bfff921da9b3e356958dff7b835287362193ccebb29e487eeb9e69bb26864797

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b169f2eb427cbe009c4cbb7b75df4fd0_NeikiAnalytics.exe
Size

96KB
MD5

b169f2eb427cbe009c4cbb7b75df4fd0
SHA1

55f18ebbe51a532ba1ea24dc5d18ab317bfea042
SHA256

bfff921da9b3e356958dff7b835287362193ccebb29e487eeb9e69bb26864797
SHA512

8b14733f22fcaca96459d41a611ded02aa36b5b176ca39f7922c1112f8f6860acc9013e19f4403f37516103ebd3aa03982533e48339cb17bf8aae662d64bb9b6
SSDEEP

1536:202r2Kdbpxg1zXgUmSTKa/2L2mZS/FCb4noaJSNzJO/:0dLg1rt1EZZSs4noakXO/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cojjqlpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eleiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihbijhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klngdpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfonc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlgmpogj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fohoigfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gomakdcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkgqfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eolpmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkojgao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbgmcnhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cahfmgoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhqcam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfkoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edihepnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfembo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejogg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Foabofnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeqmoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefioj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fafkecel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hopnqdan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjghpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajcbgml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleiam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcagkdba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe

Executes dropped EXE 64 IoCs

pid	Process
2828	Bhfonc32.exe
4180	Bopgjmhe.exe
2432	Bejogg32.exe
3188	Bhikcb32.exe
3468	Bjghpn32.exe
4352	Baaplhef.exe
4728	Bhkhibmc.exe
3704	Cbqlfkmi.exe
2596	Cdainc32.exe
3180	Cogmkl32.exe
4984	Cafigg32.exe
1728	Chpada32.exe
5020	Cojjqlpk.exe
4772	Cahfmgoo.exe
4284	Cdfbibnb.exe
2436	Cajcbgml.exe
4940	Clpgpp32.exe
1568	Conclk32.exe
4948	Camphf32.exe
1748	Chghdqbf.exe
3048	Doqpak32.exe
1284	Daolnf32.exe
1648	Ddmhja32.exe
4388	Dkgqfl32.exe
4896	Ddpeoafg.exe
632	Dlgmpogj.exe
3228	Dbaemi32.exe
1180	Dhnnep32.exe
672	Dohfbj32.exe
1656	Dafbne32.exe
2524	Dkoggkjo.exe
5056	Dahode32.exe
4384	Dlncan32.exe
4004	Eolpmi32.exe
3224	Eaklidoi.exe
4960	Edihepnm.exe
4460	Ehedfo32.exe
4544	Ekcpbj32.exe
2964	Ecjhcg32.exe
2240	Eeidoc32.exe
4564	Ehgqln32.exe
2924	Ekemhj32.exe
1676	Eoaihhlp.exe
748	Eapedd32.exe
4600	Ednaqo32.exe
2388	Eleiam32.exe
452	Ekhjmiad.exe
1960	Eabbjc32.exe
2552	Eemnjbaj.exe
1616	Edpnfo32.exe
1964	Ekjfcipa.exe
3556	Eofbch32.exe
2312	Eadopc32.exe
2840	Edbklofb.exe
864	Fljcmlfd.exe
3408	Fohoigfh.exe
4104	Fafkecel.exe
5024	Fhqcam32.exe
4568	Fkopnh32.exe
1916	Ffddka32.exe
4528	Flnlhk32.exe
908	Fchddejl.exe
2624	Fdialn32.exe
2656	Fooeif32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Gkkojgao.exe	Gdqgmmjb.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jidklf32.exe	Jfeopj32.exe
File created	C:\Windows\SysWOW64\Cdbinofi.dll	Jlbgha32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Fdialn32.exe	Fchddejl.exe
File created	C:\Windows\SysWOW64\Ffimfqgm.exe	Fooeif32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Bjghpn32.exe	Bhikcb32.exe
File created	C:\Windows\SysWOW64\Dkoggkjo.exe	Dafbne32.exe
File opened for modification	C:\Windows\SysWOW64\Foabofnn.exe	Flceckoj.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Lnaendmh.dll	Bjghpn32.exe
File opened for modification	C:\Windows\SysWOW64\Fohoigfh.exe	Fljcmlfd.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mmpijp32.exe
File opened for modification	C:\Windows\SysWOW64\Cafigg32.exe	Cogmkl32.exe
File created	C:\Windows\SysWOW64\Eeidoc32.exe	Ecjhcg32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Ddmhja32.exe	Daolnf32.exe
File created	C:\Windows\SysWOW64\Fmfmfg32.dll	Eemnjbaj.exe
File created	C:\Windows\SysWOW64\Lpcqcc32.dll	Hflcbngh.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Bcfmgfde.dll	Dhnnep32.exe
File opened for modification	C:\Windows\SysWOW64\Ekcpbj32.exe	Ehedfo32.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Oehldcbk.dll	Bopgjmhe.exe
File created	C:\Windows\SysWOW64\Eadopc32.exe	Eofbch32.exe
File opened for modification	C:\Windows\SysWOW64\Flnlhk32.exe	Ffddka32.exe
File created	C:\Windows\SysWOW64\Iifokh32.exe	Iejcji32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Bhikcb32.exe	Bejogg32.exe
File opened for modification	C:\Windows\SysWOW64\Bhkhibmc.exe	Baaplhef.exe
File opened for modification	C:\Windows\SysWOW64\Dohfbj32.exe	Dhnnep32.exe
File created	C:\Windows\SysWOW64\Ngknngal.dll	Gkhbdg32.exe
File created	C:\Windows\SysWOW64\Icgjmapi.exe	Ikpaldog.exe
File created	C:\Windows\SysWOW64\Mkoqfnpl.dll	Jeklag32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Edihepnm.exe	Eaklidoi.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Fljcmlfd.exe	Edbklofb.exe
File opened for modification	C:\Windows\SysWOW64\Flceckoj.exe	Fhgjblfq.exe
File created	C:\Windows\SysWOW64\Memcpg32.dll	Jidklf32.exe
File created	C:\Windows\SysWOW64\Bjghpn32.exe	Bhikcb32.exe
File created	C:\Windows\SysWOW64\Ekcpbj32.exe	Ehedfo32.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Bqhimici.dll	Fljcmlfd.exe
File created	C:\Windows\SysWOW64\Eleiam32.exe	Ednaqo32.exe
File created	C:\Windows\SysWOW64\Jgbcdnbb.dll	Gfembo32.exe
File created	C:\Windows\SysWOW64\Ilghlc32.exe	Iihkpg32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7812	7668	WerFault.exe	347

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhqcam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flceckoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkomqm32.dll"	Gcddpdpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhcgd32.dll"	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhkhibmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Foabofnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilghlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Becbkfdh.dll"	Cdfbibnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekemhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bopgjmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aecqac32.dll"	Cdainc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogiek32.dll"	Ehgqln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbpnkama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gomakdcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fafkecel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcojed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekfmb32.dll"	Hijooifk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjihje32.dll"	Dahode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhoholen.dll"	Eleiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlgmpogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odqjbebh.dll"	Hihbijhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlplhfon.dll"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Manffk32.dll"	Clpgpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgkhn32.dll"	Eeidoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoaihhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceacpg32.dll"	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mckemg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfkoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Camphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fobdihjo.dll"	Chghdqbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eabbjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eadopc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdcdbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedeph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2828	2712	b169f2eb427cbe009c4cbb7b75df4fd0_NeikiAnalytics.exe	81
PID 2712 wrote to memory of 2828	2712	b169f2eb427cbe009c4cbb7b75df4fd0_NeikiAnalytics.exe	81
PID 2712 wrote to memory of 2828	2712	b169f2eb427cbe009c4cbb7b75df4fd0_NeikiAnalytics.exe	81
PID 2828 wrote to memory of 4180	2828	Bhfonc32.exe	82
PID 2828 wrote to memory of 4180	2828	Bhfonc32.exe	82
PID 2828 wrote to memory of 4180	2828	Bhfonc32.exe	82
PID 4180 wrote to memory of 2432	4180	Bopgjmhe.exe	83
PID 4180 wrote to memory of 2432	4180	Bopgjmhe.exe	83
PID 4180 wrote to memory of 2432	4180	Bopgjmhe.exe	83
PID 2432 wrote to memory of 3188	2432	Bejogg32.exe	84
PID 2432 wrote to memory of 3188	2432	Bejogg32.exe	84
PID 2432 wrote to memory of 3188	2432	Bejogg32.exe	84
PID 3188 wrote to memory of 3468	3188	Bhikcb32.exe	85
PID 3188 wrote to memory of 3468	3188	Bhikcb32.exe	85
PID 3188 wrote to memory of 3468	3188	Bhikcb32.exe	85
PID 3468 wrote to memory of 4352	3468	Bjghpn32.exe	86
PID 3468 wrote to memory of 4352	3468	Bjghpn32.exe	86
PID 3468 wrote to memory of 4352	3468	Bjghpn32.exe	86
PID 4352 wrote to memory of 4728	4352	Baaplhef.exe	88
PID 4352 wrote to memory of 4728	4352	Baaplhef.exe	88
PID 4352 wrote to memory of 4728	4352	Baaplhef.exe	88
PID 4728 wrote to memory of 3704	4728	Bhkhibmc.exe	89
PID 4728 wrote to memory of 3704	4728	Bhkhibmc.exe	89
PID 4728 wrote to memory of 3704	4728	Bhkhibmc.exe	89
PID 3704 wrote to memory of 2596	3704	Cbqlfkmi.exe	91
PID 3704 wrote to memory of 2596	3704	Cbqlfkmi.exe	91
PID 3704 wrote to memory of 2596	3704	Cbqlfkmi.exe	91
PID 2596 wrote to memory of 3180	2596	Cdainc32.exe	92
PID 2596 wrote to memory of 3180	2596	Cdainc32.exe	92
PID 2596 wrote to memory of 3180	2596	Cdainc32.exe	92
PID 3180 wrote to memory of 4984	3180	Cogmkl32.exe	93
PID 3180 wrote to memory of 4984	3180	Cogmkl32.exe	93
PID 3180 wrote to memory of 4984	3180	Cogmkl32.exe	93
PID 4984 wrote to memory of 1728	4984	Cafigg32.exe	94
PID 4984 wrote to memory of 1728	4984	Cafigg32.exe	94
PID 4984 wrote to memory of 1728	4984	Cafigg32.exe	94
PID 1728 wrote to memory of 5020	1728	Chpada32.exe	95
PID 1728 wrote to memory of 5020	1728	Chpada32.exe	95
PID 1728 wrote to memory of 5020	1728	Chpada32.exe	95
PID 5020 wrote to memory of 4772	5020	Cojjqlpk.exe	97
PID 5020 wrote to memory of 4772	5020	Cojjqlpk.exe	97
PID 5020 wrote to memory of 4772	5020	Cojjqlpk.exe	97
PID 4772 wrote to memory of 4284	4772	Cahfmgoo.exe	98
PID 4772 wrote to memory of 4284	4772	Cahfmgoo.exe	98
PID 4772 wrote to memory of 4284	4772	Cahfmgoo.exe	98
PID 4284 wrote to memory of 2436	4284	Cdfbibnb.exe	99
PID 4284 wrote to memory of 2436	4284	Cdfbibnb.exe	99
PID 4284 wrote to memory of 2436	4284	Cdfbibnb.exe	99
PID 2436 wrote to memory of 4940	2436	Cajcbgml.exe	100
PID 2436 wrote to memory of 4940	2436	Cajcbgml.exe	100
PID 2436 wrote to memory of 4940	2436	Cajcbgml.exe	100
PID 4940 wrote to memory of 1568	4940	Clpgpp32.exe	101
PID 4940 wrote to memory of 1568	4940	Clpgpp32.exe	101
PID 4940 wrote to memory of 1568	4940	Clpgpp32.exe	101
PID 1568 wrote to memory of 4948	1568	Conclk32.exe	102
PID 1568 wrote to memory of 4948	1568	Conclk32.exe	102
PID 1568 wrote to memory of 4948	1568	Conclk32.exe	102
PID 4948 wrote to memory of 1748	4948	Camphf32.exe	103
PID 4948 wrote to memory of 1748	4948	Camphf32.exe	103
PID 4948 wrote to memory of 1748	4948	Camphf32.exe	103
PID 1748 wrote to memory of 3048	1748	Chghdqbf.exe	104
PID 1748 wrote to memory of 3048	1748	Chghdqbf.exe	104
PID 1748 wrote to memory of 3048	1748	Chghdqbf.exe	104
PID 3048 wrote to memory of 1284	3048	Doqpak32.exe	105

C:\Users\Admin\AppData\Local\Temp\b169f2eb427cbe009c4cbb7b75df4fd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b169f2eb427cbe009c4cbb7b75df4fd0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\Bhfonc32.exe
  C:\Windows\system32\Bhfonc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\Bopgjmhe.exe
    C:\Windows\system32\Bopgjmhe.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\SysWOW64\Bejogg32.exe
      C:\Windows\system32\Bejogg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\SysWOW64\Bhikcb32.exe
        
        C:\Windows\system32\Bhikcb32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3188
      - C:\Windows\SysWOW64\Bjghpn32.exe
        
        C:\Windows\system32\Bjghpn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Cbqlfkmi.exe
        
        C:\Windows\system32\Cbqlfkmi.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Cafigg32.exe
        
        C:\Windows\system32\Cafigg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Chpada32.exe
        
        C:\Windows\system32\Chpada32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Cahfmgoo.exe
        
        C:\Windows\system32\Cahfmgoo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        24⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        26⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        28⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        30⤵
        Executes dropped EXE
        
        PID:672
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        32⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Dlncan32.exe
        
        C:\Windows\system32\Dlncan32.exe
        34⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        39⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        45⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        48⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        51⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        52⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3408
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        60⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        62⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        64⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        66⤵
        
        PID:532
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        67⤵
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        70⤵
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        71⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        72⤵
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        73⤵
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        74⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        75⤵
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:212
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2864
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        78⤵
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        79⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        80⤵
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        81⤵
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        82⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        83⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        85⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        87⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4160
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        90⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        91⤵
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        92⤵
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        94⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        95⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:60
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        97⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        98⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1512
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        100⤵
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        101⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        102⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        107⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        108⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        109⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        111⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        112⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        114⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        115⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        116⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        118⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        119⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        120⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        121⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        122⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        123⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        124⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        125⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        126⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        127⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        131⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        133⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        134⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        135⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        136⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        137⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        139⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        140⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        141⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        142⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        146⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        147⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        148⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        150⤵
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        151⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        152⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        156⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        157⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        158⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        159⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        160⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        161⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        162⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        163⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        164⤵
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        165⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        168⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        169⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        170⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        171⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        172⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        173⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        174⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        175⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        176⤵
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        177⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        178⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        179⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        180⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        183⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        184⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        185⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        186⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        187⤵
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        188⤵
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        189⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        190⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6988
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        192⤵
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        193⤵
        Drops file in System32 directory
        
        PID:7076
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        194⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        195⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        196⤵
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6272
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        199⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        200⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        201⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        202⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        205⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        206⤵
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6996
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7064
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        209⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        210⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        211⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        212⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        213⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        214⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        215⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        217⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        218⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        219⤵
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        220⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        221⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        222⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        223⤵
        Drops file in System32 directory
        
        PID:6916
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7128
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        225⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        226⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        227⤵
        Drops file in System32 directory
        
        PID:6972
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        228⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6720
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        230⤵
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        231⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        232⤵
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        233⤵
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7204
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        236⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        237⤵
        Drops file in System32 directory
        
        PID:7296
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        238⤵
        Modifies registry class
        
        PID:7344
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        239⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        240⤵
        Drops file in System32 directory
        
        PID:7440
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        241⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7536
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        243⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        244⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        245⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        246⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        247⤵
        Drops file in System32 directory
        
        PID:7776
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        248⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        249⤵
        Drops file in System32 directory
        
        PID:7872
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7920
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        251⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8016
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        253⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        254⤵
        Modifies registry class
        
        PID:8112
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        255⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        256⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7264
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        258⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        259⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        260⤵
        Drops file in System32 directory
        
        PID:7456
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        261⤵
        Modifies registry class
        
        PID:7524
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        262⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        263⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7668 -s 396
        264⤵
        Program crash
        
        PID:7812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7668 -ip 7668
1⤵
PID:7772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
1a4b7ae9d2cd54dafdb144e4f0c89e19

SHA1
556ae85f053d0560da8a5458319bffee11a320ff

SHA256
b81c048c9b5e2e96f9898704e65b973f78ecf8eef4e8a661059721cbe6469c8b

SHA512
1a4586548cb273abe2e3f6830102eb986e38bd272e20b44235ef5242bb9081511ef22482449004efbf6dbd951f1f381c60761cc357372e3f517e35dd6d1fe907

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
96KB

MD5
b4018a68458c81e22df12c290b9352ae

SHA1
c5a1f4825336d1b5824b803f509c434fb6242499

SHA256
c9ef2fd15e9763c8268e36959a883460e3e51bd72945fa839ef373e5e9a18e10

SHA512
76e22fe9de3cb39209ecb0aee33c3ea5ee711a3789ea8b9585908faa7382e62256b9f73c3e76c4f3f9a407383c1eeca146d9dae5b9a915d109c3f4a06f610066

Download Submit
C:\Windows\SysWOW64\Baaplhef.exe

Filesize
96KB

MD5
b078f494a3420a60064d65cdb7af421b

SHA1
3d2b2952ba13e023e18eaf639bae7c3cc4bff156

SHA256
5032ac953b59d2ea2379228939126f3e0e891f713942dbec18ae64057a4c13c1

SHA512
3bef15b516d2a82026d0e0bc4f479b885a8ac70489a7b22c6bff62b20377a30e3ede8f2197f621b03c0d6e63839896bae47a2e539163d57664c9bccd3c388f2f

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
96KB

MD5
45257d7ae2a7bb37c86808dc3901bec6

SHA1
40ce28b86576a8b35ca303e714e7c5fad0552d04

SHA256
ef3809ec7d998f00379908d3d436a351b267c11bd4ff6af328b389e48e8ce9e9

SHA512
32f28faf971655b2a9e6af5afeff5430e7e49e8d960c08a54f1f42821047d96825b331f6b839a41531969de6267733f18f945d919407290b75ea11e430fede2b

Download Submit
C:\Windows\SysWOW64\Bejogg32.exe

Filesize
96KB

MD5
a218a2e189ce2282e2f185978f83bf44

SHA1
19281c9856b7fbbdb491549b4b2c5bfc7b433b81

SHA256
e40766183390a2578c21605f099755055d509a53f447f0ffa7886be7214ed25f

SHA512
0ff1e22f03df6cc5394e69b0af9d230b6dd40ac489e054b65081f45fdebab72341fc7c3dce28f4df73c72cc56e4a90d4abd95bb97d9611105f24c3426264eee9

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
96KB

MD5
8da2a43e4b908a37a34900accc1e8a6f

SHA1
9187d5f0e239cb108ca6cf704b1f59d3e2f26f52

SHA256
c1a445e2911a2c1117b4bdb324f29bcae4d968d94b96997a74241a1b152e43da

SHA512
9adafb208a065b9d2321a3608340bfcb5c791a969adf28707a0b6c796cfa2bf8075ee3b9bd04e1abed75c14f77170a79856081d2fe4b4e67a49906a14791ed4f

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
64KB

MD5
db98d18568ea9a2a773810f65f7efdea

SHA1
7a9a9731f8948a6df3b98b37ba9c01bfaea82c59

SHA256
c58dbedae5188e662658c899945ec663d2de97e08878ae8e56462d73107d2155

SHA512
3f85933149cd5f40b2e1033c00bfa4b5a26df2078b44e17f7b2d393274b81c8cdc2998822f15f08504135a163e36faf245959ad616979984a34ef06804741f28

Download Submit
C:\Windows\SysWOW64\Bhfonc32.exe

Filesize
96KB

MD5
4dd066601fc4f2cb43f18a2e42863d80

SHA1
5ac30c347c29e66ca9c3b81f2339537dea63f86c

SHA256
dc9d0b5c13180b0a46ad1c9297a6db747b277064e3c7f3702e0a3cafe0994604

SHA512
db5fe043c2b9230b410e394dfed885d6a1c78bba528807e7578d72b66e4c107560d99278b1522f15e8e9ae491b67ebbfe5e8ec0772702aef75f1a909e92c21df

Download Submit
C:\Windows\SysWOW64\Bhikcb32.exe

Filesize
96KB

MD5
87b0ea2694a51b1c859d9b95c617e224

SHA1
f1ea51bf9e2d3832c6d7d5f2cb47c6633cf0f260

SHA256
8ae7ece336240176a843bb49388c5c2c1f3d2b72d5e3e3d95fe07d3282ecf105

SHA512
9ecd12f9f3be522607033ada89955bba21cf2e364c4449f7f61d5b79961af5ea95d3c73871c15e5de2700592982f0d6d88c4108e821615e85d7c18752982bcf2

Download Submit
C:\Windows\SysWOW64\Bhkhibmc.exe

Filesize
96KB

MD5
13b9a0d49efd9ef8bd8a26fab5a436be

SHA1
56a579b6ebc91daa0ce5d99763434a8bd2a7e018

SHA256
d403f97889719a7f09a92024d38f86b81026db1aaaa7c28076bf837d66d930c6

SHA512
5a32578e805e30c2ad82e578af6bbef82599281c0935feca675bf02923160304fb032d229aebc8ffd2a7f772768ebcc4209a6b3d596bd261af87a040f6ee2a07

Download Submit
C:\Windows\SysWOW64\Bjghpn32.exe

Filesize
96KB

MD5
75caaa8c1a04bb8f1e0b9f12c34e9ebc

SHA1
89c74fddf9cf5885742ed52e979f9dcee593df11

SHA256
1a51828dc3f37d3ff5068597c2fa13708dd99a04c986412de134bd05a89b3f5e

SHA512
e8644911f4ba7b895120a3950cf39a7a0c017de3170f7e60926a786980e1b48969f1cfe42b75cf2464ae0c4dbff380109ae0ff1c3c7f758ad05fecd312de4c3b

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
96KB

MD5
a37b1418c49cbe87ebbb80cc82556e07

SHA1
065575c5944e9748afeacb107a3a7cfb39b3698e

SHA256
893d890344c2ae2f3ada2a10834ef39400a1e6229a8c9ffd8edd5d28e328642e

SHA512
94fcccd5e9b7a407baa2a97322af8663da2a7aa5ff43d4e3897ccc76ea09bddc888ae587f8b15388ef6f36ac3f135be5bc9e5e87545e0e01fea25a18d628cabc

Download Submit
C:\Windows\SysWOW64\Bopgjmhe.exe

Filesize
96KB

MD5
b2c7e849db0f6b2e9642ee6844882eb9

SHA1
cb0c49ce943425526eb6ada61e2b1365aa25b7b0

SHA256
ae94fc66ab6a562a1c85e998a0652c0ec5029eaa7c54df02d632bb9a4210ae65

SHA512
735282258abf909987947c31b27b14e016a406a9abbeebf06b5e935877e56ed8b1d2a9652caa28d0cf5bebe1d339b402ebf67de276718c59b31cb9c5206a15d4

Download Submit
C:\Windows\SysWOW64\Cafigg32.exe

Filesize
96KB

MD5
0c1f0d49bf1ee88b817c2839fb728a79

SHA1
cfda4d5abc3509c1b1c5df22cc09bb5828754b94

SHA256
c8cefaf6b804f9d54a4de798b3abb0b2d257058860a55d85b4038cb5dd697ca7

SHA512
95e86d9433e6bd0fb4ad78900ca8638d85bd5f695702ab0dd5b1c457ec5041dfa8bab0e69c006c200f1b538e6183b637bc0028f60b15071b9f703688fef7a78a

Download Submit
C:\Windows\SysWOW64\Cahfmgoo.exe

Filesize
96KB

MD5
417241f8ae3cada5d0903683cfbe81d9

SHA1
4857bae66bd8ba39bd511bd38ff4e51899ecb014

SHA256
360810b1beefa66e3d2ed4b04e35942cc0c27a74124ca68a3175d93dd7dfd302

SHA512
bba29fb6c53e2dca1fe419d2e87b84aedacbe4849139d86f18fc11c1be74c14a212d01cd264de10397cef50dd933b1a4a4495bd9d38e5c1690b02dc8b786d195

Download Submit
C:\Windows\SysWOW64\Cajcbgml.exe

Filesize
96KB

MD5
b9890b94285abb2749bd15d1ff49ee02

SHA1
838b4e841893118249e38dbd6d441abb302b36fe

SHA256
48523478d26ee24784867a5029caed2d3d99290329aad0014e3e02e421c47951

SHA512
d6bd9514d300fe0e05e65fd1a76123850b92bbd5d2d0dbd316d354ab3675f28a087e562d3cd6a90611279bd46c6bafe21251d8004575125e2fb68880ab17807e

Download Submit
C:\Windows\SysWOW64\Camphf32.exe

Filesize
96KB

MD5
b659b8f6e3da5e10062a86628783c80f

SHA1
ac03cffa941290c26a78fc8e8d10274cc673a19b

SHA256
26a06baf666b57b3059305c728328ad36482e37ad5837f6e1b2d45a78dca269e

SHA512
585017bef6db1079f7ac583028aa270b3b41291a1f2d1b7f62f85d6614619be079bff990af163a8059271cfd6b3b1bfae52dc3cda760a99def647fb4bcbe9cef

Download Submit
C:\Windows\SysWOW64\Cbqlfkmi.exe

Filesize
96KB

MD5
012e3e5775049b334d8fc8fc6e371d0e

SHA1
4bd7151cce9a53d53192d82754cfdce44076a015

SHA256
f83a72d2156a44606a86dea3f89ede1752b4a06477bed898d3695523e7151f8e

SHA512
ebc98c9cb51613469b4c0434e723630fcacf42c1655bf7f19e415890997e972aa63b6412cd7ab77f0286cc3b0fd025e02baba5fcb8aee419eccf2fbc97953d61

Download Submit
C:\Windows\SysWOW64\Cdainc32.exe

Filesize
96KB

MD5
e789570377be6de7f31757f46f04f52a

SHA1
cb0b14c5f25e202b5abc616b67f12d7f2ee98c50

SHA256
2e63c57126010e1cbe29adb4c5485fc07f025c21ce008fa20b1cc0ddcb5ec175

SHA512
b4941e061165baef81a94415b3ca1b91bcb492d787396ab3536a94117fee6b4626c8d5437d2f53401489e8c9c4370756c9366cb9e78f4caf1ecb9a03199607b9

Download Submit
C:\Windows\SysWOW64\Cdfbibnb.exe

Filesize
96KB

MD5
3354d6b1bc4c8d442963a9d6d7aaf1f5

SHA1
e0e26775c511b7f6a6696a3e32b4fe6f2d97e54e

SHA256
32756e97ab5d34b9aa6a04856309a9ba57984e6b12b761b0d42cce956e4c0114

SHA512
fc74436aefc1fb128d136d5092a7d778152efff6289a4c9ccb347a5d7b0abdcad1c8abd5a5a19f47b7c03c1e147c6dab57b93e3e038a80c7592b383839405264

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
62e4a95c31a21a3b28ed0395ce7b0eb0

SHA1
1858ddc2c6751b48b58c866042b134305d30a050

SHA256
59e9d361aaa38b57a00d46e2bfe67411b0e122e3f0f5635fa380261b1ca77911

SHA512
49636e3af431adb6690cf4ebea9069b4e10fffb6a86ed9ac58cf30c1fa72879dede698b6b8a263e9899438b4732b0eeb85f0713e3544864c5b5111d3e1f7053e

Download Submit
C:\Windows\SysWOW64\Chghdqbf.exe

Filesize
96KB

MD5
da74c2d79dadf5ff4fcf94fe32bc7fc9

SHA1
97017ed05c0a82ef3c953a052a46aaeeb430da5d

SHA256
fc2f77a259807e302ada51ef483f6eab931ba1b4b208b405d9a5944ab35c1ed9

SHA512
725598439bfa240dab626debc979a67a7abc1ff50b065c37f6a03c7103dda1443c05b407a9347e2318ca79961f6851e38de465a84fee5d0f1e55c5d283e94691

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
9fa56d8b1d463b4228845759507d40d5

SHA1
0084e844d1c20e3bbb4ff4a1ae6758abe995bcdd

SHA256
9334bc42618d7f46199ac12d2b82f9d3302af8a964957166a1753c4f71d067a1

SHA512
bf625241e0d214dbc6d39f73e8782646502d1ceaa2ebc1200993246148784c0f23bc3dfbdc1a8f3ee8b8e671189f7aca109be7686f3c158b035248560dba67c6

Download Submit
C:\Windows\SysWOW64\Chpada32.exe

Filesize
96KB

MD5
cb92879575e936781b5c7f25a23a91c8

SHA1
b47131eae329ebf6bb2de9643a2b69c4fea5b1ef

SHA256
5cc158359df100e5d1e6bbb515ff97b5199e45d016795d56a8dbc585e4dbeec0

SHA512
88c4256d217fa0075fdd22a8bbac52c749dd5cba2197f279287bf0af71d9a42cdd9d5a6c0b2a29c966a1919d40d318b2b0d266090c867720e47a27532e48f1e4

Download Submit
C:\Windows\SysWOW64\Clpgpp32.exe

Filesize
96KB

MD5
4052cb341b8ba9513890cca1804061e9

SHA1
244fd4aaddaedadfd29ff9c21dba37df6e3037e5

SHA256
41e95ce7719d2d70069e2c8c8b3ed36c746e8f4fdfa2040dd5fbad6c07abc4cb

SHA512
3b4284aca9bcddfabd1e45784a2d3088a650f3f7864df6a7a8d7280bdfc04c8d9ac411266397f0559550b542b6d56fb1e9ad6a45a2919ad386c07e9b39edccfd

Download Submit
C:\Windows\SysWOW64\Cogmkl32.exe

Filesize
96KB

MD5
7acd65f2ec2a38d36547525e86775c3b

SHA1
624e71171a700d190677aa414ac19d9b317f5be6

SHA256
32202fb986352a7f0e95f7f51353f580becbfc9cfc9e712ade71821af746c3ef

SHA512
edb0b3c69a94a1f06f1776ac398b44f2c64aca874eb26a17f83e7318fcd8f9057a09ad8a6a1de23119b0ac351907e25d01d7d4ec6f80b300236497c6f76a8b16

Download Submit
C:\Windows\SysWOW64\Cojjqlpk.exe

Filesize
96KB

MD5
e73744b5574dfb6103498df68b986533

SHA1
6ccb93ad880936a6eb793a699826ff3aed08eb09

SHA256
010303c6fd8d2d9db261a870e1a20e916c10eee0cb9b2fe36f7c3fcecc994137

SHA512
361979f9026707439f0491823ba93e4db2366d17a7571869e4d9be54d873486772c7bfdc1e95bf74eba4ee2d4f1849017e2b74a323673dbf39d4d1d7761e89f6

Download Submit
C:\Windows\SysWOW64\Conclk32.exe

Filesize
96KB

MD5
4bf505ab846add383a635a8550739347

SHA1
23d9c9a867a27d83147d84af8ccadda26c131919

SHA256
96c0b46a1f3ebdee85cdca2aebf808142f4eef43c420bf07c0d7ae0b2c3993de

SHA512
bf0af5f57157b718ba36f5c339702df76460f80ed7471c7fc26ac18bed16dc3d3c9d587ba861676db40e29d2b73dda7bda824b26ce63ca12fecb59150c84fb30

Download Submit
C:\Windows\SysWOW64\Dafbne32.exe

Filesize
96KB

MD5
88deb34b8d7d4c25c6f24a862d867b5e

SHA1
838eb61957a41d2ee840532c35a59435ddca35a9

SHA256
dd5409d98f69a2745fccc94c54f00c4015ae7c0a2436e64b7847f8711ee5cfa2

SHA512
2b63cf49e9552c341674e273fbfedd369d80f274ce1f9c43afcf23cbe3b62b987185314e87fa6eb3d8b037353c7ec2d94270a0f77efb4ec39fa8bde16fe19ca9

Download Submit
C:\Windows\SysWOW64\Dahode32.exe

Filesize
96KB

MD5
058cdc63c9c5862e4a0ef4ce1917e0a2

SHA1
e0815f3e3969e885f88ebfc05f2ae23bea67c961

SHA256
0ac74938dc8e4161262d61e7c3fd19eda0c27b3f98cbd0586f25665316f4c263

SHA512
a0a8f3a6568eb8eb0a261440d3fb7252ee2b46a6175adb5a9661bf366a05ee311afcc33ce982db817db7d348accf0edb1e89b8b8bf4ed341b751271d62592690

Download Submit
C:\Windows\SysWOW64\Daolnf32.exe

Filesize
96KB

MD5
99f07bc842436816fb561abad444f5f8

SHA1
50056d21da6f8c1a724a38704f7ca3cfbca5e644

SHA256
8b2ad0dac56902b173841b64990c56c99eebc447efcba04a1344566baddbc33a

SHA512
be38733a96075b0ee82b7f39306aa2bff4a5802781fdbfb9149ecf7a984d68428d51902a81d249fde23dda4ad57f459aadcd6e87a1021052242bb31d6450c0a0

Download Submit
C:\Windows\SysWOW64\Dbaemi32.exe

Filesize
96KB

MD5
37a706634302a7927e2a1fadad040b26

SHA1
d4382cd7ff7c5b54b23359505813664309711226

SHA256
1f875f315603074d4466a3ce58aafa8c480c1831721e6175c09da6216868bbbd

SHA512
882bb8820c0c015a00b0aadd720563e2280e876e880c48ffa367420a5dfc0e1a2509fb7fbc31a362138c28bd8013469bedeea7e851912f9da990abebeead4c77

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
bed16c982eabd2295cabf751786cf49f

SHA1
bdaf7d9f90a07a2a8fefdbcdf9eea2cfcbd81b7e

SHA256
fac9a146e20c046fd3ed7cd1e4a176b283843542356e281623daabbc993d1579

SHA512
4e4688bafa7fb2507d9702236033d1b92c20359328caf4e4dc78510977eb9101613fc45afce613feeb37a06403e4503d19bece1c8a8f185b7ed24cf1d79689f0

Download Submit
C:\Windows\SysWOW64\Ddmhja32.exe

Filesize
96KB

MD5
6cb2095c7e14ed0f25ab3c241b60827b

SHA1
b52d9627dd4e0dc2f7d69ebb2a587a03e61e26a8

SHA256
dd098ab0672a6e98be2237668fe3f870de6bc0a4d55db5fe17cae658c22f6fd8

SHA512
4914cef589b48093124c786e479f4715d678bd3ffb089083cf2949594d28d5df08e4e348954c7db7718d3b3fd0dec3692fadac8ee98b7b5133b75c4655f9af59

Download Submit
C:\Windows\SysWOW64\Ddpeoafg.exe

Filesize
96KB

MD5
db7e7d95c504659ccbdb61f49b88bb06

SHA1
c81e987081ef5c584be0d67dac2b098eddbb2321

SHA256
928a39f0342ca65e496c03b684ce262e037c1dc2a5170336dbd6cb39a22ba0fd

SHA512
0740d19c56b067cc3ffabfe92890ae42eef36739b7dfd459f87ad21c6c5e3e180fc450b1b2acf08fbc3ca2aaa25a4fdbb09764e0a5530a5d828013dd6388ff06

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
96KB

MD5
e7376bb352d871dcd3ccb3a5ac06981a

SHA1
0e04d3ca15a6eb45c2d9729ad20eba538ad55d59

SHA256
87c390d437ec45a5f1745ef0f0b2b5e70d7a4984a94866a226b6757f24fdff31

SHA512
844551e840846f2a755b917e6eb532d73b391a825e714884e84296ca41b2a92ebd62fd4e08b49e5ce1e44bafc9d143b08164a52e4013e0fedaa26f301d2ab5b4

Download Submit
C:\Windows\SysWOW64\Dhnnep32.exe

Filesize
96KB

MD5
78202977e2fe38b521d5f3f7d77de33f

SHA1
6ee0c8b32199ed16f1946d57c9aa130c292aece8

SHA256
30e037116bc9f7fcf8aac7685f3a0f1738d25771ee70b3db71ce26117c6607d6

SHA512
e1a8658200912a227bfccc5f615469e381737f5788a0fbb41352217de9c57cfa35c7e38c536b27f544291baa77f4709daace4610394825623b622f7c4c0b7a2a

Download Submit
C:\Windows\SysWOW64\Dkgqfl32.exe

Filesize
96KB

MD5
a70fa502f4a9262ef289ca99915bfb01

SHA1
d37a3836ae8bb6890669bc3e2514d66346472607

SHA256
0b7d64d88534875d19cdb21056ced633fdcaddd78b044682c7c44ff515229e20

SHA512
14ce57fb586c0712e1f2c35bf8d9eabdb1ba9c01e2fd8731a53d27663ab46242a21b78d6045bb0bf14712d939024942128720b33f08f76575af654f412355ccb

Download Submit
C:\Windows\SysWOW64\Dkoggkjo.exe

Filesize
96KB

MD5
a656ce9f92288351621e27d1fab2a6af

SHA1
5ab0e1ffdbbca5a421ba3492290879d11d93ad50

SHA256
25e44ff6e65d346b7b7ec4ed83e0878fe7f6d66879d860b9ebbbeef7e7883736

SHA512
818bec02a5e0f8c188e26648198796ba9bdc791c6efe1a41436c65c23c097fb63b95e43983e0384e2235565d49b00a1fa2de1e6c376ff0a80e677797b8ce0ee8

Download Submit
C:\Windows\SysWOW64\Dlgmpogj.exe

Filesize
96KB

MD5
0e63474e0dccb2ed58739c5ecb47904d

SHA1
3def6ccdd4c42f686f1f8dfcb3a386071a9df71d

SHA256
3c3c728b4a823338a7b84d30a19ea89c5bfff856f6002d61756d18c3af18e374

SHA512
2c2583792d09ad7f2eabdee836abd30fda283d3ac3fabc277ede61382df87314384b3ffd35145afb5a415031f69b8ade283a497ca11fbcdde88aee2565258b99

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
1288633a64cafd40507deb50c8cd290c

SHA1
40930b32f242f2e1080e1723c378524ab475f60e

SHA256
4c7e9d5abf275c704387bac0424bf156c0541650c668f288f87b11c96fca9232

SHA512
8e177398cd9349b2d88e247324c0d7dfeec0d575cbae0bbbf833324235a84498099422f99d940445353af6db1fe733d13943636f3c5ace066c55a18e2f8ff602

Download Submit
C:\Windows\SysWOW64\Dohfbj32.exe

Filesize
96KB

MD5
cf476050ab25e2695f8d7fa9523ee879

SHA1
68acb141c45f743194fa95a62e59b13b9126d6ed

SHA256
306ce9cb9dac4a5e26390a0c8ee0a7dd05f6eaba66ce2e78751e0314eb5e2317

SHA512
099783d507179f11394b2182550236a527f18ff7e30c38fde8612e0cba8e8b5ec234320efd6a03e504ab5f558986746246f6c71a4f1a9e0f71391ed9a0662b5a

Download Submit
C:\Windows\SysWOW64\Doqpak32.exe

Filesize
96KB

MD5
31f5f7ffb075acd05f139e4c5781a00f

SHA1
b11559061b2339f9fc9f32774464d7353dd2b345

SHA256
418a7f69f8f1929dd5826808e9231d2860c79961ab210e78b9a8a63f1728e3db

SHA512
85abc923965bc96e324e79f2cc6978453a8e0dbc132ea3435eefbfb542231f7484236ea8480b5275ab7a62eb76954bb2cbee40ff2750bdca99fec592a4f5ba31

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
96KB

MD5
96b51aa1a6fc22df8c7024421a30ecbb

SHA1
4122f0101090faafb22c97ef18a3e5654ec9b827

SHA256
d143e27daadd56769aa9edc22f08f0cb6bbe6ee4516767cb02b8a79b734790a0

SHA512
f095e9f09000f531c2554708cff7a84a2701d1a34e8e8ffd688343b4a4932a0cd8583096ac2b2cd7f4418256a8ee3120e5879cbcfeb8751eb2ea10505b9a9e2f

Download Submit
C:\Windows\SysWOW64\Fooeif32.exe

Filesize
96KB

MD5
645062e63a4d53ae9ddde36ff23c2d14

SHA1
562397e81327d68e0a6a5c74240ba2422acb78f5

SHA256
5e6e889c1b3b8fb24212ed1f7ebe109699414a4b14a2440dd4a3d77f1020f1f4

SHA512
160d5274051a31c24288731f452bb1794754244fe4fe76c0541929b1a3a89aa156456206e47e711530e9c0fd467f4a65a5aa7328e204edb55a8d2563679701f3

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
96KB

MD5
a0efd05725c5dd0afce771a18d3a067c

SHA1
feabb2d8fe5d047b15befff428b4c5ffd594c74c

SHA256
490cb011297420290d58a0840caa05032c34e77389e13df99711a273190ca8e4

SHA512
a28679944210d07ca5e6d18f8416e2503f93734adc26879cc3c28582dad466bf3125c9ef4d95f8dba3e4c66096a9badf30fbbbf099722e29181658a560f42d1d

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
96KB

MD5
c1b6dae03cb670aafc9f015591366318

SHA1
a37c2cde066d230aa0bfed6f012eaceef35f26fb

SHA256
793df2d3d0e16538893e2b5ee49d0be8650887b55758d07b1353fc5dcb40b3d8

SHA512
85b9a167055105a94e610ee0285b13998f9d0e1c2d2c540f4f84725d5d36a587652151df7802ffc0bd4951bf30a93dea40ae6ff3666a4268ad1d58c8cf9cbabc

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
96KB

MD5
dce2b8ab232a815fed127224efa4a35e

SHA1
5d5fea06ee19e5ef68666bb347ddf6e4e52fdffe

SHA256
4c68fc98ffb9c51ed93a9443de520484bafdad72057aa8977c0ae796900415c7

SHA512
cbded09273ad58fa4f0f737f94923ba154279b0467fa2609f16353ac62a75b18a6278ee2af4047667509b752be52f765a493165b7a7370780a11a835b09514f5

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
96KB

MD5
17acf4700aa12d6cfd11a422d83cc4ec

SHA1
e575ad352aa346817d78f0a36baa08adb727ba11

SHA256
25067fd14249dcbab4b43ef004662476cc28b5256f14aa82e0743c06ed6603c9

SHA512
71aebe059e5e0be9921a2428658f5a256ce1b0d3571e4ec2ea823b9e59c06a43f065d65575768766b850c06d2d373fc7ea36bd90730337632bf2083963ce86fa

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
96KB

MD5
b02f4c75fff584892ec3c3721ea32553

SHA1
46dd3edbcdb99a728373af30add8038e1320e540

SHA256
2675b91cc5182c8e5ede841de2553ca2c301872ca20e7b13b5efb2bf25428d9f

SHA512
1baf12b36b1b65fe26f738e7e8a8c013d4867ac9f90261df3e8e7293bee28cd17ef5c1b02bcbbdb7754ea3c1182f25266f6618dca842ca2a260fc26b49205c79

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
96KB

MD5
b61f03590034a98f9ceddfce5729760a

SHA1
f8af3401c63dad9e903052d4eda0531c44fa2319

SHA256
296244774aeaa5e209c3154eb06e7512eb33ef37e315bdea765e061bd41c78bc

SHA512
a702a5ef37b90f349c1155a84fd0d64aa072fd01de04abfeb99337738480b4b50f218396869adf696e3185f59a5c2b9dd7aab894ffa233761104fc826730e038

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
96KB

MD5
65c1d4f00e87597a5f5d37c9db78278a

SHA1
dc15a3c96c4b2940d4199ac18714f6f0ef82d880

SHA256
ce5f170602e7f6ae4eb2abd8ae9febee5f2d2892ac18fb8bd3a13eb47921e5ea

SHA512
c1f9f845b0b8f6a5d1059839e026bdbdf6e02109eb422ec58940310feade5b4632cc738ba05ab6a1e2c7cec2e850e4236297a07d56ab7e8cb0605d1e6dc3ba65

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
8a43cbed1ce628f67b1c6482020a8f0a

SHA1
d67611e26161bff56338be59a53186ed806f410d

SHA256
1b879e7786e9a59eaf8aea7af53abe816a63265be351b60095d31b0df7911c35

SHA512
dbe108824ce7daf7b79ce8523ca8a7e3474880a4ae89b0307429e2aaab09b70eac217d8a5c9b6a76f43cba79922af12bd6a153e74c142dd9b6a7872ad14ac75d

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
96KB

MD5
f82b736d459ba79fb40fe9d492cd256c

SHA1
40fa649a08cbb076cb3ae3e87381a1a79e3ad82e

SHA256
0bb912d5d70e28330a66e51a09e23ed5ae7c71587da367084d510af3157d4e6a

SHA512
9d61892c97cba50ead1c37046c6bc3e3b06b2cc0baaa3f96d9f6ad8642d7853af79c7b62255bdb300bd9fe5bebfcd60eac71345e7fbad3626f006967f83dee4d

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
96KB

MD5
cab14b2b481031e4383c835f303028fc

SHA1
da7b7cdfe987a7740aceef40e36cecba514b8344

SHA256
581cdad1a049be04ce886ecf0088e19efbdf56587a215c8a12b922890d198bbe

SHA512
aac4527a17806c9b2152e8e4ca2a4f9aae237b2dd51e00ce9e21872a889639c78d622068ad3047890769271cd1495ff95afd69b59f166742171c26075ff92192

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
96KB

MD5
d79bf6d9daf6bdcceee4b7d38959c9cd

SHA1
a12fdedb9bfe82ad7a4fb527a523559d4063a08e

SHA256
bf4f15506e9c5bbbf6d6957b04352e5d41fc58d133368e5413244c857b4dc923

SHA512
346c4fd39c362b35b001c1d12d68667348176315a2c9fd084b301ba9184d3cb44741c09269618ceb7e4fb67c4db1af0054fd15e66e88a38fa83961a2ddddff83

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
96KB

MD5
2b8c34245277ec052f9b6503b1df8456

SHA1
90bd719bba84e4213709fb91d71f45bf957b0e89

SHA256
fc1077a75ea71c1dc0e0c201a4c496036793e808e0e3693c59af653ae47a124e

SHA512
48f14f8f80f954da66c9b32c19c9e55be91ff461ec458e7bb2ff733473e07975f6047eaf80784f8b57d0f474a5fc903fb23b81f3110cb71a447c7677a1847f9b

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
96KB

MD5
ad54f4243f6e488e18fd1f8d6cfa838e

SHA1
1c2d6192ef35cd88e27d57592b03c8cd718480de

SHA256
44ec0c20e12ae6a1024f44c1488b85af4a62afd366d1e8f48e3e02df26d12fbe

SHA512
1cc623f6653587cd0eccc809f434d1a18b701e3668f524a6b44ea25fd653744857cd899c71763c0c5f435579139e304f97894a301c75e831462e5713b8d0bce6

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
96KB

MD5
cb4356def43d4115e2fe57f9a2d083cb

SHA1
35e7de28a85498b6a623a63f404b2e6691e111a7

SHA256
64a465e9cc9878b54e3b37b7131c32b21c57177bd0b03b93c6ea6dd71b42c7b7

SHA512
2bbfcb025135ba676ce64e5fbb387651bf647e89cea0c5c7baefa884ce89fc4085a58bfde6d8038a7eb17591ea9c31ea51830e451008f3f4ad020bbd5658f890

Download Submit
memory/212-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-4-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2712-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7600-1823-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads