8ab1ae39f4bf7da103b2bb9d6cad7a272651c6fcdcd22ca08fb17e2f85988ba9

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 06:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d4a5a584a7e3a1086dffb82cb48d3e0_NeikiAnalytics.exe
Size

128KB
MD5

5d4a5a584a7e3a1086dffb82cb48d3e0
SHA1

d6862ba3b1d9843d85dc64925004677e0de8fc2f
SHA256

8ab1ae39f4bf7da103b2bb9d6cad7a272651c6fcdcd22ca08fb17e2f85988ba9
SHA512

6654d3426fe3f3e5d0f579ec8bac7f22abab8c33ec53e863d59d4f54e3145f8eda4375ccbf064913bc32339f98e80061386631db3d09d2b685139f9979f03fac
SSDEEP

3072:oKeiCoYrUDI+cPzdX/YfqJDrLXfzoeqarm9mTKpAImA:oyCTW4l/YfqlXfxqySSKpRmA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgoobc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlnon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elbmlmml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himldi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhqcam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaepqjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdgdgnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clbceo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkapp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gomakdcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbiaapdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pengdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adcmmeog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fohoigfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcddpdpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdeqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdeqhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdbhcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojmcld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjpiha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcddpdpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onmhgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnnep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekacmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe

Executes dropped EXE 64 IoCs

pid	Process
376	Ojmcld32.exe
2016	Oqgkhnjf.exe
1604	Ocegdjij.exe
1328	Okloegjl.exe
4740	Oqihnn32.exe
2032	Ocgdji32.exe
4080	Onmhgb32.exe
4700	Odgqdlnj.exe
2092	Pgemphmn.exe
4292	Pjdilcla.exe
3408	Pqnaim32.exe
4424	Pkceffcd.exe
896	Pbmncp32.exe
4560	Peljol32.exe
3588	Pjhbgb32.exe
3700	Pndohaqe.exe
4456	Pengdk32.exe
1028	Pjkombfj.exe
2096	Paegjl32.exe
1000	Pgopffec.exe
4200	Pjmlbbdg.exe
1148	Pagdol32.exe
2704	Qgallfcq.exe
3144	Qjpiha32.exe
2672	Qajadlja.exe
3208	Qchmagie.exe
3356	Qjbena32.exe
2356	Qnnanphk.exe
2784	Acjjfggb.exe
3152	Ajdbcano.exe
1548	Abkjdnoa.exe
3244	Aejfpjne.exe
1792	Ahhblemi.exe
3140	Anbkio32.exe
4308	Aaqgek32.exe
1364	Ahkobekf.exe
2884	Ajiknpjj.exe
3976	Andgoobc.exe
724	Aacckjaf.exe
4216	Aeopki32.exe
1152	Alhhhcal.exe
4360	Ajkhdp32.exe
1768	Aaepqjpd.exe
3364	Adcmmeog.exe
2368	Ahoimd32.exe
856	Aniajnnn.exe
2244	Abemjmgg.exe
900	Becifhfj.exe
1832	Blmacb32.exe
3484	Bnlnon32.exe
2348	Bbgipldd.exe
4452	Bdhfhe32.exe
1840	Bhdbhcck.exe
1012	Bbifelba.exe
1972	Bdkcmdhp.exe
1336	Bhfonc32.exe
1976	Bjdkjo32.exe
1108	Bejogg32.exe
1964	Bldgdago.exe
2276	Bemlmgnp.exe
1180	Blfdia32.exe
2444	Cbqlfkmi.exe
4052	Cogmkl32.exe
2592	Cafigg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ioeeep32.dll	Adcmmeog.exe
File created	C:\Windows\SysWOW64\Fobdihjo.dll	Clbceo32.exe
File created	C:\Windows\SysWOW64\Jplfcpin.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Pjmlbbdg.exe	Pgopffec.exe
File opened for modification	C:\Windows\SysWOW64\Elppfmoo.exe	Edihepnm.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Eegdfm32.dll	Ahkobekf.exe
File opened for modification	C:\Windows\SysWOW64\Lljfpnjg.exe	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Eapedd32.exe	Eoaihhlp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Habmmpbg.dll	Ahoimd32.exe
File opened for modification	C:\Windows\SysWOW64\Himldi32.exe	Hfnphn32.exe
File created	C:\Windows\SysWOW64\Hbnjmp32.exe	Hopnqdan.exe
File created	C:\Windows\SysWOW64\Aaqfok32.dll	Ifllil32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ajkhdp32.exe	Alhhhcal.exe
File created	C:\Windows\SysWOW64\Gdeqhl32.exe	Gcddpdpo.exe
File opened for modification	C:\Windows\SysWOW64\Fljcmlfd.exe	Ehnglm32.exe
File created	C:\Windows\SysWOW64\Edgbbfnk.dll	Klngdpdd.exe
File opened for modification	C:\Windows\SysWOW64\Bhfonc32.exe	Bdkcmdhp.exe
File opened for modification	C:\Windows\SysWOW64\Ekjfcipa.exe	Ehljfnpn.exe
File created	C:\Windows\SysWOW64\Lffhfh32.exe	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Okloegjl.exe	Ocegdjij.exe
File opened for modification	C:\Windows\SysWOW64\Ecandfpd.exe	Ekjfcipa.exe
File created	C:\Windows\SysWOW64\Hqdeld32.dll	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Nhdlom32.dll	Fdnjgmle.exe
File created	C:\Windows\SysWOW64\Elogmm32.dll	Jpgmha32.exe
File created	C:\Windows\SysWOW64\Gpiaib32.dll	Gbbkaako.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Kpbmco32.exe	Kmdqgd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Fakdpb32.exe	Fomhdg32.exe
File created	C:\Windows\SysWOW64\Nlplhfon.dll	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Bdkcmdhp.exe	Bbifelba.exe
File opened for modification	C:\Windows\SysWOW64\Dbaemi32.exe	Dkjmlk32.exe
File created	C:\Windows\SysWOW64\Hiefcj32.exe	Gfgjgo32.exe
File opened for modification	C:\Windows\SysWOW64\Ibcmom32.exe	Imfdff32.exe
File opened for modification	C:\Windows\SysWOW64\Jblpek32.exe	Jcioiood.exe
File created	C:\Windows\SysWOW64\Aecqac32.dll	Cbqlfkmi.exe
File opened for modification	C:\Windows\SysWOW64\Cafigg32.exe	Cogmkl32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgdji32.exe	Oqihnn32.exe
File created	C:\Windows\SysWOW64\Fhglla32.dll	Elppfmoo.exe
File created	C:\Windows\SysWOW64\Hledan32.dll	Kfjhkjle.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Iddoeojd.dll	Dhbgqohi.exe
File opened for modification	C:\Windows\SysWOW64\Foabofnn.exe	Fdlnbm32.exe
File created	C:\Windows\SysWOW64\Qdldlm32.dll	Pjkombfj.exe
File created	C:\Windows\SysWOW64\Kjhonjco.dll	Pjmlbbdg.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Fojlngce.exe	Fhqcam32.exe
File created	C:\Windows\SysWOW64\Jpphah32.dll	Jfeopj32.exe
File created	C:\Windows\SysWOW64\Elppfmoo.exe	Edihepnm.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8572	8244	WerFault.exe	420

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmkghpm.dll"	Pagdol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edihepnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcpopjlq.dll"	Blfdia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njohbh32.dll"	Ibjjhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjbena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nconcm32.dll"	Bejogg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkdbpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgopffec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbgipldd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imfdff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjdilcla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnnanphk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhkephlb.dll"	Fdgdgnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcddpdpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfmkjoa.dll"	Gfgjgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dadeieea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpaqkn32.dll"	Ehnglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hopnqdan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glccbn32.dll"	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimmfkfe.dll"	Qgallfcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphkfg32.dll"	Blmacb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcoimpn.dll"	Gbdgfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjnop32.dll"	Imakkfdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnlnon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ednaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohkbc32.dll"	Gblngpbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icifbang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ippggbck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmbha32.dll"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cafigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docjlc32.dll"	Iiaephpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacghh32.dll"	Iihkpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kepelfam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bldgdago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbnjmp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 376	920	5d4a5a584a7e3a1086dffb82cb48d3e0_NeikiAnalytics.exe	81
PID 920 wrote to memory of 376	920	5d4a5a584a7e3a1086dffb82cb48d3e0_NeikiAnalytics.exe	81
PID 920 wrote to memory of 376	920	5d4a5a584a7e3a1086dffb82cb48d3e0_NeikiAnalytics.exe	81
PID 376 wrote to memory of 2016	376	Ojmcld32.exe	82
PID 376 wrote to memory of 2016	376	Ojmcld32.exe	82
PID 376 wrote to memory of 2016	376	Ojmcld32.exe	82
PID 2016 wrote to memory of 1604	2016	Oqgkhnjf.exe	83
PID 2016 wrote to memory of 1604	2016	Oqgkhnjf.exe	83
PID 2016 wrote to memory of 1604	2016	Oqgkhnjf.exe	83
PID 1604 wrote to memory of 1328	1604	Ocegdjij.exe	84
PID 1604 wrote to memory of 1328	1604	Ocegdjij.exe	84
PID 1604 wrote to memory of 1328	1604	Ocegdjij.exe	84
PID 1328 wrote to memory of 4740	1328	Okloegjl.exe	85
PID 1328 wrote to memory of 4740	1328	Okloegjl.exe	85
PID 1328 wrote to memory of 4740	1328	Okloegjl.exe	85
PID 4740 wrote to memory of 2032	4740	Oqihnn32.exe	86
PID 4740 wrote to memory of 2032	4740	Oqihnn32.exe	86
PID 4740 wrote to memory of 2032	4740	Oqihnn32.exe	86
PID 2032 wrote to memory of 4080	2032	Ocgdji32.exe	88
PID 2032 wrote to memory of 4080	2032	Ocgdji32.exe	88
PID 2032 wrote to memory of 4080	2032	Ocgdji32.exe	88
PID 4080 wrote to memory of 4700	4080	Onmhgb32.exe	89
PID 4080 wrote to memory of 4700	4080	Onmhgb32.exe	89
PID 4080 wrote to memory of 4700	4080	Onmhgb32.exe	89
PID 4700 wrote to memory of 2092	4700	Odgqdlnj.exe	90
PID 4700 wrote to memory of 2092	4700	Odgqdlnj.exe	90
PID 4700 wrote to memory of 2092	4700	Odgqdlnj.exe	90
PID 2092 wrote to memory of 4292	2092	Pgemphmn.exe	92
PID 2092 wrote to memory of 4292	2092	Pgemphmn.exe	92
PID 2092 wrote to memory of 4292	2092	Pgemphmn.exe	92
PID 4292 wrote to memory of 3408	4292	Pjdilcla.exe	93
PID 4292 wrote to memory of 3408	4292	Pjdilcla.exe	93
PID 4292 wrote to memory of 3408	4292	Pjdilcla.exe	93
PID 3408 wrote to memory of 4424	3408	Pqnaim32.exe	94
PID 3408 wrote to memory of 4424	3408	Pqnaim32.exe	94
PID 3408 wrote to memory of 4424	3408	Pqnaim32.exe	94
PID 4424 wrote to memory of 896	4424	Pkceffcd.exe	95
PID 4424 wrote to memory of 896	4424	Pkceffcd.exe	95
PID 4424 wrote to memory of 896	4424	Pkceffcd.exe	95
PID 896 wrote to memory of 4560	896	Pbmncp32.exe	97
PID 896 wrote to memory of 4560	896	Pbmncp32.exe	97
PID 896 wrote to memory of 4560	896	Pbmncp32.exe	97
PID 4560 wrote to memory of 3588	4560	Peljol32.exe	98
PID 4560 wrote to memory of 3588	4560	Peljol32.exe	98
PID 4560 wrote to memory of 3588	4560	Peljol32.exe	98
PID 3588 wrote to memory of 3700	3588	Pjhbgb32.exe	99
PID 3588 wrote to memory of 3700	3588	Pjhbgb32.exe	99
PID 3588 wrote to memory of 3700	3588	Pjhbgb32.exe	99
PID 3700 wrote to memory of 4456	3700	Pndohaqe.exe	100
PID 3700 wrote to memory of 4456	3700	Pndohaqe.exe	100
PID 3700 wrote to memory of 4456	3700	Pndohaqe.exe	100
PID 4456 wrote to memory of 1028	4456	Pengdk32.exe	101
PID 4456 wrote to memory of 1028	4456	Pengdk32.exe	101
PID 4456 wrote to memory of 1028	4456	Pengdk32.exe	101
PID 1028 wrote to memory of 2096	1028	Pjkombfj.exe	102
PID 1028 wrote to memory of 2096	1028	Pjkombfj.exe	102
PID 1028 wrote to memory of 2096	1028	Pjkombfj.exe	102
PID 2096 wrote to memory of 1000	2096	Paegjl32.exe	103
PID 2096 wrote to memory of 1000	2096	Paegjl32.exe	103
PID 2096 wrote to memory of 1000	2096	Paegjl32.exe	103
PID 1000 wrote to memory of 4200	1000	Pgopffec.exe	104
PID 1000 wrote to memory of 4200	1000	Pgopffec.exe	104
PID 1000 wrote to memory of 4200	1000	Pgopffec.exe	104
PID 4200 wrote to memory of 1148	4200	Pjmlbbdg.exe	105

C:\Users\Admin\AppData\Local\Temp\5d4a5a584a7e3a1086dffb82cb48d3e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d4a5a584a7e3a1086dffb82cb48d3e0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SysWOW64\Ojmcld32.exe
  C:\Windows\system32\Ojmcld32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\SysWOW64\Oqgkhnjf.exe
    C:\Windows\system32\Oqgkhnjf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\Ocegdjij.exe
      C:\Windows\system32\Ocegdjij.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\SysWOW64\Okloegjl.exe
        
        C:\Windows\system32\Okloegjl.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Windows\SysWOW64\Oqihnn32.exe
        
        C:\Windows\system32\Oqihnn32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Ocgdji32.exe
        
        C:\Windows\system32\Ocgdji32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Onmhgb32.exe
        
        C:\Windows\system32\Onmhgb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Odgqdlnj.exe
        
        C:\Windows\system32\Odgqdlnj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Pgemphmn.exe
        
        C:\Windows\system32\Pgemphmn.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Pjdilcla.exe
        
        C:\Windows\system32\Pjdilcla.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Pqnaim32.exe
        
        C:\Windows\system32\Pqnaim32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Pkceffcd.exe
        
        C:\Windows\system32\Pkceffcd.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Pbmncp32.exe
        
        C:\Windows\system32\Pbmncp32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Peljol32.exe
        
        C:\Windows\system32\Peljol32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Pjhbgb32.exe
        
        C:\Windows\system32\Pjhbgb32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Pndohaqe.exe
        
        C:\Windows\system32\Pndohaqe.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Pengdk32.exe
        
        C:\Windows\system32\Pengdk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Pjkombfj.exe
        
        C:\Windows\system32\Pjkombfj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Paegjl32.exe
        
        C:\Windows\system32\Paegjl32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Pgopffec.exe
        
        C:\Windows\system32\Pgopffec.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Pjmlbbdg.exe
        
        C:\Windows\system32\Pjmlbbdg.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Pagdol32.exe
        
        C:\Windows\system32\Pagdol32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Qgallfcq.exe
        
        C:\Windows\system32\Qgallfcq.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Qjpiha32.exe
        
        C:\Windows\system32\Qjpiha32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Qajadlja.exe
        
        C:\Windows\system32\Qajadlja.exe
        26⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Qchmagie.exe
        
        C:\Windows\system32\Qchmagie.exe
        27⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Qjbena32.exe
        
        C:\Windows\system32\Qjbena32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Qnnanphk.exe
        
        C:\Windows\system32\Qnnanphk.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Acjjfggb.exe
        
        C:\Windows\system32\Acjjfggb.exe
        30⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\Ajdbcano.exe
        
        C:\Windows\system32\Ajdbcano.exe
        31⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Abkjdnoa.exe
        
        C:\Windows\system32\Abkjdnoa.exe
        32⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\Aejfpjne.exe
        
        C:\Windows\system32\Aejfpjne.exe
        33⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Ahhblemi.exe
        
        C:\Windows\system32\Ahhblemi.exe
        34⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\Anbkio32.exe
        
        C:\Windows\system32\Anbkio32.exe
        35⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Aaqgek32.exe
        
        C:\Windows\system32\Aaqgek32.exe
        36⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Ahkobekf.exe
        
        C:\Windows\system32\Ahkobekf.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        38⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\Andgoobc.exe
        
        C:\Windows\system32\Andgoobc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Aacckjaf.exe
        
        C:\Windows\system32\Aacckjaf.exe
        40⤵
        Executes dropped EXE
        
        PID:724
        
        C:\Windows\SysWOW64\Aeopki32.exe
        
        C:\Windows\system32\Aeopki32.exe
        41⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Alhhhcal.exe
        
        C:\Windows\system32\Alhhhcal.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        43⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Aaepqjpd.exe
        
        C:\Windows\system32\Aaepqjpd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Ahoimd32.exe
        
        C:\Windows\system32\Ahoimd32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\Aniajnnn.exe
        
        C:\Windows\system32\Aniajnnn.exe
        47⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\Abemjmgg.exe
        
        C:\Windows\system32\Abemjmgg.exe
        48⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Becifhfj.exe
        
        C:\Windows\system32\Becifhfj.exe
        49⤵
        Executes dropped EXE
        
        PID:900
        
        C:\Windows\SysWOW64\Blmacb32.exe
        
        C:\Windows\system32\Blmacb32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Bnlnon32.exe
        
        C:\Windows\system32\Bnlnon32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Bbgipldd.exe
        
        C:\Windows\system32\Bbgipldd.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        53⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Bhdbhcck.exe
        
        C:\Windows\system32\Bhdbhcck.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Bbifelba.exe
        
        C:\Windows\system32\Bbifelba.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\Bhfonc32.exe
        
        C:\Windows\system32\Bhfonc32.exe
        57⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\Bjdkjo32.exe
        
        C:\Windows\system32\Bjdkjo32.exe
        58⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Bejogg32.exe
        
        C:\Windows\system32\Bejogg32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        61⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\Blfdia32.exe
        
        C:\Windows\system32\Blfdia32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Cbqlfkmi.exe
        
        C:\Windows\system32\Cbqlfkmi.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Cafigg32.exe
        
        C:\Windows\system32\Cafigg32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        66⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        67⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        68⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        69⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\Cefoce32.exe
        
        C:\Windows\system32\Cefoce32.exe
        70⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Cbjoljdo.exe
        
        C:\Windows\system32\Cbjoljdo.exe
        71⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        72⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        74⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        75⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        76⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        77⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        78⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:624
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        80⤵
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        81⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        82⤵
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:416
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        84⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        85⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        86⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\Dojcgi32.exe
        
        C:\Windows\system32\Dojcgi32.exe
        87⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        88⤵
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4016
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        90⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        92⤵
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        93⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        95⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        96⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        97⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        98⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        99⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        100⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        101⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        102⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        103⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        104⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        106⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        108⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        109⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        111⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        112⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        114⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        115⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        116⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        117⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        118⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        119⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        121⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        122⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        123⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        124⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        125⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        126⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        127⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        128⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        129⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        130⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        133⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        134⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        136⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        137⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        139⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        141⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        142⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        144⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        145⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        146⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        147⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        148⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        149⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        150⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        151⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        152⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        154⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        155⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        156⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        157⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        158⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        160⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        161⤵
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        162⤵
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        163⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        164⤵
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        165⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        166⤵
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        167⤵
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        168⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        169⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        170⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        172⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        173⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        174⤵
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6924
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        176⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        177⤵
        Drops file in System32 directory
        
        PID:7008
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        178⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        179⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        180⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        181⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        182⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6364
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        186⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        188⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        190⤵
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6828
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        192⤵
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6996
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        194⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        195⤵
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        196⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        197⤵
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        198⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        199⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6380
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6480
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        202⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        203⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6824
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6944
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7048
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        207⤵
        Modifies registry class
        
        PID:7104
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        208⤵
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        209⤵
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        210⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        211⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6748
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        213⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        215⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6280
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        217⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        218⤵
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        219⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        220⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        221⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        222⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        223⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        224⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7188
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        228⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        229⤵
        Drops file in System32 directory
        
        PID:7272
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        230⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        231⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        232⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7440
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        234⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7524
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        236⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        237⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        238⤵
        Drops file in System32 directory
        
        PID:7656
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        239⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7700
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        240⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        241⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        242⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        243⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        244⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        245⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        246⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        247⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        248⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        249⤵
        Modifies registry class
        
        PID:8128
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        250⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        251⤵
        Modifies registry class
        
        PID:7184
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        252⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        253⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7392
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        255⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7536
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7604
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        258⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7748
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        260⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        261⤵
        Drops file in System32 directory
        
        PID:7912
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        262⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8028
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        264⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        265⤵
        Modifies registry class
        
        PID:8180
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        266⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        267⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        268⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        269⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        270⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7692
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        271⤵
        Drops file in System32 directory
        
        PID:7788
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        272⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        273⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        274⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7240
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        276⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        277⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        278⤵
        Modifies registry class
        
        PID:7768
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        279⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        280⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        281⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        282⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        283⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        284⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        285⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7580
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        286⤵
        Modifies registry class
        
        PID:8036
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        287⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        288⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        289⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        290⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        291⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        292⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        293⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        294⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8368
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        295⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        296⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        297⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8500
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        298⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        299⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        300⤵
        Modifies registry class
        
        PID:8632
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        301⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8724
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        303⤵
        Modifies registry class
        
        PID:8768
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        304⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        305⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8848
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        306⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        307⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        308⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        309⤵
        Drops file in System32 directory
        
        PID:9028
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        310⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9072
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        311⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        312⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9160
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        313⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        314⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        315⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        316⤵
        Drops file in System32 directory
        
        PID:8364
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        317⤵
        Drops file in System32 directory
        
        PID:8440
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        318⤵
        Drops file in System32 directory
        
        PID:8512
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        319⤵
        Modifies registry class
        
        PID:8576
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        320⤵
        Drops file in System32 directory
        
        PID:8660
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        321⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        322⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8780
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        323⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8860
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        324⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        325⤵
        Modifies registry class
        
        PID:9012
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        326⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        327⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        328⤵
        Modifies registry class
        
        PID:9212
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        329⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        330⤵
        Drops file in System32 directory
        
        PID:8420
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        331⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        332⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8620
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        333⤵
        Modifies registry class
        
        PID:8708
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        334⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8836
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        335⤵
        Modifies registry class
        
        PID:8908
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        336⤵
        Drops file in System32 directory
        
        PID:9016
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        337⤵
        Drops file in System32 directory
        
        PID:9104
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        338⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8244 -s 416
        339⤵
        Program crash
        
        PID:8572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8244 -ip 8244
1⤵
PID:8508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abkjdnoa.exe

Filesize
128KB

MD5
823661d55099516f0751febaee1f4a63

SHA1
e4b161688bf0dcc3a500a1f4f08ba95aa857f786

SHA256
0b329596400b09a34305ae4edc3a7e903dd7f7a004c67ef922a783d2ab0040ab

SHA512
f463db9ba2342fa100fd9a0cd89892f1687659f27b65ee016c531817e92dc56e91e086f079b4350c75188a2bc5d5490630ac14d5bd4b774f16645ae3ed96b714

Download Submit
C:\Windows\SysWOW64\Acjjfggb.exe

Filesize
128KB

MD5
4092bd8cf97815f7a793957c10e780bc

SHA1
1689c7772ecb6ec4c83bdb3a6be7d2fded68f443

SHA256
8c87887083368818322d079816230e74fae3878096cbe4e3153660abfe348e0e

SHA512
b9e96fcbf0186d8b669eca3ab68bb4fc25822b2c2009c41d652253fdd07d6c144b681f382fe6205421cb781a6b99c1061e65fa4605a8edaab1e223831fdaefe2

Download Submit
C:\Windows\SysWOW64\Aejfpjne.exe

Filesize
128KB

MD5
efcffaeaed50630f164644b617d99bc1

SHA1
2cf3a95db0b3e476a8d9715c7c90c8d3b3985c74

SHA256
ea833a73d4d28cac5c7f1c42c88890d9ebf1fc19a9b0586ecbda1bb58b6a2523

SHA512
242ef0c3ca6ac7632db8e9599a99de45c649c71627a75959a0864240fea4d95a0237da8df42ffd65882dfd3fb86a2ac5fd293ea193071cd5762bba8bca0fc1b7

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
128KB

MD5
f890c4f4f852bf7ccbc6c1f0cd4ac909

SHA1
cbc9011cb977cc5f8409d79ce50dd1cb3498cd60

SHA256
3adf3d9979248dd919a3db6145be83649985e0c3cae44bccc2a671c54af0d543

SHA512
422d8f6abebf421112e98e0a263f570ca602880b5e8a34b974da8d5dde6682e7329618274c21339ebe4ec47c574d8340cd8acfc05df8def89c9a3da8f6a37063

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
128KB

MD5
1bf21ddb487865db680b589b34f9055a

SHA1
19d6b1459eae742abc2310278319365f4d4842af

SHA256
3a43f079bc9d21b5dd8d772fa5fc024a160cdeacedc6f905e3eabfb8df983238

SHA512
41a895ef29bdee377f0a04d829050d1d6417cd802cf414d6c17f9439a83a5cd0c3e9827d5a772c62df8512cb42bbb97b34468ebc4a5d37bd02ed58108a9e7f6b

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
128KB

MD5
7fb0c3b2c54f1611da75dac03f3de0a5

SHA1
5e5a3070dae10e49ad27a7e470e96fa5f9ad4081

SHA256
700ee2e4a30dcd242470f290043886f7e3b02ae95590675e2b5bfca58f251c10

SHA512
efee2c39a15fb1f09dc77ec5f6bf016b68e31dc2331270285dd90868256cbb373fa9b660d96da5dc9a2c86d35f3d552778c6d12567094df8bdb7cf4752dadfc1

Download Submit
C:\Windows\SysWOW64\Ajdbcano.exe

Filesize
128KB

MD5
9b80967c814d49b0a9898f6c30f5c1de

SHA1
49398de029ba1f9d6e59f2110771eeaa662977f0

SHA256
509e2ae0f2e48a50c39250edba4ec1839950405afea995c5a1be41c173894a24

SHA512
dc3dfcd7205b2164e104b538da24c00ed06b67668d09d0a514d167ee538391d095f4d4a8fa56183aee3784e7d0cc383bdc278d25571ea5e284de4ba8378aaee4

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
128KB

MD5
e9fa77b1ac906ac0b651355b63441178

SHA1
f4a129814d06c19c99408d50fbea7d6a76d0a709

SHA256
7d78a1304b9ec9067ce4e85f3660c6ced081c671ed00c78035eb9c6eee62eb22

SHA512
9880da1b8307f94889f172ffdc3cd16e9459f29de8acb1b61cf1803e61de79ef35f03d5d3fc1578a8f4866d9794ca624309f22c02a0fd497b2816d986a8b8dfd

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
64KB

MD5
23f5db06b404d8e09f5872b19b219ee5

SHA1
d836c19417641f2f8d66306400a485f1e20e0ef8

SHA256
20846304f3aed88237a92ed3bde99b1ce6973477e6f1ef59a069a8811b4dc938

SHA512
044b2509001e6bc15b9620843f206b64f33619fe8d7a0e8c4d8052eb9e3af92eed6c930bdf51eb51a4efc586f245ccfbe7b720c9924e48f206a70dec706c937b

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
128KB

MD5
2412b04373bc1e517100a30617a1a5cd

SHA1
35a3e88b848215b96942465a57ade6d67f7480a4

SHA256
881110d60c945003ca1c5629cf80a871121f336161d7f7ad2f4fa26a70bcccb7

SHA512
8ab814a5fc94f285caab90725a910f35ca98cc28f40f22a7fb60e5e4b9ec8197fb7fdced30a51dd0d74edb325f5a68ec0a806d0d50adf760a37bae9b0e897302

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
128KB

MD5
afcd86bd2aa7ad3d8a9d80ac2beb56a7

SHA1
18a6160be295632bda9a51d2cffee0aa0f33ede5

SHA256
4b0fe8cbfb69c283cdb174755fa9bbe8786fd8069541bbe5a96dd5b57ab8a7ee

SHA512
ae756115d26cb3b1df27f9f22f05612782c9112cdc9a94dea75628a45691ee47fdcf9445f1eabe4a14d0defe051f84600b7d19af50afa1f4cb092c6b08e1d1e8

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
128KB

MD5
4e645f470672b8c28eac94a7d99f776f

SHA1
c1cb81c731e7f554eff80dd1f14eff6d024486c1

SHA256
aac0b6b91bb676a02d609556defc179c7528e7e3d0a395e53a05015161eadc22

SHA512
56bc53d7d2ec6d374af7ea607e16c41e7aac68f85a9f5ed613d4f988d7f59b5ee209a3b40e858302cf8f5c1997986f171a7fd363b3efa3221763995329d7d7c1

Download Submit
C:\Windows\SysWOW64\Cbjoljdo.exe

Filesize
128KB

MD5
ff45bdc89a17ec42cdb882a8af414b85

SHA1
746a4d54505975bbcea82a38d65145a943144134

SHA256
d3a400b2b89e13863191fca1abf615811a05bbe89c449b75ff3203938482c8f1

SHA512
b7eab93fbfbbbc2059b5ac585c8af36169f28fc3ef88f64411c92024618dbbf5ce3de6b8e2b5a240027e3f0a7e855bf19e7ef1da604844dd7b44782857c1738a

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
128KB

MD5
c61ab7dffb2ba7231870dd510642ccb8

SHA1
1924cfa4ee6a318c430e25011a2ed0322b92650e

SHA256
bef9a4d093b717ca155aa76ec56b14af8efd41abb44c3c64273a6fee8bf9484a

SHA512
06e07e4b8417f255fe0197ba585106fe77eb718ef08210fd6260fc848c7083244e4840ac78a83b3feaa7546a077d38eadb41a3d43f730690ff2bfccc6a145fb8

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
128KB

MD5
8cae9749e9d979d42787cba128e993e0

SHA1
6ca5d1d9f1d53f958dfffdbbdf32be96b8b56ab6

SHA256
69a387d555bd22df3726254506304d6ec35d6a7a72a8529dfb79521a79a0cb1d

SHA512
242228a63207ee3fe9e56b7e229fa8b59c583cfd584e5f9f834ebd6de865c4e35438021d10b070e3588641d39b4deac84a0200059f248ffc53c92bd809bb549a

Download Submit
C:\Windows\SysWOW64\Colffknh.exe

Filesize
128KB

MD5
ee589d243f579aae9fcad54cd827805d

SHA1
96025a654b72bd388776893c802cb203b3772127

SHA256
f2f5ff259829b367ef02a78583ecfcd50cbc1d3b8615676c0c52aebae00a5d4a

SHA512
5e393d640b93809d56551e9df5c925688d197c0a15d8c82070ed6dc015a1c50cb326587aab13c42db8c0945b5468fdc632a54c546983ff42eb71969c7c58d8f7

Download Submit
C:\Windows\SysWOW64\Dalchnkg.dll

Filesize
7KB

MD5
dc98bf3679cf0613a016427519a70d04

SHA1
3a23a336198438a12129e18c1f39fc5c30dcd414

SHA256
bc55516a5527e5d0bbe16624520f12b949b2edcb0a769d343be8276bcc528cc7

SHA512
83d1a549a775433b5dd7e265d10f74693a1bbcd7d590b160b3c80c406bacbae10bd9f722a56902c9971b7a1587b82b367124a2699e04e0ec26074f2b43568d1b

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
128KB

MD5
2a0191a61921ba918335de077e38c55e

SHA1
c5d3e0b2e6c4d46f892f578c75c99686c06227ba

SHA256
fd1f0810abc33c4857ef604687d283caee269fb8a1d9512f357df4b157798d01

SHA512
0d6ae6f4c5d100d94037971035399f94c964826479e757b5b92627916b6a0e66c2f532e1101bdaee22306e61832d62911955798c99a317472ab109aed7fc84ff

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
128KB

MD5
51d989f63eea3948db7ad8d8ec7e029b

SHA1
fa1f72d68f77962459ccfb1e4b812cf25d58fec2

SHA256
f5446ff748d09c5390febc46325daa06a085deb708a3fc0380c473106bcd24a0

SHA512
d77d3cd637b43fcf0f3f6178fb0b49daaf48193cfc076da03e3b09a2432a6776969c3585f70426c2453128b38aaebe34188d20b2614f8189b27f104b930ae1c7

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
128KB

MD5
1b9a9b6d315e5c4db3c6a70b7dd7fe79

SHA1
760e7a86f3261714c4a19019c341d515f7100b5e

SHA256
caf8d45b401b57124c2fc69e4d62c6642aa285e5c575f91b4b8c0ebe3d9ad28a

SHA512
3319aca3e7c4aef35bea68262771e9d450b9709b35bd8849a8a4f769c034c6aaec6233becec2a1f7a1521a752fc1876ca890fcf7baf4fee1f6d88e9033c3f4cd

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
128KB

MD5
f7a76f2176dabd492be56ea7a5b2d913

SHA1
9441f08eebfc2ba09f24bf22dd2a861c3e6a68e4

SHA256
0c72975ea1ad4e30e543b2b10ca1df4d4450199a8d96d6e6209eba8b9f6c90f1

SHA512
342efca9da0023be0e76deca93428ec1a1f01fb2897c9e376ef76fceb95774050aa2d3aeaeddf95f0d4f417f336ff0a300c07febafc655a18082a7ef5605be79

Download Submit
C:\Windows\SysWOW64\Dhbgqohi.exe

Filesize
128KB

MD5
eb53d12d77d0303351413f7cf202deb0

SHA1
910bea452c94dd4465938305b2292ac4648c3b5a

SHA256
46af515f93f4d220c721c9c9a266742bbb7d8bda3867ad852838c023d9c00b89

SHA512
2b0241389a5ac240b3a9c3a0e37b259c8447178d48cf6dc5fdb93d545d846aa7038cb7f449d3851364f59ab03c9ffca3b255189a3fd1bae4260a242bc24b073c

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
128KB

MD5
562cd9092bd4efc859f3ba2df440f045

SHA1
b77ebfdf5ff12ca6244db6b7c3ead51fb2d1ca62

SHA256
b06009a3beb441fd1d48aee263fd26ae150088ca56e1171f82ee5925e65dae77

SHA512
0ea51b443758fe255f8cdaed67a48640e24755392f875983218c2245dc88f0ccf2c3586d33effab14c94f4ace85c69ad42ef81b31d7a2ef30c8062206693a8d2

Download Submit
C:\Windows\SysWOW64\Dkljak32.exe

Filesize
128KB

MD5
56dcb194e975f0c6d4bafe39dec6de23

SHA1
56d49db10b4412df5287afb11b794c36a7b28a99

SHA256
5756aae5631694b628c94991857ba980cceb051344bcc49a7783f45a380ecfd0

SHA512
9d8b0a27913596d59f7ce12520170a49b2f325103df1af29d7db4658905cd628f6859623b1e83373916b64c4a7bd3229e9e63b2828891d0cd65a10479cc6ac5e

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
128KB

MD5
23a2f67fc2b275a8077726c1b410fc5d

SHA1
301a2773be8009071d55ddadd5b37fb2528363e9

SHA256
bbb55aaab0ab43e1645d0bf640b9f1a67a06fe0940d99a8157079bd13db6ed29

SHA512
8b8571d8169d2e1d590c44d58c9ba6f81bafcf13918857825d7484e3ea7d23baf8b2d876bbff878966312d4f8b21af46cdaa399759f34228a48ebdd803e3bac3

Download Submit
C:\Windows\SysWOW64\Eleiam32.exe

Filesize
128KB

MD5
3ef6b8e997d60f60ff065ae66c8b35a8

SHA1
9e01b3ad0b6d80bf1def31ca5d1dfdfeb487596e

SHA256
f943af8ed724de2578a9c2188bef2106d10e5beec1eaec3b052553a11157d9e0

SHA512
e35daebd999944cf1ec1bc71d54104fe07da801a4c416afc9f51be654ce74632913e0cbd13a9bf8ba5a8cdd427c2d34d0d77108af7ef549a7462b8afdd26859a

Download Submit
C:\Windows\SysWOW64\Fhqcam32.exe

Filesize
128KB

MD5
927024ca7adb93b3de7d5c2d770cb3a4

SHA1
d63cc84c5fc16bcf75cf52ac7a8541bdf7a35d21

SHA256
5cba786ba1faddd9c07006a84c654ad615b70257d9cf7f8f2882ddec0b30e5dc

SHA512
201842618567818e1c13447758b623cc9acf293c03c364a08b13b1d47484c302770d8a00f512890aabe82e9e23464d14e68e2fba97a5f2238d7a333e7e24d879

Download Submit
C:\Windows\SysWOW64\Fohoigfh.exe

Filesize
128KB

MD5
31d775f4fe94ca141c40f4c8404a7423

SHA1
827af3536c0bdd4dfdfc5678799ad3544275b1f7

SHA256
24e67061e0fea2037a4d827b066cf7770d82d729005cace09c7e5b32d78abe8b

SHA512
c6604a292e6770743619d2828e028cb8fe055a55b26dd6055a7486367b7c1bf877e703b5084962889eaa6d17997abd41d7a139158260d75f638f3b163ea3a6fa

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
128KB

MD5
27e18dd23cd6fe696cdb6d04f1491d69

SHA1
d32fd2f8ca1295fa07ca230d86fe2b9e5f7f0a5b

SHA256
0da80a1bad358b96ba4d362944653576673c10b458a7c7a0e90aabaa27534077

SHA512
9b1134ad8233bbd2b69ef1386aebfe1e4482d54a7e55d720155557ab856ad07cd4aeef94d43c54e101193884ea230785b9f26ab12d3da03c1b8aafbcaab56f5e

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
128KB

MD5
98f3cf0d3d4fe61f916c49e89e63ce6c

SHA1
e10407de77514418e4f5eeeb328b863c8fd21d00

SHA256
b62aa2769b75a4b889ad628606a156a1f82e1c0ccd44ac241f449a82ccc33250

SHA512
cd82763f7b4da8676608d62e444db03102190e5e2eed1ebccfc26f3922656a3d26fcd91c547bce392c805d6d95aade9813f35a38042a8e0163fcb3b0d287d2a7

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
128KB

MD5
c9299da0897a9db4ea146c5ac93a73a0

SHA1
4f7b738002134161818cbbc60d09ca446de99650

SHA256
d7a82eb267d7aa61fc9ee060dce60947fa9014d9f2e41584a6a7f547f809a91e

SHA512
a56b3097c5d56f1c3f3a035e4de87a524664c5e1188c73fb99d41d5c1d091a6392a671125ff24ad553b4fe3a0f6cb2f4e73d13f7a77bc2dd7937e8715e4f62e4

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
128KB

MD5
ff1ceb3508bafa8284709a65e0e3d6e1

SHA1
52a037cc6c40fb61cc853625615e3bd2ce154770

SHA256
992d379118e38c82329ee43b4a1d7a403c262fc0b084e379ea1f4289a367addd

SHA512
8df5ebe437f0916dac0c921857ab3251814a7e0b010f7ea375f7f3fbc2d6ba9b4c586fc05590808bd097e23e3dd664a514108c7db3955158447d9ed2f7428168

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
128KB

MD5
e8eaecf1c366f54a5b9608d0a461d759

SHA1
35595bbdaf0ce7ba143112aede4edc22d7a1f7eb

SHA256
499d809ee8354ea575f13018c742480467397fed567529cb842bf12c684511e5

SHA512
7be8d268e503ce2a415d861182cd8ab8ef1921dcab479b3c82123ff0fada869ddee8ffa833d8e13618a019d00291638f13b0588bc026a1058283f4832a1fd062

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
128KB

MD5
1ea6e9485e50e8f32321dd50399be2db

SHA1
734566d3c182c7b9d407ba65711129aa88549332

SHA256
8e31d6666e5b455eaea573d0ef3ce83f312d9d81759168a397bafe2c5a043b22

SHA512
20f7c285e0cb27e625f62c17772eb6b650566e12dfa46301659586a029babd25bd643d9feff78ca72e47ea5d8a8db17018916a9f51ba5b5387bb82b989277f83

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
128KB

MD5
178788fdf8eda4a1948967990053c57e

SHA1
b9edee4abb4648a6a5b627fd22a5f5efb6e15192

SHA256
91024892619b4a7ed3fc2bd9d80161cd3b829e163d70ee205cb2332b6ed66451

SHA512
050d0eac3f4a518c5eef24743b4b5107fadea4b99c172b8af9c18323251152475bf40b95afaa74068d31c6b5f74a16532b381baea17671d7aa8be762ba220cc8

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
128KB

MD5
230e7191e15b84880a57fa6798fc6bc9

SHA1
9ecd8efeb3b2aa21b2f383d86ad1a0a175bac596

SHA256
f42d3c07673539aee227a222ffb9bb4c911c8fc505ef69bd36998b3b88d486e6

SHA512
2550f0163b8dcdb14c991a7cfed7bc8d1dab96a608f7e6d85ebf652926a7cdccee7eec27c6104914807e3f1e9394138b069a2d2535a99f72fb48453d3f556d9c

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
128KB

MD5
34d332ec46e1cbe13c4e96d4e9c933fe

SHA1
01de4878f950a320bdef724b387bd81d76d11fd4

SHA256
7b1389f9ed7266c77ea93485d17c6b7ff508df0c742ec188b50e5af1ce056d41

SHA512
43d031e0857f2449d14e73fbe9c6938295bfa4b786a15af9928429f75d2ce5b2db7fe467e94067add75e9dafde6a4a30f7adb78ad4a00b8d32725b0c12d108d2

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
64KB

MD5
0fb52d9b66ae39e8783dbbe37b68cd92

SHA1
3838c2b546b2d2a74e894dff7f810256ff64633c

SHA256
35c921456e708a77ac2255f04659353359ad11c1353b8ab15487a07d6e52af92

SHA512
09903308348bef354b6b763977eaca5a7bce30a09e13262ef86d84155f2d4189013a6fa68da3964f4020a11d0f8904dc9138845b76201c1ae5fce302c34b91fc

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
128KB

MD5
4c882fce29ce96b63d31d55d134b8df6

SHA1
3f9960d25cbcc5f1713131e5bdc69ef2db895379

SHA256
dd32735a40b7d8627d2fb773f354b6db03120ac19a6acf83dab0d0b8bcab8b79

SHA512
4416bd673b60156b5b55947549b589e800aadfe5835d42913c2ef5cf26d15a19fe158b3d2f794ce8cd6b790aaa8465a0f93cb1fcd7a217e90d5b01d57d401661

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
128KB

MD5
a231eecb79e65c478445f61d5eb61221

SHA1
7a906bc67c0885247f57daa0f5caad965a406617

SHA256
70fd569395d07f8f97a847cc9436318632d32a2f1ba6ced02b2415cfa470dc60

SHA512
9ddb5820b89b62ed5252f2251b58849bc2a342484a5539f03cbd856dfb83bd65788b13772a3cb83c6ca7b89534d6e506ca91a5cdba265bef643a5b98de847331

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
128KB

MD5
19e5af4a48d51bef6b68ce15b6ff97d9

SHA1
5567c4b52843ac43982f080fa1deb66b2045b77f

SHA256
c003fa73d34b8376496b95d4c93cbdbc206db1085747b4912cfd1b825dcb148c

SHA512
9fa73fb8d5b5190ae6e8920432d9dcf98475c8bed075a9983a4d18a3b42a6540fc040b4bcdc7e5e047de4dbd086a54efdcb3e79b7c3593558b2b7d6376d350ff

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
128KB

MD5
fb31b5d75014d56235f26db6d8d56316

SHA1
7921af9e8677a644be800eefdb6817d38fedf326

SHA256
7fd89f583d6c49a05cb52c21d5b97cdfacf54ca6ae20a673874adc87b557c149

SHA512
7f5b12a284899debc499349f20f76b9846622b58b1d6d803b0a0a70ceee9c070f18a5463482f987784c80f4f0a47daa51ae0357330a9ea253a970c4b5cee7e8c

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
64KB

MD5
ed935a3116ca88ff23bb009e28c3d1eb

SHA1
df71da59e8ab41dac6ee8f7366f0aa1cac49a5df

SHA256
55e1583910ca4954af6586c44e3d20c992c12d21bdbf05720dc19103a655d50c

SHA512
d5bc0081959fc72685a48716609bba96fca3c551b5df57f37f61c8ccf7fe8eca378a7406338db9cfc25b7d86068e0ffb23c6ebae1e62944f1af719c872508cc0

Download Submit
C:\Windows\SysWOW64\Ocegdjij.exe

Filesize
128KB

MD5
b7c81ca7f19fad06f80dd0d515681b76

SHA1
88939fd63ad1d98cf8e93776e1e0bd8b100cd75d

SHA256
e80beb9e97bebcc206cc23e0522c8895c25c7fb23b4174fe15b104d91b732317

SHA512
6de8efc8ea5bbf1c385c5a09e0fcedeee8badb7a7f6c1479633411d81016edcc56741f247dfa871c3127aa9f41e0e00238e04e120ad9fe363234d0b7c83f1891

Download Submit
C:\Windows\SysWOW64\Ocgdji32.exe

Filesize
128KB

MD5
928d4bb410e0dc7eb5ccbc82a422cfa4

SHA1
c40e6d68967e6cb43a12888760a218941f11c44d

SHA256
23c9750b8101d97b43294f4bfc28579f0a5ed5286aa5f29b06ed7ed64208a961

SHA512
6626b66024531f78b1329f64847eb627990a79aa7f8bc079918dab0a5fcd6bdda2bd2802c8cee1708022fe0973ea88a7adc70b7b2d81993a8871ca9b6addd070

Download Submit
C:\Windows\SysWOW64\Odgqdlnj.exe

Filesize
128KB

MD5
c7673612b3d387d88f96bd005e302e25

SHA1
7be1cc8fb352b77d1bf497006544ea3d5e878431

SHA256
4852646ec69e6abf022d39bfa8aeadceae525a86555dfd7dc9441b404713351a

SHA512
4a94407b467640f961909fecab9818b2ff5d8755b4075a7a5c1c947e499e40f888d9a7bdba25c549cb133fa1d035f2d148a5565f307d83ddb71813dbd163bbae

Download Submit
C:\Windows\SysWOW64\Ojmcld32.exe

Filesize
128KB

MD5
0da497d42062517747fd79bb36d4a0b5

SHA1
d1c60d454124446cbedb50ac00343b9ba3e5e2ca

SHA256
f45a317cd021b2e4ec536df7419296ec6a8d0a2a0c5283c217a5244bab904c4e

SHA512
9f5a452fc16f68290535ec6579a94486d199536266a554780237194f50578dfc97c625fa965a13e9189b62996215098554dba706792e2f0364192b7ad33be582

Download Submit
C:\Windows\SysWOW64\Okloegjl.exe

Filesize
128KB

MD5
661a44ef4c51056c370938db0ed86f85

SHA1
87a29bbe6823d82eaeb5afc9d2ac4fe91e73afbe

SHA256
7ee593b357e9ecc54fe4f1cea21368a044f0059bcdc2592d854c7b8b8859550b

SHA512
ebf07f501f73437ba803c249b397ee8eb3b8f2f37cadc32eec6b4fb06bd90c0d1285bef7cc3de8e686001999c40ae1bebbded92ebb9128b0f47c9ca2022fe082

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
128KB

MD5
6c10d9d46d59513f2774433cd9451233

SHA1
2cf0da4cb5c68a2a32ab85ae0d6692f0253c4f39

SHA256
2f9071f0c6068f0ddc3322db63995d534e645172c5bd6bca29a57668d940b7a5

SHA512
46d0e292b564ac95e7cdbe50aff034f8d14107c664613ad906cc4e4c9634487dce840dc6637dbe65d264596ab214edf7de495ccf82346866753897a16f208960

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
128KB

MD5
1c90a186e1de3260e2afa306807a5f78

SHA1
cf5dbdeb7c5c3e7a84206ec4fbdd16778a3f3f38

SHA256
8d4528406ea90e0c0c6335b18fff42ee24170fc84d295e409c0b5d53650edf5a

SHA512
7142651ccfb41b85632d8a8e58c7388e869cd9a0866e8ca842f00fdce1b4a24bba1363ffc911487760bc4756d747f24d7f8f89e45122281f707742e679666bd8

Download Submit
C:\Windows\SysWOW64\Onmhgb32.exe

Filesize
128KB

MD5
f6dfc5499381bff3566e5684cc9ccad4

SHA1
7dbfee526b3265714dc957a86c5bae9e820dea1b

SHA256
bb6f17f5a388985c3bd75a34fe739cd73644460c35fe7a0bf71af688d62598ae

SHA512
d5b4e94d0581924f9f3e32758e8ffd6d6489adeb46c06a47f558322391be2df7586a86b3e94bfe97bb8dfa825e7a714117c637e0ec7b2b67edd034dacd7f0478

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
128KB

MD5
f30da301163a8d09f606e90785267194

SHA1
ba1e6b0786fbcfac8de827b7d648675315375015

SHA256
136c93cddbabab24adbb04fbf8ccbf69e22743da5201033861ea86f3f36856e0

SHA512
eec925562d39d53c0512453757b2b7f9dbee8fd865c08806e19335827d208e8b9fa044719538d516ac5a423d5b82fa12710b5c89ecc23a482b1104128e0c9590

Download Submit
C:\Windows\SysWOW64\Oqgkhnjf.exe

Filesize
128KB

MD5
e4dd48bac1ccf75121d163f926915e94

SHA1
d9be87baba9279dd154cb2a2e2ae39c5b37f787a

SHA256
21309d880ce7e3fbdb56c80725eb82a74fbb2e581eaf2a1c7fe369b0b64d591e

SHA512
324175248f2cf40e11268974d55d8594e0640a4cba96c233fbbfa330c0ce4c00b202c9e45c68aa689b4eaed2a7c9c503f4737f2e426252368739d675fbc43cfc

Download Submit
C:\Windows\SysWOW64\Oqihnn32.exe

Filesize
128KB

MD5
30464d0e0682e613682ae0afbd09f56f

SHA1
0c266bbda84c3f74019c946d99afca2679e7a9f6

SHA256
4af65ae1cfad4b8f2363f045c2c28cdcff6f3f462dec7eb18f2980f2e027bfc4

SHA512
c02625b53387ea7f29d144daac716a90695f5ca6d46bd106e8ec4f27c1e991cec4ebc6989564cc7b29ff137eb57950e787bb3feeaa1ca91625355e961ee3c99d

Download Submit
C:\Windows\SysWOW64\Paegjl32.exe

Filesize
128KB

MD5
ff95a6b8ad38a14bedc20691d5ae4126

SHA1
21709f6edf781a2da0216986770281ffb97dd135

SHA256
30bb3989c2a021be44e1f14143bc3e506d825ba2b2724ad22f7d20bd5edff9cf

SHA512
69ce222c7ee9e7a6a2d0f487617570bcfc1e42f94f215ae64c8c35e6c92f082ccfc35199e2e45a8ca2fdeb60e6aab1b355902c0b0287c50aa246590c948e2452

Download Submit
C:\Windows\SysWOW64\Pagdol32.exe

Filesize
128KB

MD5
c3c3e5a91c14b86cb14617abd291e4df

SHA1
aea006a1dd6054746afb8d1e05443458c8d9963b

SHA256
6261cc5c22ef2a3464faabd5fd4bb0b80ca061f1ae36e519179195de656172e8

SHA512
854c2c73ad3789330a31fc77f5717132d400f142d97139b6bfe959fcbedee332b8667327197407cdffb0e82dd756a559495f1600267df6f50302ed2a5782bfde

Download Submit
C:\Windows\SysWOW64\Pbmncp32.exe

Filesize
128KB

MD5
85581b44b649e0cb9205c2925e0d685d

SHA1
2d587d1aada995a6bd7b4db71725998c98d880ea

SHA256
bfddc5dd531052f2567bb58c742c75b01231aa0ae45e201446dde9ee9dc7e2b5

SHA512
14e278c99a46979bad646c3d95b80e0c714c302679a68f4e37bbd949731c3c720beff0cb86277fd2c3f9865278ec68f4b39e383b5e221acb959ef5fb1891d325

Download Submit
C:\Windows\SysWOW64\Peljol32.exe

Filesize
128KB

MD5
d720f45881763aced3e737f875509132

SHA1
48e27cb88b851ce2d043c999a5274bf28142b99d

SHA256
5cd231ce2c0c36ea217cb67f6dafa04e545484eb0938fab744b64975cbca176a

SHA512
05dfdb6eb55a528c25673f946c8907f2f962ef36b64fa1d4bd0e5ccdd803bc745336bf783fb0e3beac4aaa9e4071f6e9267311b64c3bb2fdf77fbb4e87676ec1

Download Submit
C:\Windows\SysWOW64\Pengdk32.exe

Filesize
128KB

MD5
ef2669cc2300fc7443305c2a11143c38

SHA1
51209e78a19f17673de0f3b7cf4216036c1ad4a0

SHA256
036b057db4c639314583519978a5ac6b709537d695450dda35d92aa3763a59d7

SHA512
61e4f6ce29f79913c5d57ed669e41299647fd7c28234ae566a565e8057a9f1d33278a644528ee99256335b109ae60e9fe262c8fbedb2e4ce1c4b134b1a29edb3

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
128KB

MD5
6bd41384eaee874ee57d8a1cc5214432

SHA1
30db111c24545ae65ff07d5a76d2a3c2cc422045

SHA256
ec806fe09bfdff8b0cc3212ba581b6907104c9ec8d10f07ea9c8301d883d0cfd

SHA512
bd0c11f4bf23be112827b235919a68484036485a2fb595d5c3b1904ba9711f999b6faa9cf9e9c5745388d5694aba71f61bdfd45f9101d9dbefebb3a240446a56

Download Submit
C:\Windows\SysWOW64\Pgemphmn.exe

Filesize
128KB

MD5
3f60c80a93d5b7656a7a6f192e14cad2

SHA1
cea61413c2af5e94455f1932f35729ebad7582ab

SHA256
5f11b7cdd9829dc08e9ea26fbb9a395b2f03541211f17b3294f83982dc70fae2

SHA512
90db508ba5a643b602d81a8bd10d82fe95cf964f0012d0e837c77809848a32ce3e9d59dd690e2fe16ac0e2333ffc75697df1a4f30b9f68c3e6b9efb47512f0d7

Download Submit
C:\Windows\SysWOW64\Pgopffec.exe

Filesize
128KB

MD5
550b1a60339076045dc5ec7d473c05d6

SHA1
bea9b822145a8eb34c3d2e85468bf2ea4ba27008

SHA256
dcaa9210f90bfbf01c41460efe9223770c17e3ef72aa34fcd269b313147e978a

SHA512
f86e5107c5ab56515f1fd6c2d54003b92a883411b9b80f7ebf4372c085540a3185d20c609a8242e6e409709097d038fa4eb543c2d11639cdc14ad419b87c1fdc

Download Submit
C:\Windows\SysWOW64\Pjdilcla.exe

Filesize
128KB

MD5
f587b02a310d473022544347f82bd8a1

SHA1
02f396ac0daf2f933d736e4261c2e8cf561602a6

SHA256
c65a1d95d3141a1b475f20c3326acb324539974cdfafeef5535e19cf2987ac7b

SHA512
5aada9f97b299f3cb6628c3cd874671c5856bc1975a7e55254572afd3be5559a824bf3c09a03e8a650720002ac7e3d69256c9304835d1fdcdc43597605c60aa3

Download Submit
C:\Windows\SysWOW64\Pjhbgb32.exe

Filesize
128KB

MD5
c647f0b0a3ceee1aacf2fad98ef30d18

SHA1
797a1e897361043c41e25ecfd78ae56754b24707

SHA256
8f46a06474baf578cc8a153de7912972d6e27c424b5fb1159ab3a9b63f811974

SHA512
4487775995ab6763610b75b7f95d53b93b9e9ad92bc5b745102f252250e4975623e13664567b8e521e83b611683e4304b1e94088b219f6f57d46440c1a02580d

Download Submit
C:\Windows\SysWOW64\Pjkombfj.exe

Filesize
128KB

MD5
f51a76d452052b05b8550d074b1f4d1e

SHA1
dfe64a4f94965fb6754c75129f8fc7dfad2d4016

SHA256
1dc67f8306b9966f4886a960c7402ba237120a623873a06a0dff0dfd33cb07e7

SHA512
e1fa2c598cf1dcbc6436637fd114f8096f7e12e734b0127ffb21fd594c9d83e39102efc52379d820cabc8323d4f1ab66135bbbc27d54b679639a933f94399a16

Download Submit
C:\Windows\SysWOW64\Pjmlbbdg.exe

Filesize
128KB

MD5
f995200f61d8f1a4c3f8e5003da65e1f

SHA1
1f0dd78d5943a4242a22ebd79d77695db3c5e1ce

SHA256
2c7e692d2867ea93af9af4996193b04c7abf0562da9b86cb12ffb426268f72dc

SHA512
72d28234fa89e3d897611102dc77363b107ba5692d923017a9cfff4c743946b83b74ec69dbe5d6aa056cf0aea1058fb4fa861d9dbf9d8fb7c3eda0cf2bac9995

Download Submit
C:\Windows\SysWOW64\Pkceffcd.exe

Filesize
128KB

MD5
5f4f5aceab8d95dd408544269899e2e2

SHA1
8a74b0098a709f1f630faf507358a36953f0b49a

SHA256
b92bb9980e9ff77a31cd9baaedc413b17ca27bc6bda684235e1adced631eaeb1

SHA512
968eaf25b61c39e95fcd12afe2f0296e14584571167b90db7cf09e4a6fc8d094047e25338ebbe5882cba2fc3b36db3890513f910071b3155425a2d7be0125efd

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
128KB

MD5
c3687a7dea247b238d6cd9ed265fa526

SHA1
78cebb45c9b1c8b768181619c0ae06a57b3590ea

SHA256
7187e3e630fdeae5cb03dfb2db1d5103b8c43321858e8e78a0b1422d075dd45f

SHA512
3e337688b7ed0612d23934a8d57e507c8fe146883be28a24d8699fb1eb936635a5d95c2c4d80f6a872a54d5505c29c6d3f5b8d9049fa0a5d0e8ab40cd57105a1

Download Submit
C:\Windows\SysWOW64\Pndohaqe.exe

Filesize
128KB

MD5
d2f877951667c8a58fe307920ea97b10

SHA1
67c298403328c78f19ebd8f0d93a921bd1ac8f02

SHA256
8bc05ff0552279b94620ccdb758c5512a40e2ae6e9f09a24d248d3eb98ecaab6

SHA512
39d5b4b31fb05ed426048216f1f2a7c37ba3a02f3c392c2cbc8b2f5a843283f89243f5fa7d879e54e17f7c3f63920c168ac2da5a5f280c81913afaf1c8d62050

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
128KB

MD5
5b3ccce6a71f28cd3acf455debd0b9b2

SHA1
0df496b896d1ee741078c27fc3144a9349cfbb10

SHA256
4854b58cd87834f76b12104a19da55bbe7c09777f6e38d55958ee1e48f00d7f6

SHA512
44c4e4affce5b79a23e8c6f675116c14f879d6444c11f4126867794145919f5ffdb8cf94a90ec753116df13e2aa8ebe6f9586b3c000aa534e91d5dd291a9c703

Download Submit
C:\Windows\SysWOW64\Pqnaim32.exe

Filesize
128KB

MD5
62b2940bf81f9e80dc403704864e93df

SHA1
a6faa12a046137ce6b3b1e58c223a1b3bc1a9446

SHA256
9ac94e9b3c93e490dcbfc06b254fee66d7db185a34ab069776ad76f4690635d2

SHA512
231d35c23a9658924b8ada042a5637dcd1ba2e35a665bf2049e702c2c586578b3ee268a916121a46234546e81eee8495b60894f91c3584825085c327a0678487

Download Submit
C:\Windows\SysWOW64\Qajadlja.exe

Filesize
128KB

MD5
c7fd881fccfd80539742133f2d97c43a

SHA1
214527059b65dfb5dd650d46afe4b74cc699e0b7

SHA256
f43a981f8cf101978943f5e31e67d68b49ae7d4f1cae973aeef7a1e8fa985e04

SHA512
0585939f5e3325d7653252a86b9f421c519c2f354fb6c18101997e0894a6a62021a84eb799e8e5248772c221ddbd880496015090f10c24341ea12dd692ca2ce3

Download Submit
C:\Windows\SysWOW64\Qchmagie.exe

Filesize
128KB

MD5
77207baf6d24baae68ed1e3c934669fe

SHA1
a5ed95e7bd480b33a18ae4cc1f6cd3ce30a69e3c

SHA256
13aac25b3a4f76b73cba399f320ba08de302a944a4c04f6e74765b66de96aebe

SHA512
3d843d965fd68e7892637528a82c7d97544f72a473e0e4813f15de0d29b4d20f98d429a9ad090bc0226c103c5690fe481beff7d3f5666e1d1e5814adf0954ee1

Download Submit
C:\Windows\SysWOW64\Qgallfcq.exe

Filesize
128KB

MD5
37fde8fe81cebc64998f0a9006ae6b9b

SHA1
3666695f8c4b4eecbc8e7d9c1d9f4f2ed7e4863e

SHA256
b61da3df2a34193a5eff93d0b9b4913981154ebcdac36d44f60ac11a97e3bd95

SHA512
851f50c5f78a195c7eb76311e3207a3d97b1e78ed82d15ab2bed2e8ae08f309e903ac3728b1b44c4cf422376622f4f12c1ac4b32e88a4d8c41f8eb0002b532c6

Download Submit
C:\Windows\SysWOW64\Qjbena32.exe

Filesize
128KB

MD5
b079eff2c02a7a68ef95909adcfecd9d

SHA1
c246574a46f00ec187964b1220f4a919510d07b5

SHA256
3b80260bda3836e2a91cd4b413bf8faa00e37555cf1520c970e6adc139fb92e3

SHA512
7b151a40fb56d0b6ce30ad7190d8627c0f77b1bd67033575c8d162945be50f8aad18c212656056cc0a6b040ddd9846d72332eb1e4117dfcb7301dde4655003fa

Download Submit
C:\Windows\SysWOW64\Qjpiha32.exe

Filesize
128KB

MD5
00bd22d77fa9d3e7073277374234bda2

SHA1
387440f9b84f49d78a10f3bef347e559e1c24dc6

SHA256
61802f3d43c27e57c764eb882390480da373cd2434bfc064b40f928bb0b510a5

SHA512
0003736a420014251de2a6cc7d20e32c4026d315cc1cc164e0d587a1067357259ccf76964d891c2dfad37cab8247be8194bcd69b5879f4a6d5ad936d8b2f8a7b

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
128KB

MD5
6bd1a6a2bfbbef163df8dda611e85ec1

SHA1
ef6e391b5ffc9ea8c72f9e9363a39dea85814538

SHA256
a4d4aab7b096ec343d67e1a0fb3acbc2be9507e4fa0dca1e8179bc9a2efce04f

SHA512
e17ccbc0bf9407a342dd7909d8914668bf766e8e4956c7e17545c14105be55cac7b446634ccbd0cc4330e19dc05326c908d1529ea14c3d5b4a91013f20b9c776

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
128KB

MD5
99c3b6a3a582a003a3bed92c8ef170e5

SHA1
c796742017c4c050c5d5a9c208f2765874c68ce4

SHA256
69ad7e534e4ea125c1c9820b4241275f381ac2825549cc07e36779af5bc75604

SHA512
a87b3198a670ddb9a6c17ec8ddb1e9a52c9c952f20852f68052c45560161adf31f1eedde184cf0330417b42a218e84aee3d872ba89bf0897484919f8235fee86

Download Submit
C:\Windows\SysWOW64\Qnnanphk.exe

Filesize
128KB

MD5
5fe8b784466ad0efc9c197a2e4dcf028

SHA1
c183d5665332f3556613a7690ebc908af07d229a

SHA256
8c2e34855259e6e24f50fcfccea8d2ae32e44b7acf21b5af692fda43375918ee

SHA512
79f1d9c646ba3e9afb781ab52f361fb13a0d13d2239cdb44dbebb466c1d77c45b462e882f9eddbf7588af8e7002b235ca6c7fdd35364b3578315df4d1a6af64c

Download Submit
memory/376-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/376-555-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/416-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/624-536-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/724-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/856-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/896-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/900-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/920-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/920-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1012-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1108-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1148-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1152-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1180-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1188-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1328-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1328-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1336-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1364-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1376-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1412-584-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1500-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1548-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1604-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1604-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1768-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1792-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1832-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1840-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1924-512-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1964-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1972-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2016-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2016-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2096-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2244-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2276-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2356-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2416-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-598-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2444-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2672-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2704-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2784-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3140-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3144-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3152-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3244-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3260-557-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3356-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3364-332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3408-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3484-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3588-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3700-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3808-549-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3892-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3976-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4036-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4052-446-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4080-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4080-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-577-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4200-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4284-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4292-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4452-380-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4456-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4512-524-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4560-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-570-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4600-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4700-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4740-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4740-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4800-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads