dekhneap.exe
3408	Docmgjhp.exe
1496	Demecd32.exe
3724	Dkjmlk32.exe
2344	Dadeieea.exe
2988	Dhnnep32.exe
4852	Dkljak32.exe
2740	Dafbne32.exe
2676	Dhpjkojk.exe
4340	Dojcgi32.exe
1756	Dhbgqohi.exe
4040	Ekacmjgl.exe
3052	Echknh32.exe
1376	Eoolbinc.exe
3260	Eamhodmf.exe
4372	Eeidoc32.exe
1112	Ehgqln32.exe
392	Ecmeig32.exe
4880	Eekaebcm.exe
2064	Ednaqo32.exe
4820	Ehimanbq.exe
632	Eleiam32.exe
1480	Ekhjmiad.exe
2892	Eocenh32.exe
2372	Ecoangbg.exe
1372	Eemnjbaj.exe
3028	Edpnfo32.exe
4064	Ehljfnpn.exe
1720	Elgfgl32.exe
2524	Ekjfcipa.exe
2940	Eofbch32.exe
3980	Ecandfpd.exe
1876	Eadopc32.exe
1028	Eepjpb32.exe
3076	Ehnglm32.exe
3380	Fljcmlfd.exe
4736	Fohoigfh.exe
1868	Fcckif32.exe
4532	Fafkecel.exe
4804	Febgea32.exe
5108	Fdegandp.exe
3224	Fhqcam32.exe
5112	Fllpbldb.exe
4420	Fkopnh32.exe
3088	Fcfhof32.exe
1144	Fdgdgnbm.exe
2960	Flnlhk32.exe
2164	Fomhdg32.exe
4360	Fakdpb32.exe
4416	Ffgqqaip.exe
1568	Fhemmlhc.exe
3544	Fkciihgg.exe
1100	Fooeif32.exe
2640	Fckajehi.exe
432	Ffimfqgm.exe
2564	Fdlnbm32.exe
3556	Flceckoj.exe

Drops file in System32 directory 64 IoCs

Processes:

Hecmijim.exeOnjegled.exeHiefcj32.exeJehokgge.exeKpgfooop.exeBjfaeh32.exeIcnpmp32.exeImoneg32.exeKbhoqj32.exeOlcbmj32.exeAnfmjhmd.exeBjagjhnc.exeEhgqln32.exeLbmhlihl.exeMgfqmfde.exeOgbipa32.exeOjaelm32.exePmidog32.exeAjhddjfn.exeAfoeiklb.exeBclhhnca.exeFohoigfh.exeFdgdgnbm.exeFdlnbm32.exeGohhpe32.exeLpcfkm32.exeMbfkbhpa.exeDmjocp32.exeDhnnep32.exeEcandfpd.exeFebgea32.exeJmknaell.exeLlcpoo32.exeLphoelqn.exeEkacmjgl.exeKmdqgd32.exeMdmnlj32.exeOneklm32.exeDemecd32.exeAqkgpedc.exeIbjjhn32.exeLekehdgp.exeHkfoeega.exeFlceckoj.exeOncofm32.exeDhpjkojk.exeJeaikh32.exeElgfgl32.exeLbdolh32.exeAfjlnk32.exeKfmepi32.exeFhemmlhc.exeJedeph32.exeKlngdpdd.exeQnjnnj32.exeDeokon32.exeEepjpb32.exeEhimanbq.exeMplhql32.exeNjefqo32.exeBnmcjg32.exeDaconoae.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Hmjdjgjo.exe	Hecmijim.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Hkdbpe32.exe	Hiefcj32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpgldhg.exe	Jehokgge.exe
File created	C:\Windows\SysWOW64\Jfnbea32.dll	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bkblkg32.dll	Icnpmp32.exe
File created	C:\Windows\SysWOW64\Ipnjab32.exe	Imoneg32.exe
File created	C:\Windows\SysWOW64\Edgbbfnk.dll	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Ecmeig32.exe	Ehgqln32.exe
File created	C:\Windows\SysWOW64\Lekehdgp.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Fcckif32.exe	Fohoigfh.exe
File created	C:\Windows\SysWOW64\Hhkephlb.dll	Fdgdgnbm.exe
File opened for modification	C:\Windows\SysWOW64\Flceckoj.exe	Fdlnbm32.exe
File created	C:\Windows\SysWOW64\Lbkdpj32.dll	Gohhpe32.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dkljak32.exe	Dhnnep32.exe
File opened for modification	C:\Windows\SysWOW64\Eadopc32.exe	Ecandfpd.exe
File created	C:\Windows\SysWOW64\Hlokddim.dll	Febgea32.exe
File created	C:\Windows\SysWOW64\Ejckel32.dll	Jmknaell.exe
File opened for modification	C:\Windows\SysWOW64\Lbmhlihl.exe	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lphoelqn.exe
File opened for modification	C:\Windows\SysWOW64\Echknh32.exe	Ekacmjgl.exe
File created	C:\Windows\SysWOW64\Klgqcqkl.exe	Kmdqgd32.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Dkjmlk32.exe	Demecd32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Iehfdi32.exe	Ibjjhn32.exe
File opened for modification	C:\Windows\SysWOW64\Lmbmibhb.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Hcmgfbhd.exe	Hkfoeega.exe
File opened for modification	C:\Windows\SysWOW64\Fkffog32.exe	Flceckoj.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Dojcgi32.exe	Dhpjkojk.exe
File opened for modification	C:\Windows\SysWOW64\Flnlhk32.exe	Fdgdgnbm.exe
File created	C:\Windows\SysWOW64\Jmhale32.exe	Jeaikh32.exe
File created	C:\Windows\SysWOW64\Ekjfcipa.exe	Elgfgl32.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Fbnkjc32.dll	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Paadbk32.dll	Fhemmlhc.exe
File created	C:\Windows\SysWOW64\Jmknaell.exe	Jedeph32.exe
File created	C:\Windows\SysWOW64\Kbhoqj32.exe	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Ehnglm32.exe	Eepjpb32.exe
File created	C:\Windows\SysWOW64\Eleiam32.exe	Ehimanbq.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

8744 9092 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
8744	9092	WerFault.exe	Dmllipeg.exe

Modifies registry class 64 IoCs

Processes:

Jpijnqkp.exeMelnob32.exeCbefaj32.exeHmjdjgjo.exeIlidbbgl.exeLmbmibhb.exeCdabcm32.exeDeagdn32.exeCecbmf32.exeLbabgh32.exeMedgncoe.exeNpfkgjdn.exeHkfoeega.exeEhgqln32.exeHbnjmp32.exeJianff32.exeAmddjegd.exeBjfaeh32.exeDgbdlf32.exeDhpjkojk.exeEcmeig32.exeJehokgge.exeAjckij32.exeBjagjhnc.exeDekhneap.exeHkkhqd32.exeChcddk32.exeHkdbpe32.exeDaconoae.exePcncpbmd.exeKlgqcqkl.exeCdfkolkf.exeDdmaok32.exeDmjocp32.exeFkffog32.exeFomhdg32.exeGkoiefmj.exeAccfbokl.exeClpgpp32.exeNepgjaeg.exeQnhahj32.exeAnadoi32.exeCajlhqjp.exeJmknaell.exeLfkaag32.exeDmcibama.exeHcbpab32.exeEkhjmiad.exeDojcgi32.exeJlpkba32.exeAfjlnk32.exeDadeieea.exeMcmabg32.exeBnhjohkb.exeCfmajipb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbefaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmjdjgjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keajjc32.dll"	Hmjdjgjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilidbbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akalojih.dll"	Cecbmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkfoeega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ehgqln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbnjmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbedgde.dll"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhpjkojk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njkdbljm.dll"	Ecmeig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jehokgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dekhneap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpppj32.dll"	Hkdbpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oalnaifk.dll"	Fkffog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgmlbfod.dll"	Fomhdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gkoiefmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbnjmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clpgpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmknaell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcbpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkfoeega.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aainof32.dll"	Ekhjmiad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dojcgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jlpkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dadeieea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2a6b2e45e1349772bacf68aec0ddec90_NeikiAnalytics.exeCbefaj32.exeCecbmf32.exeCefoce32.exeClpgpp32.exeCkcgkldl.exeClbceo32.exeDbllbibl.exeDekhneap.exeDocmgjhp.exeDemecd32.exeDkjmlk32.exeDadeieea.exeDhnnep32.exeDkljak32.exeDafbne32.exeDhpjkojk.exeDojcgi32.exeDhbgqohi.exeEkacmjgl.exeEchknh32.exeEoolbinc.exe

description	pid	process	target process
PID 4084 wrote to memory of 3728	4084	2a6b2e45e1349772bacf68aec0ddec90_NeikiAnalytics.exe	Cbefaj32.exe
PID 4084 wrote to memory of 3728	4084	2a6b2e45e1349772bacf68aec0ddec90_NeikiAnalytics.exe	Cbefaj32.exe
PID 4084 wrote to memory of 3728	4084	2a6b2e45e1349772bacf68aec0ddec90_NeikiAnalytics.exe	Cbefaj32.exe
PID 3728 wrote to memory of 8	3728	Cbefaj32.exe	Cecbmf32.exe
PID 3728 wrote to memory of 8	3728	Cbefaj32.exe	Cecbmf32.exe
PID 3728 wrote to memory of 8	3728	Cbefaj32.exe	Cecbmf32.exe
PID 8 wrote to memory of 996	8	Cecbmf32.exe	Cefoce32.exe
PID 8 wrote to memory of 996	8	Cecbmf32.exe	Cefoce32.exe
PID 8 wrote to memory of 996	8	Cecbmf32.exe	Cefoce32.exe
PID 996 wrote to memory of 404	996	Cefoce32.exe	Clpgpp32.exe
PID 996 wrote to memory of 404	996	Cefoce32.exe	Clpgpp32.exe
PID 996 wrote to memory of 404	996	Cefoce32.exe	Clpgpp32.exe
PID 404 wrote to memory of 3532	404	Clpgpp32.exe	Ckcgkldl.exe
PID 404 wrote to memory of 3532	404	Clpgpp32.exe	Ckcgkldl.exe
PID 404 wrote to memory of 3532	404	Clpgpp32.exe	Ckcgkldl.exe
PID 3532 wrote to memory of 1996	3532	Ckcgkldl.exe	Clbceo32.exe
PID 3532 wrote to memory of 1996	3532	Ckcgkldl.exe	Clbceo32.exe
PID 3532 wrote to memory of 1996	3532	Ckcgkldl.exe	Clbceo32.exe
PID 1996 wrote to memory of 4652	1996	Clbceo32.exe	Dbllbibl.exe
PID 1996 wrote to memory of 4652	1996	Clbceo32.exe	Dbllbibl.exe
PID 1996 wrote to memory of 4652	1996	Clbceo32.exe	Dbllbibl.exe
PID 4652 wrote to memory of 1196	4652	Dbllbibl.exe	Dekhneap.exe
PID 4652 wrote to memory of 1196	4652	Dbllbibl.exe	Dekhneap.exe
PID 4652 wrote to memory of 1196	4652	Dbllbibl.exe	Dekhneap.exe
PID 1196 wrote to memory of 3408	1196	Dekhneap.exe	Docmgjhp.exe
PID 1196 wrote to memory of 3408	1196	Dekhneap.exe	Docmgjhp.exe
PID 1196 wrote to memory of 3408	1196	Dekhneap.exe	Docmgjhp.exe
PID 3408 wrote to memory of 1496	3408	Docmgjhp.exe	Demecd32.exe
PID 3408 wrote to memory of 1496	3408	Docmgjhp.exe	Demecd32.exe
PID 3408 wrote to memory of 1496	3408	Docmgjhp.exe	Demecd32.exe
PID 1496 wrote to memory of 3724	1496	Demecd32.exe	Dkjmlk32.exe
PID 1496 wrote to memory of 3724	1496	Demecd32.exe	Dkjmlk32.exe
PID 1496 wrote to memory of 3724	1496	Demecd32.exe	Dkjmlk32.exe
PID 3724 wrote to memory of 2344	3724	Dkjmlk32.exe	Dadeieea.exe
PID 3724 wrote to memory of 2344	3724	Dkjmlk32.exe	Dadeieea.exe
PID 3724 wrote to memory of 2344	3724	Dkjmlk32.exe	Dadeieea.exe
PID 2344 wrote to memory of 2988	2344	Dadeieea.exe	Dhnnep32.exe
PID 2344 wrote to memory of 2988	2344	Dadeieea.exe	Dhnnep32.exe
PID 2344 wrote to memory of 2988	2344	Dadeieea.exe	Dhnnep32.exe
PID 2988 wrote to memory of 4852	2988	Dhnnep32.exe	Dkljak32.exe
PID 2988 wrote to memory of 4852	2988	Dhnnep32.exe	Dkljak32.exe
PID 2988 wrote to memory of 4852	2988	Dhnnep32.exe	Dkljak32.exe
PID 4852 wrote to memory of 2740	4852	Dkljak32.exe	Dafbne32.exe
PID 4852 wrote to memory of 2740	4852	Dkljak32.exe	Dafbne32.exe
PID 4852 wrote to memory of 2740	4852	Dkljak32.exe	Dafbne32.exe
PID 2740 wrote to memory of 2676	2740	Dafbne32.exe	Dhpjkojk.exe
PID 2740 wrote to memory of 2676	2740	Dafbne32.exe	Dhpjkojk.exe
PID 2740 wrote to memory of 2676	2740	Dafbne32.exe	Dhpjkojk.exe
PID 2676 wrote to memory of 4340	2676	Dhpjkojk.exe	Dojcgi32.exe
PID 2676 wrote to memory of 4340	2676	Dhpjkojk.exe	Dojcgi32.exe
PID 2676 wrote to memory of 4340	2676	Dhpjkojk.exe	Dojcgi32.exe
PID 4340 wrote to memory of 1756	4340	Dojcgi32.exe	Dhbgqohi.exe
PID 4340 wrote to memory of 1756	4340	Dojcgi32.exe	Dhbgqohi.exe
PID 4340 wrote to memory of 1756	4340	Dojcgi32.exe	Dhbgqohi.exe
PID 1756 wrote to memory of 4040	1756	Dhbgqohi.exe	Ekacmjgl.exe
PID 1756 wrote to memory of 4040	1756	Dhbgqohi.exe	Ekacmjgl.exe
PID 1756 wrote to memory of 4040	1756	Dhbgqohi.exe	Ekacmjgl.exe
PID 4040 wrote to memory of 3052	4040	Ekacmjgl.exe	Echknh32.exe
PID 4040 wrote to memory of 3052	4040	Ekacmjgl.exe	Echknh32.exe
PID 4040 wrote to memory of 3052	4040	Ekacmjgl.exe	Echknh32.exe
PID 3052 wrote to memory of 1376	3052	Echknh32.exe	Eoolbinc.exe
PID 3052 wrote to memory of 1376	3052	Echknh32.exe	Eoolbinc.exe
PID 3052 wrote to memory of 1376	3052	Echknh32.exe	Eoolbinc.exe
PID 1376 wrote to memory of 3260	1376	Eoolbinc.exe	Eamhodmf.exe

C:\Users\Admin\AppData\Local\Temp\2a6b2e45e1349772bacf68aec0ddec90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2a6b2e45e1349772bacf68aec0ddec90_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\SysWOW64\Cbefaj32.exe
  C:\Windows\system32\Cbefaj32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\SysWOW64\Cecbmf32.exe
    C:\Windows\system32\Cecbmf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\SysWOW64\Cefoce32.exe
      C:\Windows\system32\Cefoce32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:996
    - - C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
      - C:\Windows\SysWOW64\Ckcgkldl.exe
        
        C:\Windows\system32\Ckcgkldl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        23⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        24⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        27⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        28⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        30⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        32⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        33⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        34⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        36⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        39⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        41⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        47⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        49⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        50⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        51⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        52⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        53⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        55⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        58⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        60⤵
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        61⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        63⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        66⤵
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        67⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        68⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        69⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        70⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        71⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        72⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        73⤵
        
        PID:728
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Gbgdlq32.exe
        
        C:\Windows\system32\Gbgdlq32.exe
        75⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        76⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        77⤵
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        78⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        79⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        80⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        81⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        82⤵
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        84⤵
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1592
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        87⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        88⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        89⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2516
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        91⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        92⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        93⤵
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        94⤵
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        95⤵
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        96⤵
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        97⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        98⤵
        
        PID:628
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        99⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        100⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        101⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        103⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        105⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        106⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        107⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        108⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        109⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        110⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        111⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        114⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        115⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        116⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        118⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        119⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        123⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        124⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        126⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        127⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        129⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        130⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        131⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        132⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        133⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        137⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        141⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        144⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        145⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        146⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        147⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        148⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        149⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        150⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        151⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        152⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        153⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        154⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        155⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        156⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        158⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        159⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        160⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        161⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        162⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6280
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        164⤵
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        165⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        167⤵
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        168⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        169⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        171⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6700
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        173⤵
        Drops file in System32 directory
        
        PID:6764
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        174⤵
        Drops file in System32 directory
        
        PID:6836
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        176⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        177⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        178⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        179⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        180⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6272
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        184⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        185⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        186⤵
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        188⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        189⤵
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        190⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        191⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        192⤵
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6268
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        194⤵
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6512
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        196⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        197⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        198⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7088
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        200⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        201⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6636
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        203⤵
        Drops file in System32 directory
        
        PID:6912
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        204⤵
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        205⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        206⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        207⤵
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        208⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        210⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        211⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        212⤵
        Drops file in System32 directory
        
        PID:7224
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        213⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        214⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        215⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7400
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        217⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        218⤵
        Drops file in System32 directory
        
        PID:7480
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        219⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7560
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        221⤵
        Drops file in System32 directory
        
        PID:7600
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        222⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        223⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        224⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        225⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        226⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        227⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        228⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        229⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        230⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        231⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        232⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8108
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        234⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        235⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        236⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        237⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        238⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7428
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7508
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        241⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        242⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        243⤵
        Modifies registry class
        
        PID:7716
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        244⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7792
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        245⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        246⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        247⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        248⤵
        Drops file in System32 directory
        
        PID:8088
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        249⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        250⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        251⤵
        Drops file in System32 directory
        
        PID:7328
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        252⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        253⤵
        Modifies registry class
        
        PID:7552
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        254⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        255⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        256⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        257⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8004
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        258⤵
        Modifies registry class
        
        PID:8076
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        259⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        260⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7620
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        262⤵
        Drops file in System32 directory
        
        PID:7840
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        263⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        264⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        265⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        266⤵
        Drops file in System32 directory
        
        PID:7824
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        267⤵
        Drops file in System32 directory
        
        PID:8100
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        268⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8184
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        270⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        271⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        272⤵
        Modifies registry class
        
        PID:8204
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8248
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        274⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        275⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        276⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8428
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        278⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        279⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        280⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8556
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8604
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        282⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        283⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        284⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        285⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        286⤵
        Drops file in System32 directory
        
        PID:8824
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        287⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8864
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8908
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        289⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        290⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        291⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9040
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        292⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        293⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        294⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9168
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        295⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9208
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        296⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8236
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        297⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        298⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8376
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        299⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        300⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        301⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        302⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        303⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8716
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        304⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8796
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        305⤵
        Modifies registry class
        
        PID:8856
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        306⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        307⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        308⤵
        Modifies registry class
        
        PID:9028
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        309⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9116
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        310⤵
        Modifies registry class
        
        PID:9196
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        311⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        312⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        313⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        314⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        315⤵
        Modifies registry class
        
        PID:8656
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        316⤵
        Modifies registry class
        
        PID:8764
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        317⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        318⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        319⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        320⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9180
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        321⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        322⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        323⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8624
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        324⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8852
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        325⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        326⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9164
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        327⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8392
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        328⤵
        Modifies registry class
        
        PID:8676
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        329⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        330⤵
        Modifies registry class
        
        PID:8244
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        331⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        332⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9092 -s 416
        333⤵
        Program crash
        
        PID:8744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 9092 -ip 9092
1⤵
PID:8224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amddjegd.exe

Filesize
320KB

MD5
f536d79d8f2d47077ff006b1664a80f3

SHA1
6abb3d0eeaeb1a8abb276ad9d01c2557c0c86bd1

SHA256
c795bcea0914870166944438aafee289460ab54e76ff144bd1be2321021ef688

SHA512
30436bb51637c93a2445654acd21fd423bf92c667ad5b537fbdb493498966993eae2c6e327eb5c9426718cad85611163cbfaf25d5ba9e10e5282f305dd097ddc

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
320KB

MD5
3d085387d834d37672641ae065eaf26a

SHA1
bba79a6929b6d356ae5acf1d4055631c568ff0f5

SHA256
bfb5ec1a37b39a56557497495c929f0d064f6b5829c6a887fa3d82d56e714b0a

SHA512
caab96e47c804478224a932c112af638418d4b73ecd3c9fd5bfbe5a7c5f11b55d0e1879b96850c8034feaf1ef16e32a7d3197a5a6a8e1997f05d62c966db063e

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
320KB

MD5
2edf0c3d86188317783431b02650b1cd

SHA1
ae7c3e40421235762148d989cbfd4e08481c9c41

SHA256
30783ae5c6e6793e7e65a7827fad28070111544deb63c92081b4acb5e1c5e701

SHA512
36a67a8167a4c37266a8f4c7a717431930c70ee95080e510d2f64a1ee4c5fd39d35557a2d83bf367dcd59a79fe73bfb1eb185ab5d99890d0d77291b8af88c0ce

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
320KB

MD5
dd9d384bd5f5210e9361d4a61c570115

SHA1
dc79d2b016071beaeb9342b32812ac5807623315

SHA256
491ee033a658abafb8ebbebd5e34817e5f35a445b6230661d21d26126c3e4f04

SHA512
c389f399906d309c10a2500b83f3d08a5372fd2dd83fe983e57e559b0d390f6985aa7fc92a13d449b02ab594cb2c3e7a9c060ff9761a55fc04504238055f6ee1

Download Submit
C:\Windows\SysWOW64\Cbefaj32.exe

Filesize
320KB

MD5
68f5f2a07013b75a6998aa5655b04890

SHA1
7137763ef2716da9c366cae98c874fdc7a7d003b

SHA256
610bd835c2028f8e9563a3e10d326a9638b4732a678780efa26c909b53bbdd0d

SHA512
a1d67f414489995ae6a072aeb329b857eb43b4da9c762e6dc52fb3cbe2ddcee3804059823cf6686e30ddfa542aa9ae2f06d4a3353990da08b288073a84520e3d

Download Submit
C:\Windows\SysWOW64\Cecbmf32.exe

Filesize
320KB

MD5
54dc83e20e44464e23fcd1193832e0c7

SHA1
d4d9ef38bebf53a117e3d0c89d6515b7eb70e544

SHA256
7a125d71a07fb84e51369c722521ac52c43db660afe5fe64e36662d7792baa20

SHA512
63e659273f7d70ad6ee9b7bf221857f3272505889b0f16c92676c3a5a65e5972134d4cd28bed0a02b1c902de9c2c9056fe916a59901723bf35d7d9019adb3057

Download Submit
C:\Windows\SysWOW64\Cefoce32.exe

Filesize
320KB

MD5
f3b0429d3d129f361b731aaff80c6ca9

SHA1
79e04bdebdb3986340b2be8c0f4e6a20570d78b0

SHA256
d9e66672a8d2c176408f77d9e723137f4a1ddab4605fce1dbea979ddf8a9faa3

SHA512
3d7bff42ef232ecf59ab14bfe2a2a3ae40f6b8e7bfa362df5f42b9a877f4268d3918df91f1c22113284a83856b07a28246439f3af5feff2f5e3b2f1cb55f9af1

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
320KB

MD5
65b13f4e3627a691689e92f8078451b7

SHA1
aea096b2fc882664f7f3624f241e1266935b053c

SHA256
418f25b16c6e751ff0422092e22ae57f5ffcde351048bc4e01693239a7b1d236

SHA512
416efcc74408f4345e5e7db84e8e069851a54953f650b8660ac99b18c4274f9a275073b4a432ee0567ba7a508e8d087945d22822c6eb3ce4651cb737e1f8f6bd

Download Submit
C:\Windows\SysWOW64\Ckcgkldl.exe

Filesize
320KB

MD5
5b0828782e343d409b9a8c1cafb30888

SHA1
3fecda498e0b2974029808ad0688f1777e113083

SHA256
efd427f9b9ab19925f9d448469d0fbe0aa89f1c8c5119518b18717c8078432a5

SHA512
0cb302e51ac07c181a12c0f11e13448713472dc8b45b3b039fbd1acd6e4bb65e478a6af9d84627688d73a38238ea83e0252aefd79943beec9c4240eaac315f70

Download Submit
C:\Windows\SysWOW64\Clbceo32.exe

Filesize
320KB

MD5
5678f7c8734d79c625d3188db985e6ba

SHA1
9e4185064d810fee7c958280e9df8878bae7eac5

SHA256
29a05b3377d0778ad28ae173f04983ef43511f21d46e1f4b08220a1586b51127

SHA512
2aa0dac09c3742ae434afec3acfcef5295e17637d4b9e385d537df3fcdd34491b5842935e1f21331b88426515da401382659de0a79f12d10a234f093f19a9003

Download Submit
C:\Windows\SysWOW64\Clpgpp32.exe

Filesize
320KB

MD5
7b297208ce4ae0a3de0c732c49bf98e0

SHA1
6599f653c6f4d9558b74b6ca5c19b89223c0f287

SHA256
8ccb7254f8044c544159f629ba183e0bf25ba73fbfd405117b248a03bc1e9f32

SHA512
d86c412cdaae53e66d150b9f1cd11359242124f7dc79c16465ffc1acc645fb9205e67f649a68fdcd7c5cc4411bfb863e2236c7d652dad90138fc6e6c53f53a02

Download Submit
C:\Windows\SysWOW64\Dadeieea.exe

Filesize
320KB

MD5
96cad0e9141a51308af0f2e4a78944be

SHA1
ac41545e4e3e1813307acd314218032fd97fb914

SHA256
3da470cc0d8adebb848ac291e3f163d994939e83a183d86b1617ede6223608e9

SHA512
018f5061e61c33d5b42ddadbf04ca00a446ee39e140d00526ca603c2fc0db2b612c1cd879c7d832003175276d9e686837ca3f4e912e5d4f8f9a2b744054a9ffd

Download Submit
C:\Windows\SysWOW64\Dafbne32.exe

Filesize
320KB

MD5
262eaeb8714cd7c1144c84151bdb6d2e

SHA1
76da17c681e5dc858706a2bb9996fe08cbb1641e

SHA256
01bd2ff795fa1bb71c39c342f0031fa9d9798e0dfa729c05f9e4fb6a1f51fe7f

SHA512
c7fbbd7533fd37a17e07173277260cf2d8966980d0ca0113837ff9bd53675b9c6a21031f6e174e272eaaf02ab121d74e41ef21fe4adbb492461043a6b08ac494

Download Submit
C:\Windows\SysWOW64\Dbllbibl.exe

Filesize
320KB

MD5
932bbd198b8165ce4969c3970dcc2ba0

SHA1
9492fd2361fa0b8121eb7743f7b72e11f38ea20b

SHA256
22ed906a3e2ba9b35b454d329b849b4f31248e9d9ddf99adf3144e73b504af29

SHA512
250b9296318ac0545bf73b8bb0754db7632f7a9c4e56c9b3dfe74a4fa8267059cea09be792b7ca4ec0d6498bc05a5395d0f4ac38d6a96f5b05cc22d0cfea0fe8

Download Submit
C:\Windows\SysWOW64\Dekhneap.exe

Filesize
320KB

MD5
023be1a1260edba68963d96e8ecbc4d9

SHA1
d4b7dca657691f60d4fe7072c8edb9a8c4bfeee8

SHA256
71f1b184008d1976d42a2c2c46a4bd8c32a59c67bc94fa385375c97946cf3d64

SHA512
bd0fb25e07037caf06668b53923089327ede3a760825ab538bea82f2b968b297c2c3d8612bf86885612838eb7bea17f057e17baf7ade3db9969016745315a4f7

Download Submit
C:\Windows\SysWOW64\Demecd32.exe

Filesize
320KB

MD5
e878bc505a03f1aa87d3641da7c30e27

SHA1
e318d5f7ea441432661efe1668bb612c578cbebb

SHA256
b9c10a9e3111e7f93e5a113d3f35a342a770cce207c8ec6fcdbbe498045e1259

SHA512
84995af008bb8de23fbddf125b6f63222026d9b9b6a786c92c1cb8a3a85db1cf55593ae5681bfb07e74cd5f59183bca778478b008d163114730e1ee580db811c

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
320KB

MD5
ffa3c3c2b26f94de8bb5155921a2c914

SHA1
85d33f5a0a62d7babb6d96cca2a55b32d31c5315

SHA256
e89c2c576dc0422c2a3b5ba23a2003b551d2c8fc179a5e1f4d6fed7af3fd677b

SHA512
b585ce860ffe3acde4518f4bb2b9e76cb01ccc6595d5628d19c5f6e1eb246581f4237daca5fcc1060daa04f2340bce4538a20197681437a08afd3011e81067ca

Download Submit
C:\Windows\SysWOW64\Dhbgqohi.exe

Filesize
320KB

MD5
070856b5d316d92f271e24ed77e8981c

SHA1
cb2179d3fe55fa9f5bbd4a4cf8bd0e71bffba71b

SHA256
5a35118a2f289b5286a6a3a4a97a1d4d309693386f3e1e3051145e7abeadca09

SHA512
2e84ef2d785b7e0997feb559ee4030ea0020c7e636c2c1680cb6455837a369799c9fa6d985c287d0020e6dfc9df52bedf9279b35f64bc57e5d4988e8f0ce0fbc

Download Submit
C:\Windows\SysWOW64\Dhnnep32.exe

Filesize
320KB

MD5
2a831d53904465b7dba5784b88b35186

SHA1
3e420883c37a54dfc17324ae47550022040e70c9

SHA256
bf23d6345c3738c272e2664ccac9c1760637ffd8bcc973914d7095f8cc1fdfee

SHA512
520b19ed6541782bcde203640d9d8c2275a91f4c46eac9905f45239b08638250f1b04a6881615526d5b9f669c016e9e4d1405533806fc59cf5ced355054b7bcc

Download Submit
C:\Windows\SysWOW64\Dhpjkojk.exe

Filesize
320KB

MD5
270b77d7a5756a81f0753b4792400fd4

SHA1
d0883ca75622090c4dab3ab9a790d2fc2df27b93

SHA256
2310a09fbe880dc7a66a3f98a39a6ba580768f35e890d4e95bee5cb058d1637b

SHA512
344ef3b24c091a1e9ce3f21fed354d5f47d51db5efa751732c9bfd9f548bb3ea2e68585d851360a62dcd15e25cc8d7cd730bd76384893e61693676fec8a33cb7

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
128KB

MD5
bb3873617c20994a67dba001d3510e35

SHA1
5a36a3ae7b38cf33373d81f59af0a99e4d5b8ee4

SHA256
1486603a09fd15df6d2e00a8e70694ecad8b082ce57f3d1856f08182f7996339

SHA512
b2a6a4928779e7c1e4077682e6ff0a2e9c639bf91935db26988cec2a01fd2401540f6976af26af53f9b9b818c20967dd3a01b08ecee6e35b6f050731007d3c36

Download Submit
C:\Windows\SysWOW64\Dkjmlk32.exe

Filesize
320KB

MD5
31b0f742d5e75d023b23deecce59d501

SHA1
d1b4eb0662c01bc48a85078d6f03be6b90f2c72d

SHA256
3bb8007a67c0540c2904f0737f3619a75f3f140087a9de75c99c55127eb57cbe

SHA512
cf651f835201c23d61487b2c53a3f89f323c3918e291d805ae876394174574d9e6f90893b3b84b0e0a370eee0bdd5260cbf10aa1db341c7d2d281c5d19ef08d3

Download Submit
C:\Windows\SysWOW64\Dkljak32.exe

Filesize
320KB

MD5
d89e04f1ee620dd01790fe20608c4af5

SHA1
9c3a1ec590553d0089b495e27648b1ccfcbd7c1f

SHA256
a9d0b8215be6fd2ebdda1ea6483d564ff006c67556844140ef707f26628085a0

SHA512
21e3275de81084aca1df0d9618259f4aeccd0262d005c74086b0fc519977d0e7b7d3148d704b260977427b02cafc4b725852d64a8e71792861303466bd39e4b5

Download Submit
C:\Windows\SysWOW64\Docmgjhp.exe

Filesize
320KB

MD5
18694d82b998afd20a29cacdbc2d5c62

SHA1
22038ea4ad699ad36b162da580a98142906a7fa4

SHA256
810bb7c6e0cdfcdef56a238f30e18f3a693859781b9bdff2bdce53fd3c9aedc0

SHA512
4146d8ca2bd029d9546eddef7641b5f73fecdf99f04d47aff3206972c38d8c10d52a5b966abbffec343504b0bae27923cf838b1da7351e7ed4311a2e5defe9a0

Download Submit
C:\Windows\SysWOW64\Dojcgi32.exe

Filesize
320KB

MD5
6a2fa3c9cf85794c7b7386cb6d0a03c4

SHA1
9745e9e15565dcea1195dc40adf2e9308d9050b7

SHA256
1aaacf206c3688ca20f832b675094f1b435afb91e94356fca9747fc563618b67

SHA512
acdc7bcab989f7217624c8a3834c1504b7c1c36bfb6419ef66eb6bcdfea03b8840d2272a1d848ada17fdaa50fea9911478393b7dd62df03583bf79e0bc548ec9

Download Submit
C:\Windows\SysWOW64\Eamhodmf.exe

Filesize
320KB

MD5
5d8358f77525af25355d8e090868a303

SHA1
9b88a91495a6fc33334d18301a6987540aa8880a

SHA256
92a4cc97e2a5d5083ebfc237b97e693c460c864715e40411234c8937b9b262c6

SHA512
4b37897c502b7d59732c38de09a197077292ac839c7b9a2e91e2d499c3c30e805ac359b40901d32b3c243f3937c490751545b8fd3b63c9d99e296c00cf7aef81

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
320KB

MD5
dc3ea5ca6d666ea59034ee9f05072504

SHA1
2ff9e5f2e7e324e23f1b6ecae581f50c129c19cf

SHA256
415f917af24a2aa57f029f4a334dfd65938ffe8b72af90a1c30bbd575ec0b87c

SHA512
a331e89f65b35f6a112983e92dff8f782940c01d0c1fee548feb50831267373574a8564d35d93b377904deac8d361d3374221b92ebecda41e628b4a341fec9e5

Download Submit
C:\Windows\SysWOW64\Ecmeig32.exe

Filesize
320KB

MD5
eab5f9e88e3d41f57c52f34eecee465e

SHA1
6c1728bd67fa554b5758ab1a29772bf6d013f585

SHA256
f126d96c9d005ca0c609f7bb199499dd16a963bdbc91604da7b9c72d5f1113bb

SHA512
6019bccc89bae311ee01d0a0a6b9af0527a0fbff2633d4b9f0fb2bc454466613c1652354b83df44b77ebad61c961567bc80a74d0bcf3fb10ca3a7e2b6080cdff

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
320KB

MD5
bad514ac290670999735c0c5fff9084c

SHA1
bc701a7495fb8ff7b279f66a8c61f65180a4255c

SHA256
b4145eb72efd7b0fd70cf6d47b89c6bc9195029c3260f75c5aa51a1ab46d60c8

SHA512
64df008dbccdfb0e1e25b67c5fd5dcd5b98bbf7fe9e928ee2dcf99d4f9cad8bb17a6f26f4740f7c066660382bb945b42915560aed8a81b914fd81c4c764c45d3

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
320KB

MD5
a760819a62ad7d89e21aa8fd5cc77b51

SHA1
56a4ebae60b43d5c4bc972d6da62dedd0067eee8

SHA256
311d1b49490f9f68443cf8e0d137d6963a3f68ff53b723da0802f5f6f6743334

SHA512
a85c07a3e4ae808eec89d03fd9e1235bab3d275f50dde859ef5c99d5f71400eac6e08f6e66c486da3fc552f00622824fd22685462b5b1b969fc9dbd88e48e403

Download Submit
C:\Windows\SysWOW64\Eeidoc32.exe

Filesize
320KB

MD5
3142d4d0e1e3b6f1af120a894a1dde93

SHA1
b691fbe681c0a98a16267027c5be828d47ec72a3

SHA256
d780a5068a02adf1f0a3ace7a80ca12ac047b40efef5943f038f7ea5519e3223

SHA512
c49f7fe45ab4fd6c2ff3ffd9da3852f2caf6b9d1370280c1c486d5968c826e980f72afd3b486188ec31c9acdfe17d45534a567ecd72fea62f6aa545798e619c4

Download Submit
C:\Windows\SysWOW64\Eekaebcm.exe

Filesize
320KB

MD5
2793f7b1d3e27771dd6fd33eeb131ffc

SHA1
153fc7b49ec6ff1bf5dadd4bf9b7e4f760fbd20b

SHA256
b5cafa7a7cb0adcacba06395c2c37fec9747f6129f1f9bbcac829581385c5bc6

SHA512
4aecaa8cc4593ac05f44ef58af1bf5da7652bac20b619d56a8c88b64d739e407ecf41d17e9007d2ab1ebd221599fae57d5acb463b24829d2d282a506543688b5

Download Submit
C:\Windows\SysWOW64\Ehgqln32.exe

Filesize
320KB

MD5
5c47efca07569c19b4612e33528bb7e7

SHA1
ecdacbe8429a7127d7f87bd18864df49b7ab99fc

SHA256
d13c66548a7d3d09b85bb4663adfc630fcdc163efb186241fa8a04d5f40a83be

SHA512
8f7e877567528fbbb99ff9233d8aa7c0ab5c6cf14a8a5460ed7361f0e38c808e00abca637099bc4afd008672f19cf82888e41fcad7c28963fdff3911c3058489

Download Submit
C:\Windows\SysWOW64\Ehimanbq.exe

Filesize
320KB

MD5
2a5a89e9e81902026b6c0880d73eb9b5

SHA1
3b242bab583b2da71f68f7bd10eb36abb6d60e7e

SHA256
1cd3fa307a3e7e9bcad2b5870c8af554d8070c6b438bc277f85c4daa1c288c91

SHA512
f1108e2bed5e2c2ddabb55aa6beaca5fcc6a31b3beab06a2c97c2afc7eed693a718b4419a83b27be79768f53b985dfc197dea7b429227adaff8a66fe10b19ff9

Download Submit
C:\Windows\SysWOW64\Ekacmjgl.exe

Filesize
320KB

MD5
c3cb5885d276947f108691a91a32f31b

SHA1
6f9f3aaae49d2b6a6272651ff11e7a751da22d64

SHA256
1e8eedd15e255dc647aafc63dd40ca19f23983293385de48e029d7d510b7bbb0

SHA512
af2fd7f20b9f385d0dd3940ce8068932c0d3678aa67b6842b6c22cb5a5db54dfca37b5401df63c539d7abbe3face8ead49689cbe0cd6b91c90e08fa20de6bad7

Download Submit
C:\Windows\SysWOW64\Ekhjmiad.exe

Filesize
320KB

MD5
e4fbfe598a4d62340a4483502f4976a8

SHA1
2315180684072c78cf9357805308370bc64d4050

SHA256
66e29b3cf3b61ed152a3270db731cc0ec616999b881dd970600c65af0f8ec95f

SHA512
14cc040f63bdd0d9f97be484835aa376988a9a9ef0d87ce304f5a1e04fcb39aac7bc6b8c2ba55dca9cf6093686ed6677c0751737ba94f5c04257a7834cc67698

Download Submit
C:\Windows\SysWOW64\Eleiam32.exe

Filesize
320KB

MD5
d7febf5265fe6715a1e7beb758bb986c

SHA1
f7bb17c46064bc5387b3255f39d67156262cb883

SHA256
cab00d4de865c4ace8a50cbbfb70545ea85fd91a8655e598501d3a8e6eccb619

SHA512
0093cb23b95a4d2f91fac8f83f3c2f4ae6f0f95c93075f8555602b1f66297c6d66b3f3e4605af86187d7958acf8cea5365ae4c6202ecaa897dc92155023c14c2

Download Submit
C:\Windows\SysWOW64\Eocenh32.exe

Filesize
320KB

MD5
601f64ddb3c45f142bf22ef556c54b78

SHA1
6e1123282f5b695465742a7dc862c40e4e68c310

SHA256
599a32056374b36e6c57bb8ee3c6d117f9d6a225977fec790475d50fb372b0b0

SHA512
f4e6802aa5c38e6b4d712b7d31bdf59adb94bfabadf98a33cdf8fa62be46d6c5c4b1bccadd9e6db0839e05adc925a01405af339b98c48c39f01db47f93b18ef8

Download Submit
C:\Windows\SysWOW64\Eoolbinc.exe

Filesize
320KB

MD5
c82a8b4df28e2d2dddd4a183aa42f4aa

SHA1
91ea8a5ba3768ce216a43e1c3c3d4b0e883c8642

SHA256
c6a07b15e0c1f62426bbac88e7520f76ee4b6eb06adb4bf146b06d82e7177981

SHA512
98bf927f621fda7e8ca5e4579e588c315303338e0735b3a8a1594a1662903561608997fd241c3733916838e919810c54afcf7e38db4a8651032e1dfa14d1c1f8

Download Submit
C:\Windows\SysWOW64\Gdhmnlcj.exe

Filesize
320KB

MD5
47955c1143f685eac151df227808aab5

SHA1
f54a7138f983e554388235846d8ae07a662401dc

SHA256
0f375a278db3a32bb092dbb15d2c365d806366bf54f66b5c9026be62b53741aa

SHA512
ee15dd800319e058e7496db79cf04fc8779130b7db666087ff788dae7cb1fa3dd223eac0e0661929b0f86fbb4ccc4d9e69787cdf7ff0d3250ced5b0bcf9dc078

Download Submit
C:\Windows\SysWOW64\Hflcbngh.exe

Filesize
320KB

MD5
c4ddb0e513de80ec1aac4becab450f8c

SHA1
710789038df49afb76a9e0b858ff18db4dfd0cae

SHA256
cdee02f54506799d631402afd44314d8fcc3a9714c09ce1ecf85ef4145e41642

SHA512
16574ecf72d4f85cfc47975b3b340bf7084b0f9db261672713b435e0826a3be111303921bdd8e3a752861ce6187f3fae1536e1a2468eba2405354e53593e8c34

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
320KB

MD5
ab9b2f261c0f510a3aedc66c969d311a

SHA1
0696f0ae1fa20ec0294a8ff30d6ebf3250ee62f4

SHA256
16682a890c8356ede2e8d230589c5005aacf20ea393513c38710198d58ad62a5

SHA512
8799b69a327404dca8e7042e5089baf26c40f95bd9e650a280ec319a5ee6024ed348fe0a9dc85e351626ef5ac377b0b53264845c0eaed53f32e1c22528a63668

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
320KB

MD5
52cc9804a8ec9310e174f51cd5c0a0da

SHA1
63df03c34f49c507c8bb5da5e72c74ee04b6573a

SHA256
08e26caaeb3eff9a6fae7a2c24e371b575c2d727139e34caf637a00e23123e84

SHA512
6fbc03d5f200d74abe9ceb58d5784b91c2c42b014c9428a60fe2abf6d1e57bc04c4b50c7264ec517f25dcc1764b98352bd3e7ee6c79809954f43d7a91378b9f6

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
320KB

MD5
2df147bc6537233efecc70be7c52f075

SHA1
6f6472c8f9783dd84178b3d093fe629e7dfbfac0

SHA256
9359c997fbf1f868db4e7bf606dcb57fbfd211645dd1bca3b239e95a1fcef748

SHA512
394d1185364d3685a32ce30148eb3da448dd995baded47f73498ed57365c9451c622df13b2b9d254b7f564ddde841c72a0d07049fbdd9e76ca69f5a2f0924a06

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
320KB

MD5
156e3dda5320631d16dec8e2a135e1ea

SHA1
b020de6d5f9f731868850055f736a9ac1a48c0e0

SHA256
732df72f975d3714e64eb9a3046cbb7801fffbbe000be37776733a186b50304c

SHA512
cef6b9b2b7362eec05b8af4946f51ea3a574bcba35e707b13cc9684efa3bf811ab2b5105e6ff0d3a62713f9ddf452cafbdcda88a9b0ef42d6c8a3e1bf1e24d21

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
320KB

MD5
fa7e5e2c3897e90ea2254ed8592fa913

SHA1
1d485a233d52181dedbb548e0e928b86ed911e40

SHA256
97417c0a293b299115d096589ba67758938309cd8d6c2408b01dae424b3049b6

SHA512
49af344a47d4b47474e69c704edee07d5efe7397deee1e6db3e66c5ce274629b2abe03972dc63ef08e1fabdf9449c81559c57ce0ee7684cbd49d29d1a1457e1f

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
320KB

MD5
807ff1ed61cfaca31c20d85361c7c6f9

SHA1
a81cbe7a8678cc304acd83add14e579bfb2b8b86

SHA256
336311d687e6bff87f6da4a9f1ebe0086de7924565a3469f25d4ca1e5c017b57

SHA512
266ccc17eeb3398d36d838af8846461162933571519debccf83f423357621a52cc377f6c71e5f51f3ed11274f1ac3cfabe3915f2199f1a3a1da41ac219be668e

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
320KB

MD5
3bbf284880a0c94a3da22b99211c8820

SHA1
e400f3cf087fc17ccbc6d4546c9f05e05aba9b0d

SHA256
7efcaea54bd7f88ec6e910ff7a7a3bc0501f16664a3704f39b26bf54be6659fb

SHA512
947d741991c2c2167bf69f1bfdbe8786bfdc528018dece2d684687e5d4d84f9224c9d06c7b118667a1699b7b556d4b8cfc992b94997d176fedc03b8f5e9e8664

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
320KB

MD5
eb2d35ce1a47ef30d5ede5a15a23d3a4

SHA1
39a3d775ce5bcff2301ae0f9dcb11cc5c74eac20

SHA256
f5c227b449a1bea8064d83107e1143180b5cd1f412d4c4dc1e3c4e10fafd34fc

SHA512
456a2cfe7cbc3fc832ef69d841cd9c17856da4411a04ef32dbd49cbaa463d6418194e8ca077a730d62d5313de91764e2bb52aa3c4649cbdf86dbddf397196ebc

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
320KB

MD5
2645c9aaad87cee4a47cbaa11b46ca68

SHA1
71706d3972a2e000b77f26132fc50e2b7cf78640

SHA256
68f8fedce9c4e7f35c51a28e4c4493d747315dea0dfe81860288a97d7856d00e

SHA512
42245fb77d0a526b3381c0f6e86a61af6fcc64ff9fea05169f2ff63c9af54469ae25f563bf0ab390f513eb1e21a6481dc27cd6d7042f9b6ec93da48da23a13ad

Download Submit
C:\Windows\SysWOW64\Picpfp32.dll

Filesize
7KB

MD5
39dd2097af7ae956dda98d02190731ac

SHA1
441e8c1e13b467a82e019e46dc026989c5c621cd

SHA256
5dadbd7d5ce4f64109927d5fc5eb5ec98e8572a650bc2d9ec8fd2cc4d9a3651f

SHA512
cec569dc6809a4ba78fc60bf55bc05790b364f5da6744cb7011017ea585dacba930c52ac9ee66029875991ba3c7f3c94dc736fc4a280ea181c41c1f7ff887c61

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
320KB

MD5
a2112c51f3aa0a3810a35570de3dce67

SHA1
2ae485cd9fcc7b81f88e6e4dbe4516f3dad05a83

SHA256
037d9e22a9dce6c846ed5eff0fb6bbd73adfb2754c0acb09c3af10943a6e50c5

SHA512
328696a73de6c925f51be9a503592c0b8c1affd36413be5de6f6bc35654e18f8864779de110ac5359f95c39812e9bd1e4584e27350de2c61a955d317c8dab80e

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
320KB

MD5
1bceca6e5c0731daf1e071d448e00de9

SHA1
ab3563b2b37d4a3fad10cd12ed49b7e0bb51b001

SHA256
d3728947c889cc0292397414323e7976a7abfdc10f4f183f402d0b3c68ccd308

SHA512
6ff965b7b3e75c8827af3e9cebe5025cc215b5820e35f00f5a493bf71f5456b3b894be28fdea46b9d6349837601ad8c63c926b1b5f878c07974859a16ca068dc

Download Submit
memory/8-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/392-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/404-35-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/432-476-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/632-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/644-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/728-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/812-513-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/880-556-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/996-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1000-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1028-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-474-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1112-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1132-537-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1144-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1196-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1216-488-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-357-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1420-626-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1464-612-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1496-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1568-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1592-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1720-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-480-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1756-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1832-542-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1952-482-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1996-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2164-469-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2296-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2344-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2516-603-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2520-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-632-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-477-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-475-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2960-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2988-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3076-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3088-386-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3224-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3260-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3264-620-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3340-592-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3380-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3408-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3508-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3532-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3544-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3556-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3724-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3728-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3980-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4040-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4064-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-481-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4080-634-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4084-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4340-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-470-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4372-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4416-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4452-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4500-506-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4532-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4556-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4620-608-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4652-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4668-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4736-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-554-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4804-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4852-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4880-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5108-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download