5d93b0b02a580d482ff4f02b25c9ad52c6b9968dcc4e448d6ef62f093c48bad1

Analysis

max time kernel
143s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05fb6ff874af04bc0ee6de6e2ea3c290_NeikiAnalytics.exe
Size

1.9MB
MD5

05fb6ff874af04bc0ee6de6e2ea3c290
SHA1

a83a92cdba251af6928912467f1aaf1822d8c317
SHA256

5d93b0b02a580d482ff4f02b25c9ad52c6b9968dcc4e448d6ef62f093c48bad1
SHA512

87c1a32fe1fadace14860979ca3aacdb62900632c76d87259f7c892e31672105e1a92dbaf3c5f39d47ea3f7f4db46d77b5f72e60f35e022f90aaf1962e75d307
SSDEEP

6144:0ecsKKr2n0MCRqJ++6yYEwPJ2kEe16L9Jww61EvBqc:yc+6CwUkEoILTAc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoeoidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoiafcic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Camphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eekaebcm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgjmapi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peqcjkfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddecc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daaicfgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dekhneap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	05fb6ff874af04bc0ee6de6e2ea3c290_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camphf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdgdgnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fojlngce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eabbjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkmchi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iejcji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flceckoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okloegjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peimil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alabgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekacmjgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gomakdcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iejcji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddecc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elgfgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fllpbldb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdgdgnbm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehimanbq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flnlhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flnlhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcmgfbhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eabbjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe

Executes dropped EXE 64 IoCs

pid	Process
2556	Occkojkm.exe
4612	Ocegdjij.exe
3484	Okloegjl.exe
1640	Peimil32.exe
5012	Pbmncp32.exe
1996	Peqcjkfp.exe
4420	Qcepkg32.exe
4996	Alabgd32.exe
5088	Abngjnmo.exe
4852	Ajiknpjj.exe
3460	Adapgfqj.exe
4416	Angddopp.exe
2432	Bdkcmdhp.exe
2044	Bjdkjo32.exe
3280	Bblckl32.exe
1364	Bdmpcdfm.exe
4072	Bldgdago.exe
3552	Bbnpqk32.exe
2396	Bkidenlg.exe
1788	Cbqlfkmi.exe
1400	Ceoibflm.exe
2464	Cliaoq32.exe
4756	Cbcilkjg.exe
3416	Cddecc32.exe
1784	Clkndpag.exe
776	Cbefaj32.exe
1536	Cecbmf32.exe
3220	Ckpjfm32.exe
4084	Colffknh.exe
4652	Cajcbgml.exe
3064	Chdkoa32.exe
2636	Conclk32.exe
2828	Camphf32.exe
4892	Cdkldb32.exe
2800	Ckedalaj.exe
5024	Dbllbibl.exe
2024	Dekhneap.exe
2740	Dhidjpqc.exe
3084	Docmgjhp.exe
3000	Daaicfgd.exe
1600	Dhkapp32.exe
2280	Doeiljfn.exe
696	Dadeieea.exe
2660	Ddbbeade.exe
1456	Dkljak32.exe
1040	Dccbbhld.exe
1068	Dddojq32.exe
4528	Dllfkn32.exe
5060	Dceohhja.exe
3612	Dedkdcie.exe
3372	Dhbgqohi.exe
996	Ekacmjgl.exe
5004	Eaklidoi.exe
4424	Edihepnm.exe
1912	Elppfmoo.exe
2832	Eoolbinc.exe
1464	Eamhodmf.exe
3624	Edkdkplj.exe
1260	Ekemhj32.exe
2252	Ecmeig32.exe
4732	Eekaebcm.exe
2868	Ehimanbq.exe
2972	Eocenh32.exe
4460	Eabbjc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bbnpqk32.exe	Bldgdago.exe
File opened for modification	C:\Windows\SysWOW64\Dhbgqohi.exe	Dedkdcie.exe
File created	C:\Windows\SysWOW64\Hjakkfbf.dll	Iejcji32.exe
File created	C:\Windows\SysWOW64\Bjdkjo32.exe	Bdkcmdhp.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Gfembo32.exe	Gokdeeec.exe
File opened for modification	C:\Windows\SysWOW64\Flceckoj.exe	Fdlnbm32.exe
File created	C:\Windows\SysWOW64\Oekgfqeg.dll	Hodgkc32.exe
File created	C:\Windows\SysWOW64\Pacghh32.dll	Imdgqfbd.exe
File created	C:\Windows\SysWOW64\Hbbdholl.exe	Hodgkc32.exe
File opened for modification	C:\Windows\SysWOW64\Klimip32.exe	Jlkagbej.exe
File created	C:\Windows\SysWOW64\Llcpoo32.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Pbmncp32.exe	Peimil32.exe
File opened for modification	C:\Windows\SysWOW64\Fojlngce.exe	Fllpbldb.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Fiknll32.dll	Febgea32.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Lmdina32.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Alabgd32.exe	Qcepkg32.exe
File created	C:\Windows\SysWOW64\Egdmkp32.dll	Clkndpag.exe
File opened for modification	C:\Windows\SysWOW64\Ddbbeade.exe	Dadeieea.exe
File created	C:\Windows\SysWOW64\Edpnfo32.exe	Eabbjc32.exe
File created	C:\Windows\SysWOW64\Ghkebndc.dll	Hbbdholl.exe
File opened for modification	C:\Windows\SysWOW64\Ilidbbgl.exe	Iikhfg32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Flioncbc.dll	Doeiljfn.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Ckpjfm32.exe	Cecbmf32.exe
File created	C:\Windows\SysWOW64\Febgea32.exe	Fcckif32.exe
File opened for modification	C:\Windows\SysWOW64\Gdqgmmjb.exe	Gododflk.exe
File created	C:\Windows\SysWOW64\Ohfjnoma.dll	Ippggbck.exe
File created	C:\Windows\SysWOW64\Kfckahdj.exe	Kpjcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Eocenh32.exe	Ehimanbq.exe
File created	C:\Windows\SysWOW64\Nhdlom32.dll	Fdnjgmle.exe
File created	C:\Windows\SysWOW64\Iblfnn32.exe	Ipnjab32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Eofbch32.exe	Elgfgl32.exe
File created	C:\Windows\SysWOW64\Edbklofb.exe	Eadopc32.exe
File created	C:\Windows\SysWOW64\Hfifmnij.exe	Hckjacjg.exe
File created	C:\Windows\SysWOW64\Klimip32.exe	Jlkagbej.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Ocalcppo.dll	Eoolbinc.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Lbjlfi32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Gogiek32.dll	Edkdkplj.exe
File created	C:\Windows\SysWOW64\Kmipecpd.dll	Fllpbldb.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hhkephlb.dll	Fdgdgnbm.exe
File created	C:\Windows\SysWOW64\Hkfoeega.exe	Hihbijhn.exe
File created	C:\Windows\SysWOW64\Hcmgfbhd.exe	Hkfoeega.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Lgdalf32.dll	Edbklofb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1372	640	WerFault.exe	355

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpeohm32.dll"	Hfqlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elgfgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gofkje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdkcmdhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edkdkplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hoiafcic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alabgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdamdma.dll"	Cbcilkjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbmncp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbllbibl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flnlhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eheqhpfp.dll"	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjnpq32.dll"	Pbmncp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daaicfgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckafhlkg.dll"	Dccbbhld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hihbijhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oekgfqeg.dll"	Hodgkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipnjab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooajidfn.dll"	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcbifaej.dll"	Jimekgff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnopdeh.dll"	Fdlnbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iblfnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clkndpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqcfnjk.dll"	Faihkbci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkciihgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekfmb32.dll"	Heocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okloegjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjgia32.dll"	Qcepkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaijinl.dll"	Gofkje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfkoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iemppiab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkciihgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hoiafcic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2556	2784	05fb6ff874af04bc0ee6de6e2ea3c290_NeikiAnalytics.exe	83
PID 2784 wrote to memory of 2556	2784	05fb6ff874af04bc0ee6de6e2ea3c290_NeikiAnalytics.exe	83
PID 2784 wrote to memory of 2556	2784	05fb6ff874af04bc0ee6de6e2ea3c290_NeikiAnalytics.exe	83
PID 2556 wrote to memory of 4612	2556	Occkojkm.exe	84
PID 2556 wrote to memory of 4612	2556	Occkojkm.exe	84
PID 2556 wrote to memory of 4612	2556	Occkojkm.exe	84
PID 4612 wrote to memory of 3484	4612	Ocegdjij.exe	85
PID 4612 wrote to memory of 3484	4612	Ocegdjij.exe	85
PID 4612 wrote to memory of 3484	4612	Ocegdjij.exe	85
PID 3484 wrote to memory of 1640	3484	Okloegjl.exe	86
PID 3484 wrote to memory of 1640	3484	Okloegjl.exe	86
PID 3484 wrote to memory of 1640	3484	Okloegjl.exe	86
PID 1640 wrote to memory of 5012	1640	Peimil32.exe	87
PID 1640 wrote to memory of 5012	1640	Peimil32.exe	87
PID 1640 wrote to memory of 5012	1640	Peimil32.exe	87
PID 5012 wrote to memory of 1996	5012	Pbmncp32.exe	91
PID 5012 wrote to memory of 1996	5012	Pbmncp32.exe	91
PID 5012 wrote to memory of 1996	5012	Pbmncp32.exe	91
PID 1996 wrote to memory of 4420	1996	Peqcjkfp.exe	92
PID 1996 wrote to memory of 4420	1996	Peqcjkfp.exe	92
PID 1996 wrote to memory of 4420	1996	Peqcjkfp.exe	92
PID 4420 wrote to memory of 4996	4420	Qcepkg32.exe	93
PID 4420 wrote to memory of 4996	4420	Qcepkg32.exe	93
PID 4420 wrote to memory of 4996	4420	Qcepkg32.exe	93
PID 4996 wrote to memory of 5088	4996	Alabgd32.exe	94
PID 4996 wrote to memory of 5088	4996	Alabgd32.exe	94
PID 4996 wrote to memory of 5088	4996	Alabgd32.exe	94
PID 5088 wrote to memory of 4852	5088	Abngjnmo.exe	95
PID 5088 wrote to memory of 4852	5088	Abngjnmo.exe	95
PID 5088 wrote to memory of 4852	5088	Abngjnmo.exe	95
PID 4852 wrote to memory of 3460	4852	Ajiknpjj.exe	96
PID 4852 wrote to memory of 3460	4852	Ajiknpjj.exe	96
PID 4852 wrote to memory of 3460	4852	Ajiknpjj.exe	96
PID 3460 wrote to memory of 4416	3460	Adapgfqj.exe	97
PID 3460 wrote to memory of 4416	3460	Adapgfqj.exe	97
PID 3460 wrote to memory of 4416	3460	Adapgfqj.exe	97
PID 4416 wrote to memory of 2432	4416	Angddopp.exe	98
PID 4416 wrote to memory of 2432	4416	Angddopp.exe	98
PID 4416 wrote to memory of 2432	4416	Angddopp.exe	98
PID 2432 wrote to memory of 2044	2432	Bdkcmdhp.exe	99
PID 2432 wrote to memory of 2044	2432	Bdkcmdhp.exe	99
PID 2432 wrote to memory of 2044	2432	Bdkcmdhp.exe	99
PID 2044 wrote to memory of 3280	2044	Bjdkjo32.exe	100
PID 2044 wrote to memory of 3280	2044	Bjdkjo32.exe	100
PID 2044 wrote to memory of 3280	2044	Bjdkjo32.exe	100
PID 3280 wrote to memory of 1364	3280	Bblckl32.exe	101
PID 3280 wrote to memory of 1364	3280	Bblckl32.exe	101
PID 3280 wrote to memory of 1364	3280	Bblckl32.exe	101
PID 1364 wrote to memory of 4072	1364	Bdmpcdfm.exe	102
PID 1364 wrote to memory of 4072	1364	Bdmpcdfm.exe	102
PID 1364 wrote to memory of 4072	1364	Bdmpcdfm.exe	102
PID 4072 wrote to memory of 3552	4072	Bldgdago.exe	103
PID 4072 wrote to memory of 3552	4072	Bldgdago.exe	103
PID 4072 wrote to memory of 3552	4072	Bldgdago.exe	103
PID 3552 wrote to memory of 2396	3552	Bbnpqk32.exe	104
PID 3552 wrote to memory of 2396	3552	Bbnpqk32.exe	104
PID 3552 wrote to memory of 2396	3552	Bbnpqk32.exe	104
PID 2396 wrote to memory of 1788	2396	Bkidenlg.exe	105
PID 2396 wrote to memory of 1788	2396	Bkidenlg.exe	105
PID 2396 wrote to memory of 1788	2396	Bkidenlg.exe	105
PID 1788 wrote to memory of 1400	1788	Cbqlfkmi.exe	106
PID 1788 wrote to memory of 1400	1788	Cbqlfkmi.exe	106
PID 1788 wrote to memory of 1400	1788	Cbqlfkmi.exe	106
PID 1400 wrote to memory of 2464	1400	Ceoibflm.exe	107

C:\Users\Admin\AppData\Local\Temp\05fb6ff874af04bc0ee6de6e2ea3c290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\05fb6ff874af04bc0ee6de6e2ea3c290_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\Occkojkm.exe
  C:\Windows\system32\Occkojkm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\Ocegdjij.exe
    C:\Windows\system32\Ocegdjij.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\SysWOW64\Okloegjl.exe
      C:\Windows\system32\Okloegjl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3484
    - - C:\Windows\SysWOW64\Peimil32.exe
        
        C:\Windows\system32\Peimil32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Windows\SysWOW64\Pbmncp32.exe
        
        C:\Windows\system32\Pbmncp32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Peqcjkfp.exe
        
        C:\Windows\system32\Peqcjkfp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Qcepkg32.exe
        
        C:\Windows\system32\Qcepkg32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Alabgd32.exe
        
        C:\Windows\system32\Alabgd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Abngjnmo.exe
        
        C:\Windows\system32\Abngjnmo.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Ajiknpjj.exe
        
        C:\Windows\system32\Ajiknpjj.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Angddopp.exe
        
        C:\Windows\system32\Angddopp.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Bdkcmdhp.exe
        
        C:\Windows\system32\Bdkcmdhp.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Bjdkjo32.exe
        
        C:\Windows\system32\Bjdkjo32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Bblckl32.exe
        
        C:\Windows\system32\Bblckl32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Bkidenlg.exe
        
        C:\Windows\system32\Bkidenlg.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Cbqlfkmi.exe
        
        C:\Windows\system32\Cbqlfkmi.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Cliaoq32.exe
        
        C:\Windows\system32\Cliaoq32.exe
        23⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Cbcilkjg.exe
        
        C:\Windows\system32\Cbcilkjg.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        27⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Ckpjfm32.exe
        
        C:\Windows\system32\Ckpjfm32.exe
        29⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        30⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        31⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        32⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        33⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        35⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        36⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Dhidjpqc.exe
        
        C:\Windows\system32\Dhidjpqc.exe
        39⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        40⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        42⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:696
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        45⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        46⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        49⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        50⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        52⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:996
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        54⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        55⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        56⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Eamhodmf.exe
        
        C:\Windows\system32\Eamhodmf.exe
        58⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        60⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        61⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        64⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        66⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        68⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        70⤵
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2008
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        73⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        76⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        79⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        80⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        81⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        82⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        83⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        86⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        87⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        88⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        89⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        90⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        91⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        92⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        93⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        94⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        95⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        96⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        97⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        98⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        99⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        100⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        101⤵
        
        PID:916
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2516
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1700
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        104⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        105⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        106⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        107⤵
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        108⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        110⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        112⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        113⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        116⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        117⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        118⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        119⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        120⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        122⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        124⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1548
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        126⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        127⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        129⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        131⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        132⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        133⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        134⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        135⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        136⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        137⤵
        
        PID:936
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        138⤵
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        139⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        140⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        141⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        142⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        143⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        144⤵
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        145⤵
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        146⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        147⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        148⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        150⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        151⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6844
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6884
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        155⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        156⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        157⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        158⤵
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        159⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        160⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        161⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        162⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        163⤵
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2000
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        165⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        166⤵
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        168⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        169⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        170⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        171⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        172⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        173⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        174⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        175⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        177⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7048
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        179⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        180⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        181⤵
        
        PID:924
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        182⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6476
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        185⤵
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        186⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3768
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7072
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        189⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        190⤵
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6532
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6940
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        194⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        195⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:532
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1672
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        198⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        199⤵
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        200⤵
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        201⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        202⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7252
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        203⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7296
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        204⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7388
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        206⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        207⤵
        Drops file in System32 directory
        
        PID:7476
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        208⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        209⤵
        Drops file in System32 directory
        
        PID:7552
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        210⤵
        Modifies registry class
        
        PID:7592
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        211⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7680
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7728
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        214⤵
        Modifies registry class
        
        PID:7772
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        215⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        216⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        217⤵
        Modifies registry class
        
        PID:7892
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        218⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        219⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        220⤵
        Drops file in System32 directory
        
        PID:8016
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        221⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        222⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        223⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        224⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        225⤵
        Drops file in System32 directory
        
        PID:7236
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        226⤵
        Modifies registry class
        
        PID:7328
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        227⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        228⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        229⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7676
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7764
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        232⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7604
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        233⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        234⤵
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        235⤵
        Drops file in System32 directory
        
        PID:8056
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8128
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        237⤵
        Drops file in System32 directory
        
        PID:7212
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        238⤵
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        239⤵
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        240⤵
        Modifies registry class
        
        PID:7648
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        241⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        242⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        243⤵
        Modifies registry class
        
        PID:7248
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        244⤵
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        245⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7356
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        247⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        248⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        249⤵
        Modifies registry class
        
        PID:7920
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        250⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7820
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7844
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        253⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        254⤵
        Drops file in System32 directory
        
        PID:7412
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:112
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        257⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        258⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        259⤵
        Drops file in System32 directory
        
        PID:7940
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        260⤵
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        261⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        262⤵
        Modifies registry class
        
        PID:7780
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        263⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        264⤵
        
        PID:640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 216
        265⤵
        Program crash
        
        PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 640 -ip 640
1⤵
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:112

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:7852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abngjnmo.exe

Filesize
1.9MB

MD5
dc45745ac5ba849bd8e1fe0d9af9369f

SHA1
2691b70d481aefbfc12081b9401666defc3d573c

SHA256
8a5dcbc9da184a8a67078b6f47c07e286e5207cbde0473a1b1656e7cc5e948a2

SHA512
fa9cecb5eadcd4f4c756ef7930254ab5b9dc075b61479a93f3958a97177df1588bbe5cedfbdabb01e1988023a6347ba82d52451de40e25607b561587b9e5def8

Download Submit
C:\Windows\SysWOW64\Adapgfqj.exe

Filesize
1.9MB

MD5
cac5c25ecf59f49d322954e98fe65742

SHA1
00461b689a8483abf237541425341f46a2c38984

SHA256
4edc69d29036f51e5888c42f05251a063f600800e7178c948040ad0bad606c45

SHA512
c41da39daa92283e0d6f657f4f51dfb145369e5dff33765dc50ca316b7844b1eac9dc25935cef8782a10801097b56842ecf8e867b39b0d8655455b481ed21437

Download Submit
C:\Windows\SysWOW64\Ajiknpjj.exe

Filesize
1.9MB

MD5
fa0c8f4a93551cd9e0eb85be6f4765c0

SHA1
be5e2b855c5161e530352e0edd65b7029d9a9f92

SHA256
34429c6d877e5c7d266b7a565bd413c4946d74a8515e9c6c29ed4aae319b395d

SHA512
40f778de87423a48970fabb76019436d2809bc8a310c5c060e3c85ab2a466cbd57dca9503cfb80982b1ba01945b904a9d05fdc763d6bd652c80cb428d0209db2

Download Submit
C:\Windows\SysWOW64\Alabgd32.exe

Filesize
1.9MB

MD5
815f1cda1f7920926acfc72549581654

SHA1
a2573eb902e72a56fce0472bf61368c13c145375

SHA256
9776b04a1a8b574bb80557286f169df659e260f9ac93799d5c86e46e24af25c0

SHA512
d29afdeb48120097acc68753c67e67b17ffeff976fb8fab419feaa6d937aee6c965a980eb1ac71ae56b569e3b12c356d973843b18932fbcb13d76e480565ce93

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
1.9MB

MD5
192112b3ee47b359520f61cfc448d718

SHA1
6c1f4a4da0bc102ed1f7102aab3d3a55d32ea88c

SHA256
215ac522b8984312488791a6eaf65b476eb8977722c4097ba7826bbb77ea5579

SHA512
43b2677e9a4685bb57810c8172138a51720447a92ab2c1643ed1c9a968139c3bbcabd87baf11f971c0e3c0978f2d4a9e078cf8e955f2e9b50bb930919431327d

Download Submit
C:\Windows\SysWOW64\Angddopp.exe

Filesize
1.9MB

MD5
f49843cb6704ca71c16e98cfa4c24ed5

SHA1
e30a65253f65cfe6c77a9d7e07abdb2052e49fb2

SHA256
3397bb629faeb5eb778d1844e2106b4f2a18eb2a6c7973b116dcec69e5e59608

SHA512
9e2bd1f05300e41a178dddf1d63227e1aef46463690c0a0f50dcf2a1efcb30fb5b066e8aaeb5c20e53ab076ac64bf82552d3565802c991b5b8869b5e9bba034e

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
1.9MB

MD5
3a32a036189421f76049f7538005b23e

SHA1
b1293010660d043e9225fb41bd3f6177364aa05b

SHA256
e0ff680c62982e420e127a9be734746b4f0e4cbb62209ed218815bcce835104d

SHA512
8be6521f9d04140824acd25fe44c8675b429dd2a02f46bbd4fd007ed5afe54017857aa8c070254b4c485c684b847327ba2981e44fdaded7ae4b24873ceb3ba4c

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
1.9MB

MD5
e7f39a9e87a043054dbfdc0aaa7aea60

SHA1
fac95a5431d137d4f29fe199df9b243f810f3ffc

SHA256
93d1a825fc859ee24a41c100f462246505a47fb113bacf71025f8eaf5e700c27

SHA512
7d5827748b9c24a6ef89ad416ae60e9098ae63cdb6737ee7365f4d4ce7665991e14b8e9f15aff425b7c782937c4d61b263c683d710ea416276e32febf8b428bf

Download Submit
C:\Windows\SysWOW64\Bblckl32.exe

Filesize
1.9MB

MD5
c0d7df20fde0d2c1f75cf7b41eb3363e

SHA1
a469fddfc0c474fd6f2438cbfbffe77e70c3b8a1

SHA256
f55755ffa503ead5462afb7acc03c9743ad9699f86ec94fe7e87f1f9d001212d

SHA512
78a1093f4314066ca7b079a8999871943c8b270835d00e08e6680598322032622fe2c31aafa32d05cf165a18a2a07e40257e40bc578fdfc1306561e1cc73d200

Download Submit
C:\Windows\SysWOW64\Bbnpqk32.exe

Filesize
1.9MB

MD5
a7ec3693ee95b847f14f06c81393d338

SHA1
8cd0e238067a3759df8631be048564bc3cca7cdc

SHA256
8e916adb7a18024051baa254b19192845ecceb548fceb304107e2c8f9c3b72b0

SHA512
9a3910df59c2566dae540b535a56531c8bfffba96869804a9d50025ea7ecd109dce28866e7297946770d97458ef99f922de1e16d058c09402edf28408000f980

Download Submit
C:\Windows\SysWOW64\Bdkcmdhp.exe

Filesize
1.9MB

MD5
d3442d4f8a36af4505ea0f05e53f7c98

SHA1
10348020336b0cd11307c5cf025ffe408e29a8f4

SHA256
d929cf6d1d4ed36ce489352573cc81658c4f00fa51133ade9945f85ad1be23ca

SHA512
cf7f05c18355447d5ce04c1532ade971612b6b1e611e029247fb1e8fdda3a2d91c6f9a12a466f9a9766d910fd9cd49aaf3dd8b8c1f8267410e83894344dd4b42

Download Submit
C:\Windows\SysWOW64\Bdmpcdfm.exe

Filesize
1.9MB

MD5
9df47cf213438c9c82ad96ada8e17824

SHA1
df03826221980ea60f5eee5299324326f95fa266

SHA256
e91afcc499d8e4312135e6c5362c969bf6deeea41c274f962ecbce604d10293f

SHA512
0170c8befcfd3b0283efe16bb9d9ff7b96fe4f23dbf27903f7b2a3676d6a5c5e293db451282825039ab83a71cddabcaddc8794939f5ba8705a2939f2cc498f3d

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
1.9MB

MD5
58de48f88fe7887cd7f45facf32d2840

SHA1
b043458958cbbf7a00c0e375b4ce687ef6f492c3

SHA256
0c0630d0f94a5e98c426ad899ff66ab61a8ffdf533a1a298d6b46d451a97d136

SHA512
d9dc38716167bdccce0f1394c5a275e398fd10a399f6ead516cbe4b6441d286b2747718d9491ed28f85c97d0e06bb9bc2f0a6680c29df3f8e5061afba7546711

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
1.9MB

MD5
44fdd05c879814a2b1bb2f5bcde86999

SHA1
c694c0e38b5319ec8a3f4c9be1b59a4aed3e09b8

SHA256
ad2643910f66f6ebfe542e11112f9a8494ceccbbc975fe20d312244bf2cf5b21

SHA512
17f5150bba42634c2a8611b0b87fd0b6ba7b7e0d05b84c46af3645bd6101044749eb176b7233d434af4c1c871003c21a8308d0140bcc0188a3167c63daebe727

Download Submit
C:\Windows\SysWOW64\Bjdkjo32.exe

Filesize
1.9MB

MD5
4ce01b68a9fcd75696cd8bc243cf79cd

SHA1
186aedf809285e9096c445c1bedb31980ad3759b

SHA256
5ad07b4ecaf9b0d9b1dc4527e368214240c9161b564f891dd950a677cb7d244f

SHA512
b1b07182fee0eb49bfe4bdb25836befeed5aa24dcc9360e8626684a993c09570d42639155c51c84ad561dda91859b4a454caf1fa0452c32147bff9c14f4d167c

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
1.9MB

MD5
f25ab5086925fd79c25ded699334169c

SHA1
d27a45cb9e0d051768b250c038d49caf1191fd19

SHA256
b66b441bcd77c9b42e75bae04f43928543336b01196caf61f7147ffff4ba49b4

SHA512
111ccd80523da6be6909fd8af2ca7c764d8027fad15d414d927f659d5549f01be464a6c0c64b56f86f246d2ab0acb15eca103374bc26a15dd1d18add4e796cab

Download Submit
C:\Windows\SysWOW64\Bkidenlg.exe

Filesize
1.9MB

MD5
539546df190dd5939573320effd5cfcd

SHA1
d4a6dbf84707128643c034b0e29343dd66bf03f3

SHA256
c3e877329960d6bdc5bab445a120ebac8a2b09c3cde98cf3c7633a19a2d65d91

SHA512
9e82d470c9c1aeb210fe8ed4e294b5e6dea711652c76d27f604625356cac09278b5b75eff653abcbad083214e4cf18cd64e52df91524fa6cec7bc70a23af6d50

Download Submit
C:\Windows\SysWOW64\Bldgdago.exe

Filesize
1.9MB

MD5
c031720b0e3c1b068bc86067f194661a

SHA1
a6e823d501b47f4b7fbdf6cd7bcba3a78e48e314

SHA256
547d701b0d7ee089ca1a488965f55f25cd39b38548f0b5c0afa8ecda04503ea2

SHA512
106f996bb841dfd3da22b93555b16e5af5e2e5c56bc50af80a28d7237ac4a1791e564e3090045ff84292ef08414e4a08b11efdefa6746285383718ddb2da9f64

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
1.9MB

MD5
f3bd362f4bdbc0588f5c0740bde8f9c0

SHA1
324a9d761e3b29b693b8df8e74f6505ce1223d48

SHA256
0cd1abae5288c5c2ba59e1a7fbc00576f5875aeea002a8f4d519940acaccb7d7

SHA512
6f93ed8e3c098f594abffba38d2c5d402791bb383f70d3d9d1064ef46e387578985976a5802193197927625d2ac5f6ff6861da886aa1a9df113ac5b18a1b2a51

Download Submit
C:\Windows\SysWOW64\Cajcbgml.exe

Filesize
1.9MB

MD5
2f5de8c2230b9e8dc7c49610dde29fbd

SHA1
67bcade26d877e65203d57268ff80a6239155a41

SHA256
c9b60d943fff2474360d657886802e8b10ec0dc85a5cc5c3cb254b2e8e83fdfa

SHA512
32631beb89d14c9106e57920ab5c11c79405e5ae0a4b4b517191f3e46037404e817a978b46aed091a6cdd7bf2c5fc4ea3e940359ff28014ef47daacd348f5d7f

Download Submit
C:\Windows\SysWOW64\Cbcilkjg.exe

Filesize
1.9MB

MD5
c80ce53e2316b4187f329c395566c9f5

SHA1
ff5963e4fa4453976f25a191845537261a84cb4a

SHA256
6464bbc775f0e0f959bb2db0376736812bd3e293ffd2039bc99f9555e54fd2c1

SHA512
c18b427d9ae78c8f0dd00f483f4bcf885aaf2dbfdebbb32778d3e4b4e15380f3e19b683be857de53ae81003d9e9c0dedee9e34c1556c2ae03f957baa0f8c86db

Download Submit
C:\Windows\SysWOW64\Cbefaj32.exe

Filesize
1.9MB

MD5
707996761587140b64f33c3198039b73

SHA1
dd7bb27cfd1b9ad7abae94d245467aa503485a9f

SHA256
e386f9b193b55554abef1c18c96c434ee995bcc72aafe7e99b8f3a0cab5a3f1e

SHA512
deb6d7df64000f857fafdb40811cd3eab91449c19babc3827516b84e025e87893ecb6938863b89b2b4e173b29d14f22a9ba8adc908c95b18f3f9d56679522079

Download Submit
C:\Windows\SysWOW64\Cbqlfkmi.exe

Filesize
1.9MB

MD5
aff316e2243362223267ee3b3ff8df74

SHA1
55ab5d48163d47da1872b81b03b962f68ceb08d8

SHA256
d0008d2ebe72fae2fd9501ff977871a63e14bd8b944dc6211aa3d4a798264472

SHA512
130d804901817ed7a4eef972fb04c040abde5a29940eb2156bfafe5b0e8a6082bb6ef22e9c08e38405c5903a07520d880e73541ae216897e55479fa5329b2046

Download Submit
C:\Windows\SysWOW64\Cddecc32.exe

Filesize
1.9MB

MD5
594ae86da0318c89d7773c55865dac2d

SHA1
ad21ce67b2da47b346577ace4767964c9a8399c4

SHA256
571ba9b3ae27d209de88ea80ee474d5f8235db2cd61e5f3d6baa6af5637ff81d

SHA512
22d77339aa012e57af5300d02283214b77543d0093bddcf67c460a1984303b40a38a08e65c915e2151c407ba898f8abc4bffab902e62454599c7509f13f5c6ed

Download Submit
C:\Windows\SysWOW64\Cecbmf32.exe

Filesize
1.9MB

MD5
72544055c76967cdda650023439982b7

SHA1
852044d720d964617529834877b73fc5a5cb34a2

SHA256
88390d1e3c68fbe5dbf4afdd28c0995b85bf2987de7ea981739517096dad75f8

SHA512
57402f25ac2e9cfb64e29c6ee13d1dabca08a1ba065918cc60b1d6fa44b252536e8344b5bbfdd121378f4f66da680d52510237a9c10f74b74d9b990594ea26e8

Download Submit
C:\Windows\SysWOW64\Ceoibflm.exe

Filesize
1.9MB

MD5
48abaf9f93701af3041488acb7ad4f2a

SHA1
afd2d85404fa45d23830029c07f8e9cddcdeb6f4

SHA256
7ee1258c8a7edc107a2401122790a06b9ff2c0ae080064b93266e86a20e50ecb

SHA512
2e5de32e7475a175ed6e8a5c7d6836cb8b98188a3c9cf580ebff508eb282d1afb212df4ab4a44b793584a87b916e77d7b9b25969dd5837f838cb591c82be95bd

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
1.9MB

MD5
92881a199279fc9911adb885e747ed26

SHA1
534f69f099be5cf512e6a142eee27b05a7b1a21e

SHA256
b221f1e8574f0daff0152ee10c2b8e88dfe61cb46e1aba0312a00ac9873e7391

SHA512
172e0acc2729cc3f9a5580bbd936f354fcb0bd01cb3795aa65dac78bccaa08c7bc9a16f47fa9449ed986e51b251ae7ec7689b0d0f9781871fc6e4c9e96416956

Download Submit
C:\Windows\SysWOW64\Chdkoa32.exe

Filesize
1.9MB

MD5
aa1939f7ea9d4c8d38a686bcce58e3e2

SHA1
646b0b88f900f6895284cb4f49c7f67612ac1e4a

SHA256
09fb0f23f806119ee2bdd3513e66431cdf3e778f45f814cadceb4814eec316b1

SHA512
3afbf63f18b53bd30b37fa41cbc813209288bc269b64cb7008721a4d2e518118eeedf8e52a9320da4591abf3fa7bbb12057b1f358402b22cf4bb52e1900685a5

Download Submit
C:\Windows\SysWOW64\Ckpjfm32.exe

Filesize
1.9MB

MD5
acfbc7cc06f10ee4c54bdbceb22c8a4e

SHA1
ccf5483e0cde1c4876f95baf0de22c7f2b0f9d14

SHA256
eedca949a5348188e6f01e02aa4354aba7e0418b10a4346243202cf2b2476f7b

SHA512
0d75fb929879514e11343f7b6b0375bedacb79905442c2b44621709af46a2d8ebe29818cad1729f05cac3652b84a31b6d9b67e1fffc15d20a0300cdf7841a248

Download Submit
C:\Windows\SysWOW64\Cliaoq32.exe

Filesize
1.9MB

MD5
5eef4cb3ddb376f7e1ef74627992e2fc

SHA1
24f9063ccf6d6d61cbaf14199d721262eff7b8be

SHA256
f62b2f92f1098bd5c535ed9be735c862984e910a35a4c3cdc536d72cc6dbf6f7

SHA512
2565afab46d97a5261f4805ef6bf2867ba322e9292e3c74d27c8910d897f58c94277755ba2f69bcd985665516edcaa4e55fe3230d4064ab2c99b1ec01b70a05b

Download Submit
C:\Windows\SysWOW64\Clkndpag.exe

Filesize
1.9MB

MD5
6e04bfa1932752fd95e805e291533454

SHA1
b14cafef70c505a304c3ce83786add3539e4b78d

SHA256
46425c7ced2c26950fdf24bb4ae14d5a874d0b5d18d966438b12ac7c7f88fa13

SHA512
39c2ff2f95b10a51630429944cc11837ac4f8fab67fd7fefe8cc24407e80651182b8ccc9975fd32fc7d1c7948b252e526916df2437f4412286acac587cf35ba8

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
1.9MB

MD5
3eaadfc9e751d1ecf5e892ef4815c920

SHA1
63e4709762cf63aeedd5891684957d11ded967f3

SHA256
3b1376a62a1ccbfc225a328828a4c83a73be2f6245565833a65ffdd65bc45630

SHA512
d664ecc71af460de4378988c04817a4542113034b4c32548391badc884bd36860c02b55313e57937b05b008708be67eb528f248f139161a34c50c4f90622c883

Download Submit
C:\Windows\SysWOW64\Colffknh.exe

Filesize
1.9MB

MD5
37befd70078000ddeb6a1d78dc517988

SHA1
aab8b54faa040e230c2a4b4430bf498b508b81e3

SHA256
47af91f457482c123031b33fe3e237b4f50c92c8823ff2b6321897d28359086f

SHA512
e9606e0718d37444e4529c18c9e98b1e5f012bf35477fe992dbd1de52a29501d8579c692b437dd4dd7617f2ec108c87796a02c92320b5796b71580335f29aa3f

Download Submit
C:\Windows\SysWOW64\Conclk32.exe

Filesize
1.9MB

MD5
7da3ecf7f363c0df0c173dbb377160da

SHA1
3460b8f072c615e09e7f7ff202024a0bf2170e1f

SHA256
85cb6ce5edb7fc9a885b58e2f1f6b2484795ca2322e530a385f73f2089e15bfd

SHA512
5e74aed4065c03a38f9708dbb7ac26d84bb9b33c5f57fe5c75ae08bab5600992e83d6175068c151eb3f2ebca10f478b424aaf34913b1470c72a3c3ce0870b09e

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
1.9MB

MD5
e9b97c9c50bf3e9131447b34e6ea9b6e

SHA1
7e00b8ea11b7de60b61b525a841f889090352699

SHA256
14576948db10b0c669e1ecd7a66a90ffe3ae49726b14f8be0c3b5dcce5f2a3a8

SHA512
dd4f25592f49e0096118779ceae696cbf0c5f8e68a7da0ef254cee781e605dde15c43638f3677fdb6ba8108f1cafe10068a13bb4d7b6ebe3a752eab6878a928d

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
1.9MB

MD5
6bbaeedbd2d0caa96e84354ae0f0af7c

SHA1
edc5698332f5df760663224e27309fdf446906fd

SHA256
8fce79e28ce3fa1f9d312a26613f0a2c7ae6c3e9333f9d4756dcb9dfefdd78c4

SHA512
15c1a92d2883a4d613b331fa1af23443991c1372b3a9b6b601b07645d50454cdacaad58068472ae0492d0b83781079c0608dd5cdad4cb9d54519922f4066384a

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
1.9MB

MD5
9dd496ef6084e4e5643762596a767a4e

SHA1
3c61d0198523f98b73e4e0a456435a4de935930c

SHA256
283ad74eae2fb651cc2003114151b81c8029fbfdbc1ec977d8732baa50ebcd21

SHA512
833570e6d33905f8720c4cf426ab61ec0607b13d86f435dd2a1db7c9e934c21efa5dc80ff16fe7ce1c6faa2e1c67787b8445c462a05533b1bc57ea4ced7d1aab

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
1.9MB

MD5
3e3c6d2f63eb08dab59b9afc3db485fe

SHA1
914bfaa26704965a48a8126a9ffc4982c18caf71

SHA256
84ba05365bae5562bc87a1067738105068939885d24c330b33edaec51bff40e7

SHA512
3ad57fbd9f799d4aa2b658931c5944ad0422f0c7072eed06bebfdd2ec52cf15befecba0977c7c11712d7709f0558f429978f6e50d9f0c59e27b05c029f4e0201

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
1.9MB

MD5
bd4daa7420175415e8aaa72ea0d322a0

SHA1
d92a8a3d604db4ce60dcebe72bf7924426da3dba

SHA256
e2c78232609b5b2df01eb43b9cc7f26b9d9d1bf85e3640d7285fefa8ee9c8a62

SHA512
3460b0cf2e4314df2b6e307c0ec5ebc53fe5792d5f76e7571e3837950125c4109e7db487d5e2fbef21ccababc0a8a2ea8c5756fbd3e6543bf9c4507e0cb779e6

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
1.9MB

MD5
913e90ce47b7f922a9ea3977cc98fc55

SHA1
e9f7b149c0c9184fd8a347c552577aa2e0b0b914

SHA256
bd8d6d76c2e318956faa3232b3f22ed0aecaab7d9a217821b220f8a8460946b4

SHA512
88204b7e6c511cb79969a6624f0407607a19e3ae4288fcca9aca48af84bbd1b83cd432f8a3a10bf4fe48a12cc54ccda090a73a49391af1aac76c2f47ad03306d

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
1.9MB

MD5
8bc06f9100c20b306788109355bf5a49

SHA1
d03b8fb413eabd94723e4684eb8f57b22d17bca9

SHA256
73970b01e49b7176c91085b49c8cad0b550be2042836ba1dba19c4460238efc1

SHA512
c23ef693a0e894f2ec4fcc9ae6cf07af4956d6b6a52ac9113411877a38272de2c7368d53709fd980d49e4e341f1e47e1feb508b327228e0a9181258cd8c7df74

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
1.9MB

MD5
76b836998895f58a60739d13e84b117c

SHA1
eba597476817a5c5631c1a819d35b6e42f6cf0d0

SHA256
9dfd2c3104358b74b73f28373b2d660d5822186b086e8bf96fff519b4ed7e7d3

SHA512
8725a4cdc0812336c7f7b22b588bdb994863eea2e340687bcf139ca799bc7f493eb2b7db74926b6cbe58d62ac482e5ed8c8f41f52432c3f7e406e7524c18a4b5

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
1.9MB

MD5
a0638582d6844d433a05c02bb106f97a

SHA1
c2ffaf8dccf72fccc06999b7bd9ac7e058829fbe

SHA256
e786210db883668ce09f77cef5fd207f6ce5da3d30de62ce15f6afdb8553d4ee

SHA512
d6f8f9dd682d81ac09ab6b82849086e2ee5bc1154d370f0017e62df1441e18135f0fa8c971fc71e6e625cc7c98875d35917a67d12dfda4d2dd2d4527066d6f23

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
1.9MB

MD5
ff48d79940aaadca17a6cf64ba6a815b

SHA1
bcdd8115ab7df9d0e1ec92fa97f73b97be9aa479

SHA256
0630133450c1be61606dba66a6c51f0976f2e0d23c85a177d30803dd17530646

SHA512
096dafe3f2615e2baeb3e467163483a78ec8328b86b13e442854272681e4f467e399d438ed1fad5dd01a9f2fd06291416bccde8793ee7e265aeecb8b17b0e9b3

Download Submit
C:\Windows\SysWOW64\Occkojkm.exe

Filesize
1.9MB

MD5
bc476fb6a6ca5c5e1d06f5edae7547b2

SHA1
0278fcca5181cd01154e0773873c68b8857a795d

SHA256
24603cd39b17f2ba34105981cb55d0ee38ec7078947623273419be187273525a

SHA512
56f486bbb772ec8604ef7a9a6b8805eebea50b1e7f88222f6ad77514ceae79c1065bca675ddfe7cf4d2f37c0fba8dacc24b086e13681970047a684da722c078c

Download Submit
C:\Windows\SysWOW64\Ocegdjij.exe

Filesize
1.9MB

MD5
d11c97ab429765e1064e1d8b0e7960ee

SHA1
56f9a8676575254eaf167e234f2cf3be71c22a69

SHA256
4b7dd82af358addf5a7cd04a4558df39f1d70c4c54550645d7df8109b345cb1e

SHA512
0b13ca2fb541acfa0ca4ee35e2c5ef37c30addd857b5ff925e50fe7b568d391f1232b88da1cfca44a71c788c44f141b9b6cabf090e11076671b404ae43a419ed

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
1.9MB

MD5
9c8d9748c5bc3b03f5f76430713e6b4c

SHA1
6085f48cd13a2b7aeec7d5559a9431504e46a6bf

SHA256
46c50f1320e4a28f20a3f22c935e387a525c9fd6004ec4f3beb6ffd4361d76a1

SHA512
51114f1ffafb9d2141657bc84fd4f33f41ca13ed23ac69bb57bc9a260ba390af2d44963aecbb12f430699632ba7643058b52181214db9092bad60a2dc17d04f1

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
1.9MB

MD5
be68c0a85104bf9a3d47108e8773b059

SHA1
3512a9ca541213a2350438ed2d1ce0a5b5ed563b

SHA256
674ec006f2101088c637a4992d43940f9de1fec0665676df98ed289e63dbd806

SHA512
cefe20271bf878b632c880c6f0ee4d34d32d5eff800e350b9287b76b6698f4c89a70b6cbaa3b2b32b6068c03fcc5f24197f870b6c2173d8ee98db71a5b89a502

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
1.9MB

MD5
9a538856de6bdce3e2d081949613564a

SHA1
23e6aa984e28dfd670a6ee78104d7c654113b0ab

SHA256
2d5a84c58c5b137ec4e70f7d699e097e1960f708a15b8883d197a1dd84d27c41

SHA512
37844b7f36cb8a99bd0959724b737a62b54767c6a3393248f4bdd8487301be1907b649987568bb26c1915addb7bbdd3b300e94701a2470d449d93a04bfafca8c

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
1.9MB

MD5
ac281508f5fe4cb37ed419d7f70438e1

SHA1
dcaba21f4bed9531b99eb3e14dfb2014f1a7c996

SHA256
e08afaaa26f7b58f30ee1ce9ad82746ec93b5b5b8d1c002c991464dcbf007cbf

SHA512
f1f0edb3381692beb8526a5d3a8e19c8a4472f4f666d8bfac7ebfc8b660b5fc422c4eb26811d08987599435f412fd1be1941d105841534afc42bcefb06f6aed3

Download Submit
C:\Windows\SysWOW64\Okloegjl.exe

Filesize
1.9MB

MD5
7e6aaad58c1239dd18f408b70ebb239a

SHA1
6cd854514a6523517d4f87beca28e641ecba1c0a

SHA256
d1b10461ea594aaa4bca93c7581b4be1b88b1d2f46ed7814b5e907f87c40c183

SHA512
1eef728a4ee1a9cb9a4a88ff957c736f77810284f22438c73c6aee8fae53b01679bcb8707118b6d1b69adca448752bdcb366b96d441156cb2514f9b62a072a84

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
1.9MB

MD5
da9fe1ca1d515dbafa2f0b24a2a04ae1

SHA1
16bd2e89baef4c01fd5a1e60c79f038cc9ac36d3

SHA256
24249eb073f7a3899a9e8099e19ac6e6134a18c8f137386cd5b34b910dc164c2

SHA512
3254aba8eb93c3a5adffed1267cf0236ec951bd797967b52f29c3a46e5747c8792ba3e45c630bbd8746188958975da91cd5dc49fa51db64358ebeac7018a4a23

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
1.9MB

MD5
d183d7635a7e08d84b507fe920e2f928

SHA1
8141fd74901c415c922c2e5ec343a8616bbae8f8

SHA256
574f2d35f3b964a2414fccda91deff2c86db9c0034f6589e0cf0266e3e06b18e

SHA512
ad6b24f0d6e581f23fe56400cbef0f5af99711a95ec13a80ba1cfea7f9129a70f889f1d05f411ca2616b464ef4cd2f650f5ee22299d281b1e8d3fecb6a076cdb

Download Submit
C:\Windows\SysWOW64\Pbmncp32.exe

Filesize
1.9MB

MD5
e62d51745c3e1d66da1e0e8ce90eb30c

SHA1
5dcf306d1e379927214fc1e4be0affa9f6323e92

SHA256
199551e51f5b8cf334de0cbbb7051fcbcca989335f45bd01e1266ec441d8c4a1

SHA512
e7c319a36807b3c4213702b24c052ac939b72caf6e5c789d601906748b0c4e8d439a5d74b4ad95cc34a5a07a4948b9a3e9283f156d1239f9ae3fbe71c1f215e5

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
1.9MB

MD5
93605ca30bfcea357508a6c29c257890

SHA1
ed21afad6165e175f8b7599f68b0a7279fad95f0

SHA256
ed893b9d09be3a1cb5a9a499c6fe715c08f27166533b47b4292763d688d9e6de

SHA512
a72d7de326d4ee3e65ffa7aa9df2dd3a79ff64d750eb9a4b1f62f4daf07e5d3245d09d55b80b44919a59bd73a5a6bdf390aa0962a17a935fb3fcf6885490b89e

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
1.9MB

MD5
2bdb778af0e370ac1447afdd251ecca0

SHA1
ac543e418238ab3ecef4e69cd836eb56151453d3

SHA256
2f1dc6306296313abbb6bdc8a35da6cf6dda4e1aed5fc1d41849a9b49f75f956

SHA512
dae8fd546ef5d701541fd0c987b3c13bdc536519ab6fc36d9b0d39ef7dcf3b685e5ae559168cdc3780f7836b528ec89d8f71333f3b8523336442f0dc6072f646

Download Submit
C:\Windows\SysWOW64\Peimil32.exe

Filesize
1.9MB

MD5
83045a4e2e8cb85eb15459549a8b2782

SHA1
5c3164788252fb84015d05c97be32553d0ae1cff

SHA256
1e3b4b49813320f3cc16b4f7917c51eeb7e5b7b6c6881ec8be0822942db32551

SHA512
0ecebd1d1a99bd4423526af32d9eaa7748aa5a1f2d631be20f69c8ba69b588d7cc68dd1c0174788b3535168f275cbdd735a867ab3b39b3a1c07da658d67c2b4d

Download Submit
C:\Windows\SysWOW64\Peqcjkfp.exe

Filesize
1.9MB

MD5
cb806c19361da8fec25c4e7b4f4f30ab

SHA1
354c948576776f334f1f83f55195e3d5fbc28771

SHA256
c58ccba488e6de3296a995f482a7763b9251d5331687f8f5423933081464df48

SHA512
4f35e21e1710c7a62879f2357f37ba7124bb1f98cc43eef18512c879f1f4bc31c8ebed84f511fc5245495af127124e44189aea467a1fc5d8c6078182de60eae3

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
1.9MB

MD5
aac38e9042680fced4a8517e2bf93bd7

SHA1
2f55ad59a7c272e5a6ffe336b15c39d14b9656e0

SHA256
40e4cf861592ce2736fe7b076308356026a17273430d98a86a965af314ffa70b

SHA512
1811647bdff8dcc101b0da614276eb233b0d973439d715253e14ad9ec3780da71c8f51fa275027fde29f77f79817f04394d1d9e4c870d2f23d2327c2e08b7689

Download Submit
C:\Windows\SysWOW64\Qcepkg32.exe

Filesize
1.9MB

MD5
cd304318cc1314f440edb4e53ccdbf17

SHA1
d7b8cc04e8c40151b5e15373865b12457bd8f438

SHA256
d3f614abb79473b7b0da5b437d659b31c3541d0b4ab4d9f913f38f97d274a228

SHA512
faeafbb00562f28d9ac6cca0a786b13e9038e48031c36cce72b967555621e3c9346c74562ae64b209ce54d9d4fd4b0772c09e822b3a0dfce8e212d836ed8136d

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
1.9MB

MD5
fefa0463a6adc0cb0e0188eab7e08cb6

SHA1
aff330b5ff14223fdf2587bd0667b7653bb10378

SHA256
ae86f591181c8f82154614c207491baa6cbedc21d5f0ebdfdfaa7981b5bb528e

SHA512
007cfea87f61620adf2cb0350598597f66733feded1f929f21532981d9a76b712738e6c332083cf0ee26692165c2ba69fb4ac42a7623ca130f02012c1b4b3698

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
1.9MB

MD5
903a6b395333bad4f8ec6a81716adca7

SHA1
848854775c8890e3b2bc8e99e3676ccaea7abb8f

SHA256
d32824c86362da80b4a7d076ba5763e865a1dbcf22db04c41838ae7e18edd9d0

SHA512
e83416cbb67efa4761810a3f3d360bd890f781e20365ed202142d06897e360a1369580d9237df518b412b87060f23679b12d8c0acf97755568ba2dddf6c904ac

Download Submit
memory/680-837-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-814-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-797-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-823-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-817-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-818-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-830-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-792-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-816-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-828-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-798-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-812-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-1287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-1708-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-796-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-791-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-840-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-826-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-1324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-841-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-838-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-836-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-808-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-831-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-813-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-790-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-793-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-1236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-803-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-815-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-809-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2784-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-1227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-806-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-804-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-827-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-833-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-834-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-811-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-802-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-810-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-799-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-822-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-795-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-1256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-789-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3612-821-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-829-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-800-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-1703-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4252-842-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-839-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-1338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-825-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-835-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-819-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-1249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-801-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-832-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-794-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-805-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-824-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-1300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-807-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-820-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5156-843-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5192-844-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5228-845-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5268-846-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5300-847-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5336-848-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5372-849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5408-850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5444-851-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5480-852-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5516-853-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5556-854-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5588-855-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5624-856-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5660-857-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5696-858-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5732-859-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5768-860-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5804-861-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5840-862-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5876-863-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5912-864-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5948-865-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7780-1700-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7820-1717-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads