344f238be9f7022adb30f5619db31881eb36a5603b2f4f4dc56d99417f38c598

Analysis

max time kernel
130s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 09:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ac926a04b3054c1be73435b77d1e9e00_NeikiAnalytics.exe
Size

186KB
MD5

ac926a04b3054c1be73435b77d1e9e00
SHA1

120d75dc5612cc50d07a3444941a464191603fc4
SHA256

344f238be9f7022adb30f5619db31881eb36a5603b2f4f4dc56d99417f38c598
SHA512

05c8dca80c2efb15f87e070b7911adf7ee9bed23ec2c45585146530e1a441be039f1f99fc18e3a39b8e0feb9ff9700414e78f23a4b2efc7dc9a55145d7d58422
SSDEEP

3072:M2FTH6363vYwdd5pUnriZCoFv+Y4H1vkF3VOMC4uMhZpMdoVBRDI+Vvlg3vG:M2FTH636f1dd5pUnrBoF+Jk/4AcgHuv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoaihhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghaliknf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daaicfgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlgmpogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoiafcic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlgmpogj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkmchi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gofkje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chpada32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajcbgml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipknlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gododflk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icifbang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjodl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekhjmiad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkoiefmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ac926a04b3054c1be73435b77d1e9e00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eekaebcm.exe

Executes dropped EXE 64 IoCs

pid	Process
1980	Cacmah32.exe
3556	Chmeobkq.exe
4036	Chpada32.exe
3400	Cknnpm32.exe
3960	Clnjjpod.exe
1952	Cajcbgml.exe
5040	Clpgpp32.exe
3964	Camphf32.exe
3208	Clbceo32.exe
3408	Dldpkoil.exe
3036	Daaicfgd.exe
3716	Dlgmpogj.exe
4624	Dadeieea.exe
1848	Dkljak32.exe
1220	Dafbne32.exe
3596	Dkoggkjo.exe
1816	Dhbgqohi.exe
2688	Ekacmjgl.exe
4972	Ehedfo32.exe
1516	Ekcpbj32.exe
4732	Edkdkplj.exe
3240	Elbmlmml.exe
2236	Eoaihhlp.exe
4644	Eapedd32.exe
3468	Eekaebcm.exe
5044	Ehimanbq.exe
1820	Eleiam32.exe
4500	Ekhjmiad.exe
3672	Eocenh32.exe
4476	Eabbjc32.exe
4580	Eemnjbaj.exe
1140	Edpnfo32.exe
4472	Ehljfnpn.exe
3832	Ekjfcipa.exe
1000	Eofbch32.exe
2256	Eadopc32.exe
2348	Fljcmlfd.exe
3852	Fkmchi32.exe
5104	Fcckif32.exe
1880	Fkciihgg.exe
4620	Fbnafb32.exe
4404	Fhgjblfq.exe
4696	Fbpnkama.exe
1040	Fdnjgmle.exe
2088	Gododflk.exe
1740	Gfngap32.exe
912	Gofkje32.exe
2476	Gfpcgpae.exe
372	Gmjlcj32.exe
3544	Gcddpdpo.exe
1840	Ghaliknf.exe
2328	Gkoiefmj.exe
4336	Gbiaapdf.exe
3232	Gfembo32.exe
2112	Gmoeoidl.exe
3956	Gcimkc32.exe
2312	Gdjjckag.exe
1420	Hmabdibj.exe
628	Hckjacjg.exe
2724	Hfifmnij.exe
2024	Hihbijhn.exe
3860	Hkfoeega.exe
4056	Hbpgbo32.exe
2420	Hijooifk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fkgoikdb.dll	Ipbdmaah.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Hihbijhn.exe	Hfifmnij.exe
File created	C:\Windows\SysWOW64\Kemhff32.exe	Kfjhkjle.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Hckjacjg.exe	Hmabdibj.exe
File opened for modification	C:\Windows\SysWOW64\Jbhfjljd.exe	Jpijnqkp.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bpdkcl32.dll	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Qncbfk32.dll	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Njohbh32.dll	Ipknlb32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpgldhg.exe	Jehokgge.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dkoggkjo.exe	Dafbne32.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Jmknaell.exe	Jfaedkdp.exe
File created	C:\Windows\SysWOW64\Nhgfglco.dll	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pejjde32.dll	Ehedfo32.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Mpablkhc.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Gfngap32.exe	Gododflk.exe
File created	C:\Windows\SysWOW64\Cibifp32.dll	Hcdmga32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Fdnjgmle.exe	Fbpnkama.exe
File opened for modification	C:\Windows\SysWOW64\Llcpoo32.exe	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Elbmlmml.exe	Edkdkplj.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Daaicfgd.exe	Dldpkoil.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Clpgpp32.exe	Cajcbgml.exe
File created	C:\Windows\SysWOW64\Hioiji32.exe	Hbeqmoji.exe
File opened for modification	C:\Windows\SysWOW64\Jlkagbej.exe	Jeaikh32.exe
File created	C:\Windows\SysWOW64\Jifhaenk.exe	Jeklag32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Edkdkplj.exe	Ekcpbj32.exe
File created	C:\Windows\SysWOW64\Kdeoemeg.exe	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Eocenh32.exe	Ekhjmiad.exe
File created	C:\Windows\SysWOW64\Kfoafi32.exe	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Dcjfkm32.dll	Eabbjc32.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Kcdgbkil.dll	Liimncmf.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Gdjjckag.exe	Gcimkc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9060	9004	WerFault.exe	389

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ac926a04b3054c1be73435b77d1e9e00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekjfcipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkoiefmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmabdibj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpmkplp.dll"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clpgpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbinofi.dll"	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll"	Jbhfjljd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfhbbpk.dll"	Clbceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdejo32.dll"	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhoholen.dll"	Eleiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dldpkoil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dammlf32.dll"	Hijooifk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffbangm.dll"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnnmem.dll"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benlnbhb.dll"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cknnpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophfae32.dll"	Fkciihgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daaicfgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afomjffg.dll"	Ilidbbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpaeonmc.dll"	ac926a04b3054c1be73435b77d1e9e00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoaihhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laapnj32.dll"	Ickchq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilidbbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkblkg32.dll"	Icnpmp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 1980	3324	ac926a04b3054c1be73435b77d1e9e00_NeikiAnalytics.exe	85
PID 3324 wrote to memory of 1980	3324	ac926a04b3054c1be73435b77d1e9e00_NeikiAnalytics.exe	85
PID 3324 wrote to memory of 1980	3324	ac926a04b3054c1be73435b77d1e9e00_NeikiAnalytics.exe	85
PID 1980 wrote to memory of 3556	1980	Cacmah32.exe	86
PID 1980 wrote to memory of 3556	1980	Cacmah32.exe	86
PID 1980 wrote to memory of 3556	1980	Cacmah32.exe	86
PID 3556 wrote to memory of 4036	3556	Chmeobkq.exe	87
PID 3556 wrote to memory of 4036	3556	Chmeobkq.exe	87
PID 3556 wrote to memory of 4036	3556	Chmeobkq.exe	87
PID 4036 wrote to memory of 3400	4036	Chpada32.exe	88
PID 4036 wrote to memory of 3400	4036	Chpada32.exe	88
PID 4036 wrote to memory of 3400	4036	Chpada32.exe	88
PID 3400 wrote to memory of 3960	3400	Cknnpm32.exe	89
PID 3400 wrote to memory of 3960	3400	Cknnpm32.exe	89
PID 3400 wrote to memory of 3960	3400	Cknnpm32.exe	89
PID 3960 wrote to memory of 1952	3960	Clnjjpod.exe	90
PID 3960 wrote to memory of 1952	3960	Clnjjpod.exe	90
PID 3960 wrote to memory of 1952	3960	Clnjjpod.exe	90
PID 1952 wrote to memory of 5040	1952	Cajcbgml.exe	91
PID 1952 wrote to memory of 5040	1952	Cajcbgml.exe	91
PID 1952 wrote to memory of 5040	1952	Cajcbgml.exe	91
PID 5040 wrote to memory of 3964	5040	Clpgpp32.exe	92
PID 5040 wrote to memory of 3964	5040	Clpgpp32.exe	92
PID 5040 wrote to memory of 3964	5040	Clpgpp32.exe	92
PID 3964 wrote to memory of 3208	3964	Camphf32.exe	93
PID 3964 wrote to memory of 3208	3964	Camphf32.exe	93
PID 3964 wrote to memory of 3208	3964	Camphf32.exe	93
PID 3208 wrote to memory of 3408	3208	Clbceo32.exe	95
PID 3208 wrote to memory of 3408	3208	Clbceo32.exe	95
PID 3208 wrote to memory of 3408	3208	Clbceo32.exe	95
PID 3408 wrote to memory of 3036	3408	Dldpkoil.exe	96
PID 3408 wrote to memory of 3036	3408	Dldpkoil.exe	96
PID 3408 wrote to memory of 3036	3408	Dldpkoil.exe	96
PID 3036 wrote to memory of 3716	3036	Daaicfgd.exe	97
PID 3036 wrote to memory of 3716	3036	Daaicfgd.exe	97
PID 3036 wrote to memory of 3716	3036	Daaicfgd.exe	97
PID 3716 wrote to memory of 4624	3716	Dlgmpogj.exe	98
PID 3716 wrote to memory of 4624	3716	Dlgmpogj.exe	98
PID 3716 wrote to memory of 4624	3716	Dlgmpogj.exe	98
PID 4624 wrote to memory of 1848	4624	Dadeieea.exe	99
PID 4624 wrote to memory of 1848	4624	Dadeieea.exe	99
PID 4624 wrote to memory of 1848	4624	Dadeieea.exe	99
PID 1848 wrote to memory of 1220	1848	Dkljak32.exe	100
PID 1848 wrote to memory of 1220	1848	Dkljak32.exe	100
PID 1848 wrote to memory of 1220	1848	Dkljak32.exe	100
PID 1220 wrote to memory of 3596	1220	Dafbne32.exe	101
PID 1220 wrote to memory of 3596	1220	Dafbne32.exe	101
PID 1220 wrote to memory of 3596	1220	Dafbne32.exe	101
PID 3596 wrote to memory of 1816	3596	Dkoggkjo.exe	102
PID 3596 wrote to memory of 1816	3596	Dkoggkjo.exe	102
PID 3596 wrote to memory of 1816	3596	Dkoggkjo.exe	102
PID 1816 wrote to memory of 2688	1816	Dhbgqohi.exe	103
PID 1816 wrote to memory of 2688	1816	Dhbgqohi.exe	103
PID 1816 wrote to memory of 2688	1816	Dhbgqohi.exe	103
PID 2688 wrote to memory of 4972	2688	Ekacmjgl.exe	104
PID 2688 wrote to memory of 4972	2688	Ekacmjgl.exe	104
PID 2688 wrote to memory of 4972	2688	Ekacmjgl.exe	104
PID 4972 wrote to memory of 1516	4972	Ehedfo32.exe	105
PID 4972 wrote to memory of 1516	4972	Ehedfo32.exe	105
PID 4972 wrote to memory of 1516	4972	Ehedfo32.exe	105
PID 1516 wrote to memory of 4732	1516	Ekcpbj32.exe	106
PID 1516 wrote to memory of 4732	1516	Ekcpbj32.exe	106
PID 1516 wrote to memory of 4732	1516	Ekcpbj32.exe	106
PID 4732 wrote to memory of 3240	4732	Edkdkplj.exe	107

C:\Users\Admin\AppData\Local\Temp\ac926a04b3054c1be73435b77d1e9e00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ac926a04b3054c1be73435b77d1e9e00_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\SysWOW64\Cacmah32.exe
  C:\Windows\system32\Cacmah32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\Chmeobkq.exe
    C:\Windows\system32\Chmeobkq.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\SysWOW64\Chpada32.exe
      C:\Windows\system32\Chpada32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4036
    - - C:\Windows\SysWOW64\Cknnpm32.exe
        
        C:\Windows\system32\Cknnpm32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
      - C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Daaicfgd.exe
        
        C:\Windows\system32\Daaicfgd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        23⤵
        Executes dropped EXE
        
        PID:3240
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        25⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        27⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        30⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        32⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        33⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        34⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        36⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        37⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        38⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        40⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        42⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        43⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        45⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        47⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        49⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        50⤵
        Executes dropped EXE
        
        PID:372
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        51⤵
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        54⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        55⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        56⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        58⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        60⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        62⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        63⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        64⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        66⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        67⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        68⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        69⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        70⤵
        Drops file in System32 directory
        
        PID:696
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        71⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3040
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        74⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        75⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1704
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        78⤵
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4460
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        80⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        81⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        82⤵
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3156
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:324
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        86⤵
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        87⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        88⤵
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        89⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        90⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        92⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        93⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        94⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        95⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        97⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        99⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        100⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        101⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        102⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        103⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        104⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        105⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        108⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        110⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        111⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        112⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        113⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        114⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        116⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        117⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        118⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        119⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3024
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        121⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        123⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        124⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        126⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        128⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        129⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        131⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        133⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        134⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        136⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        138⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        139⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        140⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        141⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        142⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        145⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        146⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        148⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        149⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        151⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        152⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        153⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        154⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        155⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        156⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        158⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        159⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        160⤵
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        161⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6888
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        165⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        166⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        167⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        168⤵
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7156
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        170⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6280
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        172⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        173⤵
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        174⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        175⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6688
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        177⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        178⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6960
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        180⤵
        Drops file in System32 directory
        
        PID:7060
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        181⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6180
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        184⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6596
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        186⤵
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        187⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        189⤵
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        190⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        191⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        192⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        193⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        194⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        195⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        196⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        197⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        199⤵
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7104
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        201⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7236
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        203⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        204⤵
        Drops file in System32 directory
        
        PID:7332
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        205⤵
        Modifies registry class
        
        PID:7392
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        206⤵
        Modifies registry class
        
        PID:7440
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        207⤵
        Modifies registry class
        
        PID:7484
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        208⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        209⤵
        Modifies registry class
        
        PID:7576
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7616
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7664
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7716
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        213⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7760
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        214⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        215⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        216⤵
        Drops file in System32 directory
        
        PID:7888
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        217⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        218⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7964
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8008
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        220⤵
        Drops file in System32 directory
        
        PID:8052
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        221⤵
        Modifies registry class
        
        PID:8096
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8140
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        223⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        224⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7276
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        226⤵
        Drops file in System32 directory
        
        PID:7380
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        227⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        228⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        229⤵
        Drops file in System32 directory
        
        PID:7604
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        230⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        231⤵
        Modifies registry class
        
        PID:7736
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        232⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        233⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        234⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        235⤵
        Modifies registry class
        
        PID:7960
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        236⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8092
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        238⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        239⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        240⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        241⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        242⤵
        Modifies registry class
        
        PID:7652
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7724
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        244⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        245⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        246⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        247⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        248⤵
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7424
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        250⤵
        Modifies registry class
        
        PID:7648
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        251⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        252⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7976
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        253⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        254⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        255⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        256⤵
        Drops file in System32 directory
        
        PID:7996
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        257⤵
        Modifies registry class
        
        PID:7316
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7784
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7196
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        260⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        261⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8200
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8252
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        264⤵
        Drops file in System32 directory
        
        PID:8300
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        265⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        266⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        267⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        268⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8476
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        269⤵
        Modifies registry class
        
        PID:8532
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        270⤵
        Drops file in System32 directory
        
        PID:8568
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        271⤵
        Modifies registry class
        
        PID:8644
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8696
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        273⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        274⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        275⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        276⤵
        Modifies registry class
        
        PID:8880
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8936
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        278⤵
        Modifies registry class
        
        PID:8984
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        279⤵
        Modifies registry class
        
        PID:9032
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        280⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        281⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        282⤵
        Drops file in System32 directory
        
        PID:9168
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        283⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        284⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        285⤵
        Modifies registry class
        
        PID:8312
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        286⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8392
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        287⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        288⤵
        Drops file in System32 directory
        
        PID:8520
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        289⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        290⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        291⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        292⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        293⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8928
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        294⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9004 -s 408
        295⤵
        Program crash
        
        PID:9060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 9004 -ip 9004
1⤵
PID:9072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
186KB

MD5
2bb9425c87fc95a656abccdcabac171a

SHA1
f9035dad301d0eb0a0221170d51897fafb571094

SHA256
e33cdbd51c994f4a18571960b620e8c678145b55f6cba65eb0b7150907e97386

SHA512
108cc2725f293083f21b3a321cca9989b43ff0b78fac8589a6df9fc01eaf2da371f8eb97a96752261947f337b017bc65befce278898a0ecfc6a7575eb5fab45e

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
186KB

MD5
a9f9448421a985bb812eda13c243cf2c

SHA1
81df87e215bfc5abba41168e1fe68d415876628c

SHA256
530aaf872b350ef64ff3642a96a218792a1e454a50ed0a592c0e19479aa7f755

SHA512
403ae4420ce52ade67fb3e0bded269f4f3ba73020e93ff46a532938151a74d9d5f517972a68d34dc2f36ca6a56f4c5fb3e3fbfd4d4bd67cb572f81b8ac0c9ab9

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
186KB

MD5
aeda9a010e77112fdfcfc4015d5f9f08

SHA1
aed727c56d436d9ccff2cd07d07122dc6048914c

SHA256
0538e092f9ef226a1e625d77267311a2b6ab67b3c61fc7429466ad67b222998f

SHA512
51f563b2378e62e6654277218ac9e21b68a4b8287f3da5f27232e39822eb7919b5175a4258f099cfe38f732291f39f4d2ff1e1de8603f9e3ead5505b9e9f7a5f

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
186KB

MD5
73e0a9d599756b241cf79c168b1798df

SHA1
2bc874e83a858edf951ccb007c784374cc36555e

SHA256
bba3ad28ce5b60c3f03dbca8e6c068a67c761cd78769bee1c8df14b27c080035

SHA512
ed86e702f106a125f19575d5bc37f0f8a0ab0a9c221e7bee05baff1450e0a4a59769e4f87d0094192b761b25f3e2cd0fd4fa57c3b6ee93856e7e5f91deb2779d

Download Submit
C:\Windows\SysWOW64\Cacmah32.exe

Filesize
186KB

MD5
a7dc57b92779cbd98ae78ee52b242526

SHA1
0240aedb810d6e2c73344f28188cb4dddb636252

SHA256
a190564966303b603c0323e11897c9b9e5a055ce9cd9b4ea7e9cefdc1ec21a53

SHA512
c0df8e16685ccc7475fbb2805bf503525d5c9bb2ed9cfb03b3280e86196aad56ff4317df2caa2a64c55e13f22bd5520334d946fd280be7a85e68ea351e603f31

Download Submit
C:\Windows\SysWOW64\Cajcbgml.exe

Filesize
186KB

MD5
660f5221bd240a8218ef0a1e1f49bf16

SHA1
319611bc28301ec2e2e97ee5282a27a6e47c72ee

SHA256
264f6957c8d4de29079361380802124b5277719f1b5faae2cea67176f9372828

SHA512
311ed9c3c3c9f8ae5bcb62629fa6fd66b0345654b1c32e9c72865a44fa5d89260b3cbdb761a85401da43e6f3786465e757d80bf846976540226d3c8811a33bdb

Download Submit
C:\Windows\SysWOW64\Camphf32.exe

Filesize
186KB

MD5
0c68f6881dafc9df4d9a042c7fe896a9

SHA1
6fdf019b1e5cbeb2b64c364d444b90b92a3c1aa8

SHA256
e0e1cffe1d8c65f488a970b6be25e933bc1a97b56ba615bfa23e7911e47049c7

SHA512
b3c0fb2d09fbc04c2f18b3925675c28a087057856281f274a504525f3a04d9f4bd5e48834606573cb0617ddd930a718d3f44ac5d3e593d0872f9bb0ea2b0c1b5

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
186KB

MD5
99309204334ab6dc08080b01cc7299be

SHA1
1bd85723fb6020297acc93f05e22179baf802bf8

SHA256
968ae6232fcb2fa9e6f015cef29d63f86570674a850a900fe289a6bb54059fd5

SHA512
577cafcb28531cc97e562d8d090f3ce21331d5c2359c027dc12857bb8a8df88d1a9793805d5deff73f26834593a877988580d9d5545a7c7e5072aee304fe5492

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
186KB

MD5
e10aa2d1dbf537fe625be350663d5581

SHA1
3d83b94f37cf998da57457ffb0a08ad97ba39963

SHA256
7f39bf38515193854a166904fb9a05b9915f557a88cbc504aac11f8098f2623a

SHA512
5787b287ae29ed939a2adb0cf6ead2311559f7ecb2e05da94106365c9fc65fa1cc77008121a471fd515dc8bd4a53ded15d07266264ac89eca6c1d82e5a7a022b

Download Submit
C:\Windows\SysWOW64\Chmeobkq.exe

Filesize
186KB

MD5
c618c6051666b2b5db5b3c3ebfef782e

SHA1
c83690c78f949df902f41cd579732f390cefd752

SHA256
acccbe3bd9ebd5d14c0145cf45f6ca05b3864885a9f84a1c9e20c8a9bb6f64f9

SHA512
a23eec4dfb603a2d5c62c2cb8f97776321d3f2e3f1ba298cc869a001c3f6ee9d621c67fd726918122b1ea7cd0dae98ed5863bb4c4b4c9d86a2139f9c220a5f2e

Download Submit
C:\Windows\SysWOW64\Chpada32.exe

Filesize
186KB

MD5
6b8be48c52b82a41c178e8481a4a4988

SHA1
542432ad4eae26898061e13da83431d19e4b550e

SHA256
c61f3de5c65ff07ab3e037a1fdd7d7bc9e479de727729ea2855fcca3a7221d3b

SHA512
1e1348f3d34df918d997f8d58c94081be696007ab8bdf873718cc4f367b9824b5b11b734f5e20c45c8f92f3e3797e29828006e59d25c3f79a2a0b3d6e678357c

Download Submit
C:\Windows\SysWOW64\Cknnpm32.exe

Filesize
186KB

MD5
999c8076dcb563301cf8f8491b8ffa0d

SHA1
43fc8df7eec940bed1ab3f9932727764db8b14e8

SHA256
2b3027dbb4973db827cf82f62ddc7bffae4db505b2333180b15d36b976ea71f5

SHA512
1422f9a05778bcc4afbd33ff6d0f015ce6e55c36663cf041cc26301fed877a3273b1d01f750f2f04e58437a0a82708066ae08c361c418f916bc4f97c0baeb446

Download Submit
C:\Windows\SysWOW64\Clbceo32.exe

Filesize
186KB

MD5
597b415f576ce03b8c3089e284314f54

SHA1
ce558ae165fb6dc12c5ded2c9b7d59b7a456143f

SHA256
cd02cf50838ef3daedbef4012d508d16d4acf48cd6cd239bbe9cbed5f8742fd5

SHA512
36406d1da57666c0d1c6f979cba4245973246e769106e7dba810f7332154b0a52a640d9cbc64599cdf803de0089f7316f1e26e9da08a9dce0bddd7d96ba3880f

Download Submit
C:\Windows\SysWOW64\Clnjjpod.exe

Filesize
186KB

MD5
daea199f1b57d1857ecbca946193e4b7

SHA1
2ee8fea654108edf97448d3170139ad1e7be0053

SHA256
8971df367f006b0d915377f19cb18ac00da323b47b362fb0bbb26906effbc718

SHA512
ebb7df7fa3a641db3a8223e1577031ba34f8731e9cb8d9059d644d4c577c37c1945337c08c8c3089d25cca390e6e47640ed254ee22ca37ce3249f862623a5965

Download Submit
C:\Windows\SysWOW64\Clpgpp32.exe

Filesize
186KB

MD5
f7a2888964419b2dfbd0148eff51a015

SHA1
2ed50ce84bcd3ea68dfec3ab9a8814da0a6bfd93

SHA256
af815c880b265fd91da8ab834908406d8f3250d4524c6c36b9967e6a50266466

SHA512
fded4dbfa4f3494109f319b4f46402822e8d1278c9148dcda12d0d793106228a1ab2a944cfb23fde4d9cd78b9195fddcb1bc24ac4c544a7547974b4193e6d4e6

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
186KB

MD5
6a2fb56ba38464b5a561c4022d59f83a

SHA1
9b3182f3cdad6eb06d77b9028a056c8c1135ad7b

SHA256
6cfd389daf2626dba43a486cf121ab9d34f5abab45e4f5c0815d6834464889bc

SHA512
62a32e59b172a6cf883e42b33a777ba07d96fb1042f1d8c27d80579ced06e8492345d200da3ca45c001a3fd568df793ba159386b10d489010e93ee3d674153c1

Download Submit
C:\Windows\SysWOW64\Daaicfgd.exe

Filesize
186KB

MD5
2855e3aea8fa5563250ca93ce5336d80

SHA1
768b2b1005d0b909d54bff2ea07c674704830dd7

SHA256
577f405385368fc3d13af3f84a1ab303cd2fd96c4c00bfd44f218c1e0228490c

SHA512
e5cef130322af45a17dec522bb5d2a4bad15f47561177aa2e08704a10092bbb317d57524cc4b728f89b2d93ce50f6412bea8005b3cf79c877b2e1c7bc28ecee7

Download Submit
C:\Windows\SysWOW64\Dadeieea.exe

Filesize
186KB

MD5
06331814ac80029fe2a0aedb48961af9

SHA1
1a94ed0394124886319d38e19f01ee90af074fef

SHA256
6f4be2ff271b07c8d8395d3f82b017438decb8d7b8c98db06c0e7cb6bedb9b4d

SHA512
79113782be39c32d9df86d788c2fa30e6c2d63268ff66cb62df4353350269b18fe17cb4e423b8fb994f90084553d9c33f8bcd7f45287be08f32c6ed9a59ecd86

Download Submit
C:\Windows\SysWOW64\Dafbne32.exe

Filesize
186KB

MD5
df7e6f94ee510b947173f7426f68fd3a

SHA1
92244cb5eb8f819b199c482fabd25d6d306b95d9

SHA256
040efff66fba040459c1595fdc62a411b8a45842f8efb97384edc77d09aef75e

SHA512
c08790c9e42135b063490e37561e2f13498e57318f7282eace7bcf44e66ade285ee4db1842a682529c263cc4b7007d81473f87627be0fae4a7a2a2605c1ce9d5

Download Submit
C:\Windows\SysWOW64\Dhbgqohi.exe

Filesize
186KB

MD5
5be0326ceb35aa362fefffd1ef58a593

SHA1
360c03a22c08bc5e86d36189027aea68bf5df49f

SHA256
cf74912990fa6676d52536e60a4373ab2f5befe1cbe0e6fd59893cfb406f16e5

SHA512
3489a4c6e3bdd4607842cfae111901197be3e4811368913cfc660c7480aa8372a84842991de64d95a23e4d1aea8797fec39957536d850cdafb289e828feeadd6

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
186KB

MD5
6ea9c301e88a7821fc1b356003a13288

SHA1
d05c6230e6ae26a32d5cdb148c1ed2e939c714f4

SHA256
8e3a9daa02a38639b9f4a7f3ec4eff69304623a2db9891f6315df6db39a9ca4c

SHA512
a660668cdd465e84f98adde81a0ce5956455aeae9bfa1bd252902c116c0f8e03af6804cee45789215681a4278818033693c008a6e07a10391bb8e4e7c309e8b8

Download Submit
C:\Windows\SysWOW64\Dkljak32.exe

Filesize
186KB

MD5
206150d2295ff5a8e4b015153f3c35fc

SHA1
7af6f04e89ef867b970aef5c322f9d730f4d0394

SHA256
0bb0f48e0da95ecffb8fc5e3fc3201b70f8b062a4d42be46c951a9c4839ea77e

SHA512
38e53cb9e0558a2ae9fb2fe3ba125ebc06b18f06bf14a5ccaf3230535fda08fe00b3534f6b85f19847c963fd344f7b467c04ab4c93c602c80ff3f29d63f05ac4

Download Submit
C:\Windows\SysWOW64\Dkoggkjo.exe

Filesize
186KB

MD5
1e62c76f658a351d32b0d4c2bb9556fe

SHA1
f58869cfb9eaee282d842c53daccb2244bb72840

SHA256
e4b5e44d3b60de9f517386a31952b2c171b8ce5c65f322bcc855d408fb1f8177

SHA512
20fda3440adc0dbc90e0f00db6d7499810cc5a3ff6c00d681e2b09c02ba02fb78c1e424b2b95ead98369b79d62c30874cca4084c1b9dd0106524ff4b85000ac8

Download Submit
C:\Windows\SysWOW64\Dldpkoil.exe

Filesize
186KB

MD5
c669ae62f5d319b36bd219b7e3de6c53

SHA1
30a7f5b08b9d248342317f59abf4a850be305d0a

SHA256
cdbb5f7c8657d25e4bdd25a892cd27f3f7aceb9d8e3b952e59181aa26eeeba03

SHA512
844abc9265297dfa43759da31daa758967ae2d7246e076f7644c4d5d2e48f285e41e1b06d698f7934d1839291ee76d9ab61a05d0e865e404f0de53f76a0bf635

Download Submit
C:\Windows\SysWOW64\Dlgmpogj.exe

Filesize
186KB

MD5
a547ed321510967c8cee510bb2b9e0df

SHA1
1b2411e83bb24cd883fd9ef62ea83a1abbbb2e3e

SHA256
c5a320318bcdc1f4c98538e8ed63ff74e49df39527ee619449972d766c74096e

SHA512
c3c5ab22e3523f8eb216c049627b7f1f14417763c8f20009d639fa3b66a7356bf0d772b0470f3d705e3e59f636fdc5dd9f78871df96c9d837668e4bc53f082d5

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
186KB

MD5
8cff3a121dff1ce4ce2ca277a0ff1873

SHA1
8490f4ec2d4e6a2f1e8b188d72c89fc369794696

SHA256
5800c0ac69ea49fc42485f94b30fef743c736a8f35c2ec9cdd93a82b2ba43155

SHA512
d97fa440e3dbef7066fc7bbbe654acedce826749c97fb30a33eb471ebf8ec6adf4775c50c11808a74d92201b9864123795aa0eb0c3b3e5b18222c34ba5107b1d

Download Submit
C:\Windows\SysWOW64\Eabbjc32.exe

Filesize
186KB

MD5
f1be8af5ae207c084d2c005055b8dedc

SHA1
88de9b7d00fbadbb22c01794c492f72ae6b6585f

SHA256
80c8354c58611380b657de1b6086eed64f62ebb96bbf5ee0a5bdc333431cd720

SHA512
cdef296cec102341eb79566a9a7731b59ccd89c7f9f187c71442a36ca753a00575cfdf530a5bcc9a06362579507e459eed135ae78d28da47789bb3b2293f91ac

Download Submit
C:\Windows\SysWOW64\Eapedd32.exe

Filesize
186KB

MD5
06c2f723cafa383638faf8967a843bd9

SHA1
6cf6bd1c21171e41fc8ceefeaa77ffefcc8643e2

SHA256
902caa8566bd951cfd42494fcb630bb7ef02e3dfe119136d71a49fd9d1da4f0d

SHA512
b4f5b77091eb2c1c4c7acc2df6bf3318e674a588b95516a52ebe3be91fe14b8acbe704343d79dcf42915f848ae39e231fe99df3a7b36d916c541a777517176c0

Download Submit
C:\Windows\SysWOW64\Edkdkplj.exe

Filesize
186KB

MD5
d1946cd299362578c037db96d5eb5c06

SHA1
c516784755c56f86e997e13aa54803a0dcf9b18b

SHA256
2f88a601ca7be3b675e37bf3cf11d772bf41e96d36db99635f21c1b8f41cf184

SHA512
32106e0c02c8a116c655bc703e6dfa54aaafd968e68c1f78a19c29fa4c163e869617d2dabef0010d3991d73e119ed5d4c005fa936796eb9cfc2565bed767f6e4

Download Submit
C:\Windows\SysWOW64\Edpnfo32.exe

Filesize
186KB

MD5
ed57b5a7c132cd17b53cab3dae183a39

SHA1
5cc2f0e27022ffc8cef13c74988a815553d1aa9c

SHA256
b7c3c636e51ead85d478ec0393926777895e2a9a7a578c7ade4b875a29034065

SHA512
a5d7d046e57231c832a01b15a42741e6ffe11edad2ce424298f942a79da03c9c5acd8a74ab3236f662e31e42182992ac1c9605c166d510c3f1a8d592f9263ee4

Download Submit
C:\Windows\SysWOW64\Eekaebcm.exe

Filesize
186KB

MD5
af9d30b893560badc8bea52cb61319fb

SHA1
5372eb9509d755966a1d9d5fdd1f204b5dd901f1

SHA256
81c7761a4f70c410677b46a1a8bdf19c43f51e249fd4413a087f4a0d9a8f69fb

SHA512
451531177fb001be7b0a0d4098b6c753fa89681048252b711def6dc7b0c690fe163ce65c465e4feac8a669ba91a6e6f9eedce268e89b81e1261abac648573c89

Download Submit
C:\Windows\SysWOW64\Eemnjbaj.exe

Filesize
186KB

MD5
8507660a6749fb619bb55a7670930cd9

SHA1
6433a417ebd21e5901607181a8479007d03c8b65

SHA256
1e67a0b78bdd20f1848c2b4ca9ce4217282b7f36a7fb90097207b2149a442f21

SHA512
efa32ca3a3230f5ac14cc985cee20e192d740a0d70d5aaca09dca15bfbc9de7c170df6c77090ed59a374cff55098d6928071fcdb6cb63f77052e27d5a9e4d168

Download Submit
C:\Windows\SysWOW64\Ehedfo32.exe

Filesize
186KB

MD5
e48abf70e141475621c2734f18c95285

SHA1
1b943c5ae0423e80585d0a307ec27e1d892eeabd

SHA256
627e5cbda286623244609971f7e18e951130c3cc381cd5ab81a7592b4a9f6fe2

SHA512
2bbea87487af1aed108992952231e999ebdd0b11e4edce6454f77efedff31f14e47e91666c78b06962a66569386bf19d88f5143770ed4e036bd8138764c523b9

Download Submit
C:\Windows\SysWOW64\Ehimanbq.exe

Filesize
186KB

MD5
c9665c817f945e62d1e7789e569c0031

SHA1
374dd3137df7396ef6105d976b970e9ddb75c3b7

SHA256
aa014ffefe381b819ce79e14f05de2b50e8ea5399beb75bbc8237e2e27401fe8

SHA512
48e99c38f7627dad76ad89875a0c8e537c7989c16d10aecf3b46fd38902dded369b66121d7d1dfd9e2bf5e32a9c0b083247f462ad8b3d5bac1e43c8867e5fd5d

Download Submit
C:\Windows\SysWOW64\Ekacmjgl.exe

Filesize
186KB

MD5
b72a47e06c9b22d931e1fc35b27b014d

SHA1
698b09660e14a6aa81b681ee25159c1d217784f1

SHA256
91a359144295b7e1a1b7a6515de501b5c80df6d68de7362e895614da8a8af051

SHA512
c1fe73b5f8469d4f3533b037414d69574e1cd9eed96f28e9a91d591f1493355b969b83812754adf84d6e9dd9789f40540fabe65239f2a2dd805f00e76f4701f5

Download Submit
C:\Windows\SysWOW64\Ekcpbj32.exe

Filesize
186KB

MD5
5c327715818013deaf8f13d6e3f1812e

SHA1
f9e416fc8cbcc075e7ba5317fdc7516415009446

SHA256
4b796629d4b37401aa8c21e506d785d7535aa60954702a9a118525fade8e2170

SHA512
dffcc7542216595d3d2c1ef5e61ada00df25e3dc57a69bf69b7aaf90edd9b570919e75c377cec6466843928f58bd28293476e188eda8188092d803b5c5d4af11

Download Submit
C:\Windows\SysWOW64\Ekhjmiad.exe

Filesize
186KB

MD5
7ff123160cfec31aeea974e23dde7573

SHA1
5d10c7961edfbe5f02c1fa3ee708f389bc605d51

SHA256
c7f1610ebdd159bd12fa119b481385af62f9dbc185951b8b4aee5077f63a2851

SHA512
436b037998c1b69dfca7266a9b65cd3eb5a89a8e4c9ba801f42c4e382e0fb1b813b5536f854e9147288260a679fffc41c6db0403972b5830badf13facbf3cf46

Download Submit
C:\Windows\SysWOW64\Elbmlmml.exe

Filesize
186KB

MD5
ebc93494dc9f60ae8fb6ef17db8975f5

SHA1
b4e3517ab03d4d53fdcafe57cb304b9f84c26b55

SHA256
80860295963e4a5542bd059e6c5c61a47568774b335d6da78a756c04c5ce7fa5

SHA512
5686f44df72869f1a32f4415d35eb5dbe1e4b03da6c2c1b52702fd672c76ec8568974f292cac46777d8156bfa54c369030e2cc445c31d7a0afc319264d065843

Download Submit
C:\Windows\SysWOW64\Eleiam32.exe

Filesize
186KB

MD5
af95f8508408e619bdbc0b219dfd2805

SHA1
af4703a90c0129f2cb5ec509e253029b96dcdb9d

SHA256
66fb500a649363a13f91774f318831591729f896bdd8560ce396bca5418cefd9

SHA512
a1c71bb8e86f4a79a6b6482c41f7359f9b76459ea1770c7d5e11acc900fa457b4c6e1badbb5a6176dcbd740aa772362dc89d65ae129672eb0050573576bec018

Download Submit
C:\Windows\SysWOW64\Eoaihhlp.exe

Filesize
186KB

MD5
b3d6242ea2a6f5ee40bb3cd3838bba5a

SHA1
bcb8a197d53d42d9fa4a0b32f3efa322f6cec690

SHA256
872ab480a7cc75a86b57358859450274e973685ed8445aae837a30f34e878968

SHA512
0c784bc8f1f681f958ef05052c5dd77373e70a9a14b092d557671c441adacf7720fce588bbf443c8b3f63346f640d9e0995d90913320f728061b4b243919c0f5

Download Submit
C:\Windows\SysWOW64\Eocenh32.exe

Filesize
186KB

MD5
86aad8c8097882186af835ba98f19dad

SHA1
3b47c03876c30300e28cb6f999b0c1082f571c97

SHA256
cbe1922b56b2cfc12e326fb49ce1334a3c7a88522e26ba112f2aed088b950f57

SHA512
4786b17eb4382eae86f5c7e9ac4baec86fc25ab7e85560cffbfb81f6c8258b5b45cc170c4f12fd24868aa530ee81b5631052c59934206bb13d129b526a28b923

Download Submit
C:\Windows\SysWOW64\Fkciihgg.exe

Filesize
186KB

MD5
cc4e9a8159b1ed58ec1b6615bf58a845

SHA1
92e37bdf003a17599771e7fc60f9e19364061f5d

SHA256
2086dd72c7907ad4f05b1b3c4d55232320e91349ccad1bc6c77248191d75e54c

SHA512
b1f6630b004a3ee18732e1a818b01aff0821f1d47b84f5be86fc20a0fd8245fd1cc36d2b97f693a8d6d2c7524d7cf8938c5d8009c72ba8c3e11f8605ab153550

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
186KB

MD5
7fe43c2bf93061255c1b28464b587cb1

SHA1
974c355ba3735bb4bb17a5f2c0543614c1d831d7

SHA256
51df1ce991d083a5871b1278de24a7e690d7eb68079846409833581d8107c67b

SHA512
04bb27a4e8eea789b4ec32b79d6ab99803feaf125ef05a96fd7a727cc3c1294e92a63ed02159f9335a1cb79634b0bd8e8ecdc9ebf94fb083bb03f480308b7551

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
186KB

MD5
ed2e9f985ae4c47916433b82a914a5ca

SHA1
c17fde09d7313a98a7c28dd7ac43d4dc72c5a0f1

SHA256
10d7abe74f2d90ca008af03149301658fe31c702eddc55745296feddf232583c

SHA512
74666e732f00a31d70c64d7825d9d07df23008e1239a93ded4a4741b02dd63da5915146c2d10b9a10bf8bac4eaf0f4ccfbd08e6cca75ec76f9211779deac8205

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
186KB

MD5
5c7398bdfe58f5d3fbce0d789d6782b8

SHA1
bf549ab2fcabcdaf55a9a7d593e08cb345e4ce64

SHA256
7015a8d619ea0561129e1e51091761bfcf44525172a9e81c8f1ae17f9a1c1a69

SHA512
964e5c5574c73a23aff135012d11787fc98dedeb3be5481ebaac5aec098998f8943f0ddc7e7b6fcbe6e531047aea4157da0318d19e92696343bbca78cd6c4754

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
186KB

MD5
216c6d37ca87be2a9f80dd8f78c5161e

SHA1
308b43048f3122661e40d0ef063740f38ab8a603

SHA256
310af2e8af4b2caa7d236efe5ea9332834e6b95c1dfeb8d47c0b2b3c164a3917

SHA512
e2f8fe7713635ca64d4e079acf3c04e27b995626680e0af12089383e19ae94368dc6d84f64c69b6dd98bf45722dcc0edc76ae0758d4fd7425f36363dbea83a7c

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
186KB

MD5
02e5316258cc019b206035711691c22e

SHA1
b1d50d07385257e4d79138d4a447ac8d118c2404

SHA256
6b3882514f31f9f2df27e9cc49806987bca02a60eb9ba5204b3a8b14c90bd269

SHA512
e3f3513d6387d3a7660e6c7bbc892e44498f82357f9603e0f9b96e3de7d808416aefe0780602ae82db1db7fcc88b2cdba20f8746b18c54ec8ad0c529ddebe5c3

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
186KB

MD5
e2a090a0b18a5af45015e1d1e5eda55e

SHA1
84584b4de4b6d77e40c4634584eb62195af70c4e

SHA256
3fb654ea9ad37e709649a301a1f33fab010ee7ba23c17e69b5c45752d247c43b

SHA512
3407c55702a8ecf139faea5ea56aa4c1eae17b895406b9ce55fefcbe6bc470df2897b5ec4710c1a26ccdb69dd43c7fe9fc2b0c6e08168603555d5cfe29a554c5

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
186KB

MD5
8e4eea8175e29a6095b9243476ca65de

SHA1
4318006f54ea42804006628f90b134fc85c2f881

SHA256
c137ffac76478f08a9f29143de6290af4854ff82e7a325203162f3adbc9c2f5a

SHA512
057020a0e70ee37599044cfa78c00b3c3f5afe343591a46c53d399d4d26889fbe152329e75f75b0fa73fd74ecdae96a7050173c9bfd8ae6b97c1107dd50031cd

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
186KB

MD5
d0166092c65926e782fa9d68f7c57dc4

SHA1
4a72e59271d0deb3855dc0dba0962831e5e526eb

SHA256
577dafb6430661aeaba2a69a9b5bfde09a08881a4fe5d5efa0b29ad949897d3d

SHA512
e2ed1eaa79dd1d356b33a6e4a38f89b6183dd88c4be3fe29c060f35f709a42fac166b0bde9dec6834060b3a972c7d4cd040345ebb9dc4da6ba557c1c4ce01d66

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
186KB

MD5
ae1309da4e7fc865db4486705b1c66d5

SHA1
069d564abd04fbe33b84aaef65ea94e176765d13

SHA256
124fa0e21e66078d2ef27303f25359626dd6e3097dd9e5f6f99edff3c7b29f55

SHA512
f7adfe80a7f81110837af6792e0d18ffdcaae8e3d6c4e7619a9fc30fd157b5dfae035dfebc23b72699e196c0c364bde76e44592fcb0d8e003f77f3ea4270f691

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
128KB

MD5
b6f764181f78371e567eb2667141294b

SHA1
778909f4e344abd44669efa211c7b7ed68f0d859

SHA256
78f0048192455e9b998cb427f042dbfa79855a5898d9a1c1f0fa0e492f0d4f8c

SHA512
06ef17bb0373375cefe915a40ea491443fef3e69cabb2e8bec549a1ea9ee8bf6c693589d11520b2e127f868062707af2f8f718f0402e6f786946da02e33f031c

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
186KB

MD5
806dbe40c7e2773cf4d0441c182784ae

SHA1
550680d931564e3f493ca73b6ab39804a62b3224

SHA256
960acee094fdb8e15f81d0bc01fdd99d433e9c3e1d8ea94a8ae092f7d927fd5b

SHA512
4f9e416ca9abb049f5ea41214aaa2354f0ed88368bbeb839bf9e1a0b98b13d56c0955a79444bee98db0f33b59d458f4206676a125de293d893a70c56168685b0

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
186KB

MD5
ac9ccbfebabb3b222009cb372abac034

SHA1
ada4fdec5cc70270d0ed09f5a451cfd18ff94f08

SHA256
1f9e97f42851a4ff590d4db5a73832fd1b19008c2b2ae54158abe47405a798e5

SHA512
ad3ba8ebb239b4715c947b9a3f5f3a69879d0ebe39950d4eaae565277bef9beba9ac05660b898ac5fd12d025dda90f7e275f9f95d07ca23f0773617af5bf97a6

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
186KB

MD5
3d1b86ed9d99debf4f4517657f07af9e

SHA1
f88f090e6a97744a44e2eacc764d44e9ef6d54fd

SHA256
8b79163ea47b6dafdc754fb6dd2013955fda5d6d15386692c716508ca644ff4e

SHA512
46879e0d78ad863703c7c72e9f058366728e664bd4048450f63246dc2f60bc6e1b651e49fbc7562b5a00af6b68b143410d988d37916241a6a46b641cde90c9d4

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
186KB

MD5
132e74bbf12cc040e078d2aaf0cc3a0d

SHA1
60a871a8fddaaafab5fe8d28baffc4c257986e3e

SHA256
790bb0f0c5f202988bc6e57d654def8fe29459cdad738077e91871a9d7160eb4

SHA512
9aa82d20de9a90fff1aac2e22ca004d529cb3022ca231c25b16efecb67656ef9ea2dd0ad0edb8d798e3dc29a7fab6bb2d78efe368e8203a096dd8a53271d410f

Download Submit
memory/208-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3324-624-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5124-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5172-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5208-600-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5260-606-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5312-612-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5352-622-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads