03fa7f38d00eaaae79d2133ba1557b711a49b2e7bab4d29717781373cf7713ae

Analysis

max time kernel
91s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e14a3c3b5319087216c7fff0d99e260_NeikiAnalytics.exe
Size

398KB
MD5

4e14a3c3b5319087216c7fff0d99e260
SHA1

b38dd07d217b2859e7d683b50d74810e84aa05f7
SHA256

03fa7f38d00eaaae79d2133ba1557b711a49b2e7bab4d29717781373cf7713ae
SHA512

dbf1a7b237b370a9344d672ae8e16208fc73226824a0ed1ab53e5b908b2ce8993b8cd8c049abfbdd70c9a9d19a207fddf6c86f6172514dd4a551f4f52772bacc
SSDEEP

12288:4/TV59I6t3XGCByvNv54B9f01ZmHByvNv5imipWf0Aq:S59I6t3XGpvr4B9f01ZmQvrimipWf0Aq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkopnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Behbag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dedkdcie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecandfpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfbibnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdhfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blpnib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddecc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkhoae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eleiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehljfnpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecandfpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Angddopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bobcpmfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cddecc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paegjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhkhibmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fooeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobcpmfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adcmmeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baaplhef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklaknjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dlgmpogj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekemhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehgqln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cojjqlpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhkhibmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doeiljfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekjfcipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fkopnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elppfmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fchddejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjokdipf.exe

Executes dropped EXE 64 IoCs

pid	Process
3440	Pkhoae32.exe
2312	Paegjl32.exe
3860	Qjpiha32.exe
2608	Qbgqio32.exe
2328	Qgciaf32.exe
4248	Acmflf32.exe
4184	Ajfoiqll.exe
1680	Aelcfilb.exe
4364	Alfkbc32.exe
1080	Abpcon32.exe
752	Adapgfqj.exe
3348	Alhhhcal.exe
4628	Angddopp.exe
2736	Aaepqjpd.exe
3368	Adcmmeog.exe
2796	Alkdnboj.exe
4880	Aniajnnn.exe
608	Bahmfj32.exe
1632	Bdfibe32.exe
4660	Blmacb32.exe
4588	Bnlnon32.exe
3512	Bajjli32.exe
3800	Bdhfhe32.exe
3556	Blpnib32.exe
1512	Bnnjen32.exe
2400	Behbag32.exe
2208	Bhfonc32.exe
1904	Bjdkjo32.exe
3416	Baocghgi.exe
3948	Bdmpcdfm.exe
2844	Bldgdago.exe
1884	Bobcpmfc.exe
4896	Baaplhef.exe
4596	Bdolhc32.exe
2428	Bhkhibmc.exe
4516	Boepel32.exe
4168	Ceoibflm.exe
2024	Chmeobkq.exe
4616	Cklaknjd.exe
4292	Cddecc32.exe
4904	Chpada32.exe
1128	Cojjqlpk.exe
4796	Cahfmgoo.exe
3352	Cdfbibnb.exe
1764	Clnjjpod.exe
692	Colffknh.exe
1300	Cajcbgml.exe
4940	Cdiooblp.exe
4176	Clpgpp32.exe
1736	Conclk32.exe
772	Camphf32.exe
5020	Chghdqbf.exe
4056	Ckedalaj.exe
808	Dbllbibl.exe
2476	Dekhneap.exe
3644	Dldpkoil.exe
464	Dkgqfl32.exe
5100	Dboigi32.exe
2432	Demecd32.exe
3232	Dhkapp32.exe
2256	Dlgmpogj.exe
3364	Doeiljfn.exe
2480	Deoaid32.exe
4748	Dkljak32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ifgbnlmj.exe	Ipnjab32.exe
File created	C:\Windows\SysWOW64\Klqcioba.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Pkhoae32.exe	4e14a3c3b5319087216c7fff0d99e260_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Chmeobkq.exe	Ceoibflm.exe
File created	C:\Windows\SysWOW64\Ecnpbjmi.dll	Hcdmga32.exe
File opened for modification	C:\Windows\SysWOW64\Klimip32.exe	Kikame32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Gfniiokn.dll	4e14a3c3b5319087216c7fff0d99e260_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Echknh32.exe	Ekacmjgl.exe
File created	C:\Windows\SysWOW64\Iikhfg32.exe	Ifllil32.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Alkdnboj.exe	Adcmmeog.exe
File created	C:\Windows\SysWOW64\Knkffk32.dll	Fchddejl.exe
File opened for modification	C:\Windows\SysWOW64\Dbllbibl.exe	Ckedalaj.exe
File opened for modification	C:\Windows\SysWOW64\Dkgqfl32.exe	Dldpkoil.exe
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mdehlk32.exe
File opened for modification	C:\Windows\SysWOW64\Lffhfh32.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Alfkbc32.exe	Aelcfilb.exe
File opened for modification	C:\Windows\SysWOW64\Lenamdem.exe	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Gokdeeec.exe	Fkffog32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Dekhneap.exe	Dbllbibl.exe
File opened for modification	C:\Windows\SysWOW64\Eemnjbaj.exe	Ecoangbg.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Ajbajd32.dll	Ajfoiqll.exe
File opened for modification	C:\Windows\SysWOW64\Angddopp.exe	Alhhhcal.exe
File opened for modification	C:\Windows\SysWOW64\Hbeqmoji.exe	Himldi32.exe
File opened for modification	C:\Windows\SysWOW64\Clnjjpod.exe	Cdfbibnb.exe
File created	C:\Windows\SysWOW64\Jlnnmb32.exe	Jedeph32.exe
File created	C:\Windows\SysWOW64\Cdbinofi.dll	Jidklf32.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Kfoafi32.exe	Klimip32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcbom32.exe	Klljnp32.exe
File opened for modification	C:\Windows\SysWOW64\Flnlhk32.exe	Fdgdgnbm.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Colffknh.exe	Clnjjpod.exe
File opened for modification	C:\Windows\SysWOW64\Fkmchi32.exe	Fljcmlfd.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Llemdo32.exe
File created	C:\Windows\SysWOW64\Iiggphnk.dll	Abpcon32.exe
File created	C:\Windows\SysWOW64\Naqcfnjk.dll	Faihkbci.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Eleiam32.exe	Ednaqo32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmpcdfm.exe	Baocghgi.exe
File opened for modification	C:\Windows\SysWOW64\Iefioj32.exe	Hcdmga32.exe
File created	C:\Windows\SysWOW64\Jcbihpel.exe	Jmhale32.exe
File created	C:\Windows\SysWOW64\Jpphah32.dll	Jehokgge.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Kikame32.exe	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Klohppck.dll	Chmeobkq.exe
File opened for modification	C:\Windows\SysWOW64\Ekacmjgl.exe	Dedkdcie.exe
File created	C:\Windows\SysWOW64\Eefhjc32.exe	Echknh32.exe
File created	C:\Windows\SysWOW64\Fbnafb32.exe	Fooeif32.exe
File opened for modification	C:\Windows\SysWOW64\Himldi32.exe	Hfnphn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8288	8200	WerFault.exe	367

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ednaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll"	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnenbk32.dll"	Camphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophfae32.dll"	Fooeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Camphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jeklag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dldpkoil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibjjhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgoilo32.dll"	Aniajnnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qbgqio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll"	Liddbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecmeig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdfloja.dll"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jinpgcmg.dll"	Dbllbibl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnkjc32.dll"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keajjc32.dll"	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpphah32.dll"	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdhfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffgqqaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dldpkoil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjqehkaf.dll"	Dhkapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eleiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbegho32.dll"	Bdolhc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 3440	2416	4e14a3c3b5319087216c7fff0d99e260_NeikiAnalytics.exe	82
PID 2416 wrote to memory of 3440	2416	4e14a3c3b5319087216c7fff0d99e260_NeikiAnalytics.exe	82
PID 2416 wrote to memory of 3440	2416	4e14a3c3b5319087216c7fff0d99e260_NeikiAnalytics.exe	82
PID 3440 wrote to memory of 2312	3440	Pkhoae32.exe	83
PID 3440 wrote to memory of 2312	3440	Pkhoae32.exe	83
PID 3440 wrote to memory of 2312	3440	Pkhoae32.exe	83
PID 2312 wrote to memory of 3860	2312	Paegjl32.exe	84
PID 2312 wrote to memory of 3860	2312	Paegjl32.exe	84
PID 2312 wrote to memory of 3860	2312	Paegjl32.exe	84
PID 3860 wrote to memory of 2608	3860	Qjpiha32.exe	85
PID 3860 wrote to memory of 2608	3860	Qjpiha32.exe	85
PID 3860 wrote to memory of 2608	3860	Qjpiha32.exe	85
PID 2608 wrote to memory of 2328	2608	Qbgqio32.exe	86
PID 2608 wrote to memory of 2328	2608	Qbgqio32.exe	86
PID 2608 wrote to memory of 2328	2608	Qbgqio32.exe	86
PID 2328 wrote to memory of 4248	2328	Qgciaf32.exe	87
PID 2328 wrote to memory of 4248	2328	Qgciaf32.exe	87
PID 2328 wrote to memory of 4248	2328	Qgciaf32.exe	87
PID 4248 wrote to memory of 4184	4248	Acmflf32.exe	88
PID 4248 wrote to memory of 4184	4248	Acmflf32.exe	88
PID 4248 wrote to memory of 4184	4248	Acmflf32.exe	88
PID 4184 wrote to memory of 1680	4184	Ajfoiqll.exe	90
PID 4184 wrote to memory of 1680	4184	Ajfoiqll.exe	90
PID 4184 wrote to memory of 1680	4184	Ajfoiqll.exe	90
PID 1680 wrote to memory of 4364	1680	Aelcfilb.exe	91
PID 1680 wrote to memory of 4364	1680	Aelcfilb.exe	91
PID 1680 wrote to memory of 4364	1680	Aelcfilb.exe	91
PID 4364 wrote to memory of 1080	4364	Alfkbc32.exe	92
PID 4364 wrote to memory of 1080	4364	Alfkbc32.exe	92
PID 4364 wrote to memory of 1080	4364	Alfkbc32.exe	92
PID 1080 wrote to memory of 752	1080	Abpcon32.exe	93
PID 1080 wrote to memory of 752	1080	Abpcon32.exe	93
PID 1080 wrote to memory of 752	1080	Abpcon32.exe	93
PID 752 wrote to memory of 3348	752	Adapgfqj.exe	94
PID 752 wrote to memory of 3348	752	Adapgfqj.exe	94
PID 752 wrote to memory of 3348	752	Adapgfqj.exe	94
PID 3348 wrote to memory of 4628	3348	Alhhhcal.exe	95
PID 3348 wrote to memory of 4628	3348	Alhhhcal.exe	95
PID 3348 wrote to memory of 4628	3348	Alhhhcal.exe	95
PID 4628 wrote to memory of 2736	4628	Angddopp.exe	96
PID 4628 wrote to memory of 2736	4628	Angddopp.exe	96
PID 4628 wrote to memory of 2736	4628	Angddopp.exe	96
PID 2736 wrote to memory of 3368	2736	Aaepqjpd.exe	97
PID 2736 wrote to memory of 3368	2736	Aaepqjpd.exe	97
PID 2736 wrote to memory of 3368	2736	Aaepqjpd.exe	97
PID 3368 wrote to memory of 2796	3368	Adcmmeog.exe	98
PID 3368 wrote to memory of 2796	3368	Adcmmeog.exe	98
PID 3368 wrote to memory of 2796	3368	Adcmmeog.exe	98
PID 2796 wrote to memory of 4880	2796	Alkdnboj.exe	99
PID 2796 wrote to memory of 4880	2796	Alkdnboj.exe	99
PID 2796 wrote to memory of 4880	2796	Alkdnboj.exe	99
PID 4880 wrote to memory of 608	4880	Aniajnnn.exe	100
PID 4880 wrote to memory of 608	4880	Aniajnnn.exe	100
PID 4880 wrote to memory of 608	4880	Aniajnnn.exe	100
PID 608 wrote to memory of 1632	608	Bahmfj32.exe	101
PID 608 wrote to memory of 1632	608	Bahmfj32.exe	101
PID 608 wrote to memory of 1632	608	Bahmfj32.exe	101
PID 1632 wrote to memory of 4660	1632	Bdfibe32.exe	102
PID 1632 wrote to memory of 4660	1632	Bdfibe32.exe	102
PID 1632 wrote to memory of 4660	1632	Bdfibe32.exe	102
PID 4660 wrote to memory of 4588	4660	Blmacb32.exe	103
PID 4660 wrote to memory of 4588	4660	Blmacb32.exe	103
PID 4660 wrote to memory of 4588	4660	Blmacb32.exe	103
PID 4588 wrote to memory of 3512	4588	Bnlnon32.exe	104

C:\Users\Admin\AppData\Local\Temp\4e14a3c3b5319087216c7fff0d99e260_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4e14a3c3b5319087216c7fff0d99e260_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\Pkhoae32.exe
  C:\Windows\system32\Pkhoae32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\SysWOW64\Paegjl32.exe
    C:\Windows\system32\Paegjl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\Qjpiha32.exe
      C:\Windows\system32\Qjpiha32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3860
    - - C:\Windows\SysWOW64\Qbgqio32.exe
        
        C:\Windows\system32\Qbgqio32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\Qgciaf32.exe
        
        C:\Windows\system32\Qgciaf32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Acmflf32.exe
        
        C:\Windows\system32\Acmflf32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Ajfoiqll.exe
        
        C:\Windows\system32\Ajfoiqll.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Aelcfilb.exe
        
        C:\Windows\system32\Aelcfilb.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Abpcon32.exe
        
        C:\Windows\system32\Abpcon32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Adapgfqj.exe
        
        C:\Windows\system32\Adapgfqj.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Alhhhcal.exe
        
        C:\Windows\system32\Alhhhcal.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Angddopp.exe
        
        C:\Windows\system32\Angddopp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Aaepqjpd.exe
        
        C:\Windows\system32\Aaepqjpd.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Adcmmeog.exe
        
        C:\Windows\system32\Adcmmeog.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Alkdnboj.exe
        
        C:\Windows\system32\Alkdnboj.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Aniajnnn.exe
        
        C:\Windows\system32\Aniajnnn.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Bahmfj32.exe
        
        C:\Windows\system32\Bahmfj32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\Bdfibe32.exe
        
        C:\Windows\system32\Bdfibe32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Blmacb32.exe
        
        C:\Windows\system32\Blmacb32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Bnlnon32.exe
        
        C:\Windows\system32\Bnlnon32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Bajjli32.exe
        
        C:\Windows\system32\Bajjli32.exe
        23⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Bdhfhe32.exe
        
        C:\Windows\system32\Bdhfhe32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Blpnib32.exe
        
        C:\Windows\system32\Blpnib32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Bnnjen32.exe
        
        C:\Windows\system32\Bnnjen32.exe
        26⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\Behbag32.exe
        
        C:\Windows\system32\Behbag32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Bhfonc32.exe
        
        C:\Windows\system32\Bhfonc32.exe
        28⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Bjdkjo32.exe
        
        C:\Windows\system32\Bjdkjo32.exe
        29⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        31⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        32⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Bobcpmfc.exe
        
        C:\Windows\system32\Bobcpmfc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Baaplhef.exe
        
        C:\Windows\system32\Baaplhef.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Bdolhc32.exe
        
        C:\Windows\system32\Bdolhc32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\Boepel32.exe
        
        C:\Windows\system32\Boepel32.exe
        37⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\Chmeobkq.exe
        
        C:\Windows\system32\Chmeobkq.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Cklaknjd.exe
        
        C:\Windows\system32\Cklaknjd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\Chpada32.exe
        
        C:\Windows\system32\Chpada32.exe
        42⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Cahfmgoo.exe
        
        C:\Windows\system32\Cahfmgoo.exe
        44⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Cdfbibnb.exe
        
        C:\Windows\system32\Cdfbibnb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        47⤵
        Executes dropped EXE
        
        PID:692
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        48⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        49⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        50⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        51⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        53⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        56⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        58⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        59⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        60⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\Dhkapp32.exe
        
        C:\Windows\system32\Dhkapp32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3364
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        64⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        65⤵
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        66⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        68⤵
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        70⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3296
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        72⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        73⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2016
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3052
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        76⤵
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        77⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        80⤵
        
        PID:864
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        81⤵
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        82⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4788
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3612
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        86⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        87⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        88⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Fkmchi32.exe
        
        C:\Windows\system32\Fkmchi32.exe
        89⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        90⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        91⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        92⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        94⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        95⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        96⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        97⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        99⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        100⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        101⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        103⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        105⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        106⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        107⤵
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        108⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        109⤵
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        110⤵
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        111⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        112⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        113⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        114⤵
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        115⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        116⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        118⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        119⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        120⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        121⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        122⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        123⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        124⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        125⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        126⤵
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        127⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        128⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        129⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        131⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        134⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        135⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        136⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        137⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        140⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        141⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        142⤵
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        143⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        145⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        146⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        148⤵
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        149⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        150⤵
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        151⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        152⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        153⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        155⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        156⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        158⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        159⤵
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        160⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        161⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        163⤵
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        164⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        165⤵
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        166⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        169⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        170⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        171⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        172⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        173⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        174⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        175⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        176⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        177⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6608
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        179⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        180⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6784
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        183⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        184⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        185⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        186⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        187⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7052
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        189⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        190⤵
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        191⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6240
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6316
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        194⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        195⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        196⤵
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        197⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        198⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        199⤵
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        200⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        201⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        203⤵
        Drops file in System32 directory
        
        PID:7060
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        204⤵
        Drops file in System32 directory
        
        PID:7128
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        205⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        206⤵
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        207⤵
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6520
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6660
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        210⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        211⤵
        Drops file in System32 directory
        
        PID:6880
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        212⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6208
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        214⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        216⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        217⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        218⤵
        Drops file in System32 directory
        
        PID:6252
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        219⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        221⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        222⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6948
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        224⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        225⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        226⤵
        Modifies registry class
        
        PID:7236
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7284
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        228⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        229⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7376
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        230⤵
        Modifies registry class
        
        PID:7412
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        231⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        232⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        233⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        234⤵
        Drops file in System32 directory
        
        PID:7592
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        235⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7672
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7712
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        238⤵
        Drops file in System32 directory
        
        PID:7752
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        239⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        240⤵
        Modifies registry class
        
        PID:7836
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        241⤵
        Modifies registry class
        
        PID:7872
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        242⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        243⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        244⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        245⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        246⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        247⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        248⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        249⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        250⤵
        Drops file in System32 directory
        
        PID:7252
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        251⤵
        Drops file in System32 directory
        
        PID:7324
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        252⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        253⤵
        Modifies registry class
        
        PID:7500
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7576
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        255⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7748
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        257⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7896
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        259⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8016
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        261⤵
        Modifies registry class
        
        PID:8068
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        262⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        263⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        264⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        265⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        266⤵
        Modifies registry class
        
        PID:7584
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7740
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        268⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        269⤵
        Modifies registry class
        
        PID:7952
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        270⤵
        Modifies registry class
        
        PID:8108
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        271⤵
        Drops file in System32 directory
        
        PID:7184
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        272⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        273⤵
        Modifies registry class
        
        PID:7652
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        274⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7792
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        275⤵
        Modifies registry class
        
        PID:8080
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        276⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7640
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        278⤵
        Modifies registry class
        
        PID:7924
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        279⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7360
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        280⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        281⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        282⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8176
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        283⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8200 -s 416
        284⤵
        Program crash
        
        PID:8288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 8200 -ip 8200
1⤵
PID:8264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaepqjpd.exe

Filesize
398KB

MD5
687d51f179238347e8d0fbfab8b5e891

SHA1
534f2b5ef71f3007afced125a64af7419fc0ceef

SHA256
ae097b1a0ad655e1d91e02595a360c1aefd1bbdb4020fb3b8136f08c658bb85f

SHA512
5588b3fb85b19b636d8bb95dc72c5280b3815c9c2dfef8dc7f10a693eda061456ff6d72a25ff29d119bdd396d94ec78ba44e94b8823db1c8c17badc7507c646e

Download Submit
C:\Windows\SysWOW64\Abpcon32.exe

Filesize
398KB

MD5
0152191511c0513a07843443ecc94052

SHA1
93efc121749e92ce1b6c21c26d04739460951512

SHA256
8d00cd84cbcedf7a2b5ef7675045ac0f02abf825307172705fd90503bfc18d0d

SHA512
f0097e7ed177fb2d52e79fdbd26748474b900e1e4792c2bcc2f271bb34c54adca97cfedda3ad3454aa0b0986255a4b0834fcc1a6a47a8250a848be2ad86e6bc8

Download Submit
C:\Windows\SysWOW64\Acmflf32.exe

Filesize
398KB

MD5
504a115f97ceaa60f0aa5b8ce503ce1a

SHA1
c75a6ba1e5eddb70a35b6c4c39e16d263ad6bdfc

SHA256
e31771e4440709ce7852017f78209d06576b18ea02068bc9d14b9cf8a76c9f58

SHA512
aafc63f68063bef416692656d58e5727177e9bdbeeff7f8afed5c23fa40b265935b65088f8aee1dcccff472586c19971adf012a009558c55cdc278ce36f47ca9

Download Submit
C:\Windows\SysWOW64\Adapgfqj.exe

Filesize
398KB

MD5
d19134a2c666176f3796fe9dd9d87d8d

SHA1
9f0a5326d6dbbd748924dccdd954e4f5974500ca

SHA256
514defc764cebd3def0a71cc2f67d858fcbb271e415dd791e2004c674b21d7d7

SHA512
351be16decb34b2ef62ecbb1517ac7b4437219f322042a0f8aa4e97f99ff8b3726e9b07ea8d4f300c13babbdf10d1bc796961f013eb64f1b82da1b6c6f3ddbcd

Download Submit
C:\Windows\SysWOW64\Adcmmeog.exe

Filesize
398KB

MD5
8be8924b1d64ffebb80c2036e61459c2

SHA1
0c70272d9a38773f389c737b3cd71309c2f675d3

SHA256
7101109e36e66a7c241113a02b731bb1d64fd9a384bfc0c9de8b6ff31bc73fe6

SHA512
93106ea3ab934c768c4781ef48ee8eac12e91a7628ce2cd1d65d14190e79722fbca3d6cac787990bd6bc63630c79f050b1a7fef468648520a0234ea73d89a335

Download Submit
C:\Windows\SysWOW64\Aelcfilb.exe

Filesize
398KB

MD5
211b99420c1db754891cf6121fab595d

SHA1
080a473f9361ce20ee41181749f287de0dbcb028

SHA256
c485e68459b166c19bc999166842b0a6783ff9ac238db8f601559c8b1440dbf7

SHA512
bc311fdffdbe6a2a2f83658279630e33b40e670fe1b6d4d7d0f4a0f4b9286cb666fd75fcdd8a74df10bf3898f58668f97473ac3449ebd007c2c3fe79378a017b

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
398KB

MD5
32fcd1dafe4b8515a1f33273a2a3aa73

SHA1
67d3bc362fff0830002f93186f86c43db2877d51

SHA256
ee8ae2fa58314b78ebeb4826ebe9d1cc5510905373b6a1ad617941d191a4acf9

SHA512
437cad35c2bce77e1ad8cb0941d83a3f0ca71ca179a3625c80763e8825d0e5224624c8c06d0102169f60d88302d3b39ceff496e35034d6490ff694e293cb65c9

Download Submit
C:\Windows\SysWOW64\Ajfoiqll.exe

Filesize
398KB

MD5
88a28e232eaefa24f020c2b699cbae72

SHA1
7b6c95954af50df89e577b76c3136b19fb056524

SHA256
d9a6400d1cb376027adb207d408752c7cc57b1e4a1d4c9ab5c0c6d7c33efa36a

SHA512
0c99002925ba8538fd6df66fc36baebcdde6fc7cecb2f231cedbceb2604108abea48b35ead2248cc368c0fafc96ee7b4fbe4bd5e4ce7a053d41288668c968a6d

Download Submit
C:\Windows\SysWOW64\Alfkbc32.exe

Filesize
398KB

MD5
52af17f9a79de935ed0df19c4f13db0a

SHA1
f88ded6da31f415b6107d1332004e692ba07aae1

SHA256
c93efec5b8ea5055cdb48154d47dd25b0cabd03937954627613812bb5501f87e

SHA512
f04f336a8915da88c8496d479590f83ddfbfbda80415358203d153fe7e8e4e4f6811d60a4c16b2a1ed194af2a44e99248a366f80359781c44b893c709fc5064c

Download Submit
C:\Windows\SysWOW64\Alfkbc32.exe

Filesize
398KB

MD5
d8602b8d592a9a9a08efecd0144f79c4

SHA1
cf4e93956e1b768ed11c6e7bd4312f3a7cfe0bab

SHA256
1549720b9026ad7aa8b1f4d9d58b7d60c4aa893af026d8e748619f383a1be0d5

SHA512
cb4f3b28f86187b88adbb5b991def22641738211ff6ccf85680a4c0d0bd733b23ab195284aa491ca7a3db4e573aedd75bb665ea528b06dfc759dcfc6afc7a98a

Download Submit
C:\Windows\SysWOW64\Alhhhcal.exe

Filesize
398KB

MD5
162b558defdc4c70e0ce53e3038a55c4

SHA1
fd4dfa81bf8634f9f3d638db48e1e45f5c025d09

SHA256
61136b35a9518b9c8a1c1de2704bd972ef9b290c9cdf58374b707747516b93b5

SHA512
4f24ff059f4c71dc6be18a95ae7d3adbbdff32fe1106c5eb230045f32aaedf15ca13cc21c8bfcaeccf5ff8b476741c67f24e5216553292022480ba79673ef9c8

Download Submit
C:\Windows\SysWOW64\Alkdnboj.exe

Filesize
398KB

MD5
86bd18aabb9c6193f38b9b4a62d9e4f3

SHA1
17b12f101aa999e5ea78f69abee4b02719268000

SHA256
56d05a5444007942a7c9de825ca048a460c9d5257c449562dd1f6390ad672952

SHA512
4ba33dcfa68badbdfd74f179d5efab6732c7273aea6d70d0a21ac89fea0b0ee90fcb3a6a5bafbd0cc51d8d7391625163101db1011c0d31abb34a57114b4622b9

Download Submit
C:\Windows\SysWOW64\Angddopp.exe

Filesize
398KB

MD5
bec9777a11ce8c2384c7ddc5ec3838ee

SHA1
0c89b32c3805c3ac57dfb84b4393f259510c83b0

SHA256
01975db470b3180922e8ddca861ca58134352531b8d7ff50094ee39a4392f053

SHA512
4c2e5e6d257579df82c5a9d895eceb8547e8115bd98d8b9006e96ebae3a62330e7fab71c6c938cafcb5e4e18902e73ec528c43c08dbd9272c6a3018b4a703dd6

Download Submit
C:\Windows\SysWOW64\Aniajnnn.exe

Filesize
398KB

MD5
32980b63b566d8ef6ab0fcd317148136

SHA1
55e7f4ede3c6c33a74cd157c698e433890a1eea6

SHA256
4ef2512e30feef6939cfe42812ae45faf701d592574cdc73ed5eda616a5ca79c

SHA512
d53d62384aa48fbeb2f55f77a80f18c57f6b1a6fd76c933fc61715594f804fa89712dc718b07940498d14549f341bb580719ec3a95195b9bcf5c7ddf0ff42b13

Download Submit
C:\Windows\SysWOW64\Bahmfj32.exe

Filesize
398KB

MD5
5f3141a56bba015d1f509e2ff7fefcd9

SHA1
be378a9505c98cbc52afbeba6a83f2bbfba72c67

SHA256
3982f4914aefa0d89d76996588615a865a7ee004186e10ddbd898b8484223d35

SHA512
c400d7fc0e181c9a15ea84e94f77a6da53a5c587600381bff8095ca5aad4dac1805dd1bf896704e87298982f01741c7811f5bc943181562d5d9613b6673aae54

Download Submit
C:\Windows\SysWOW64\Bajjli32.exe

Filesize
398KB

MD5
4746d8869c82e03e433ce4d3be2c2e8e

SHA1
518aba735ecdcaa68bbce903e1f68b4cdd3ac0bb

SHA256
d31ad3429726cd293b2170bf068fa6987378632b20cda9c2733f57ba2bc1e59a

SHA512
6e00fd10c5315cc58c01af09c40f8bb5d4abcdce18eed300313b182e4e061fc2667dd029841b5fea8e8a4431707f8b8a8dd23b74117173947bb795e22e1815bc

Download Submit
C:\Windows\SysWOW64\Baocghgi.exe

Filesize
398KB

MD5
dcac5a0a304bd81738bd8559b035365f

SHA1
3ef96244e1d982d9104525a1179453c34207ed73

SHA256
261324508dc4a602bffec307bec1961f8252de40ed3e34b10d71550f3fae825c

SHA512
c03a9ab3b8ab2b76630255ac9b487a107ac98643d85615a0e124ebbb300959ffc74f2e48af292ea45d2eb37d06cdbbfa9c64415aabb1f29ea3bf5cb6ab244993

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
398KB

MD5
4c6385f7351d7faa11be061635b52daf

SHA1
e11f52fe7a40ee0663c64258ccf3cb7a9e0eb193

SHA256
51919c9c591f71cd072e4713cac9e103043fec6173cd233d062e17aad38d1961

SHA512
544e5e0a538c11c23f86f1d786faa3a3cdebfb2d4704be294ecc67335c26b816e88729d726ad4e6b3fee7e96390dca1df1e595ba497e6ce3e1bc2566eb382ace

Download Submit
C:\Windows\SysWOW64\Bdfibe32.exe

Filesize
398KB

MD5
51b0af9c893d1a84d033a78adb66b0ca

SHA1
629b52660c09bd37510ac9e8d3306f0aca98fb56

SHA256
632a897a13d0788172b205f60cd43facd666c7adb5cbca76511ee8e4b0252678

SHA512
7601c147f3318f379229bb0fa8961d17e3ebc017c477e267e62c97525b9bd0ce5464b5e4140370a7a1d3963016ed4a88a3166193d8c80c4e09ee91f8beaed11e

Download Submit
C:\Windows\SysWOW64\Bdhfhe32.exe

Filesize
398KB

MD5
6b441ff8bbfd5f46c461dcce7eabedde

SHA1
a5cd7747dd6a6ac6344ff8c714e67716e71f2836

SHA256
3271608aec3b607e6a86b247233914ff820bc706875f082e3dafc158823ccb26

SHA512
66f4e7b0fbab82f88de0aba9806b4d984b63857621fbe1e0b20dadeb0eaf108f38713cd812bad67408d3a2cbc2216cc56c55be90f6029c0285c289c083614e21

Download Submit
C:\Windows\SysWOW64\Bdmpcdfm.exe

Filesize
398KB

MD5
e9124cd3eed4c477d6a9cc3de842b8f5

SHA1
082706ada83e4176bf43db0bb31f48c76447d6b2

SHA256
f17762a1229b58d4d51a3328687ff4354f494cf748608d45484ffe6fb8747bf8

SHA512
0a3a2360830b88db3e5cecf180bcc6baa3361c2d711fdffd390cf8cb0a6756b4a15cefabb2345a995284275c6bc630e95a8867e284fcd9267a42d704453ccf67

Download Submit
C:\Windows\SysWOW64\Behbag32.exe

Filesize
398KB

MD5
0e873f740a27c85c07694ac3ffc2469a

SHA1
3ac11eeae7abe6fadf1ff369d168cc45c4b5e7cc

SHA256
2f098dc0b73e6da3f31f38e7fc705d6e55864b3163849c95272236aff9138ca4

SHA512
4bc0709b10501e4094c68d378a62dcda467230532b1c7d12bfd619081c2a5ec8e7817a98eaf55b12abfce9729073bfbe1d9b53632d5418df85f0451cc2c1a420

Download Submit
C:\Windows\SysWOW64\Bhfonc32.exe

Filesize
398KB

MD5
6b641d5bd6126861bef942a7513dd798

SHA1
2bcb0b998c19505a778cd52f36c7312899f2b863

SHA256
0422364308ea4026abdd864092d11aa1f77361b6ecaba49d549d1c35bf64ed93

SHA512
e7d921303bb44d5ee574bf9e5df95acc7ffc8fe1f29c337b41e942480e965e83ad8bbbbe53f50d3cf46d64d385bcbfe1a4c1a0748809c61b655f78237edc9f36

Download Submit
C:\Windows\SysWOW64\Bjdkjo32.exe

Filesize
398KB

MD5
3124ccbdeff107821fce1031ba43491a

SHA1
8f883c8c77d1088be7520b24b6a2121a20c243b0

SHA256
bc90e40fd48697b9ced4a0b01b3ba5cd3dac12f89cf55f041d494729cf450ea3

SHA512
ec3d2442fb30cf151633c62500245d5b669795a313eee5209fb28aa79a33bde6f4f35f1d42ff3eae70422533a2d832a83801473a9ddc1e07d5d99380eee729a5

Download Submit
C:\Windows\SysWOW64\Bldgdago.exe

Filesize
398KB

MD5
be03e62e71e394d93cbf8eb2d8ce557e

SHA1
094e8559fe93c9191a39d1ed3805be105edc111a

SHA256
3ee73c62508f1a86a4ee8035e0b9b71c12c0b535491f574286e7c77c6cb82073

SHA512
9d504e8ee2e956671fc19727f08ae4f02fff16ed8fdda6dfc232c1da6ad0ca8f28b1c5ffe2fd46b7dac150f3d31aa40121e0cf6335db5964da24c1c73c921152

Download Submit
C:\Windows\SysWOW64\Blmacb32.exe

Filesize
398KB

MD5
990b516682bace6b23b094add7fa77b5

SHA1
e967e0ae688f507917876eaf63097a8556dfe04d

SHA256
f63ff6d2917918330e8e43bf79b200b9881ff21bf70cb1edfaaaeb6738584dac

SHA512
d720d8ab87aff42a091bc2aca7a4c5f1b6e150b67e71558f4c49c86de44a4d1923f96e3d4deb108314bbd73654191989254aa1c3510ed1364bdfb8c239141233

Download Submit
C:\Windows\SysWOW64\Blpnib32.exe

Filesize
398KB

MD5
de4902d733b4c62021bb3924201123d4

SHA1
f2f589a5aeebbb3daeb81e2db2ea166e6a4a7eed

SHA256
92f14a16e53007f81a20b1edad573c7efebb96dee55b51c460711d3414da4673

SHA512
a9e68c354a626c09ac678ac1f95fe33306ff54f574f4d2acdd24b50bace81ba895bd1865c65bd2ae025a1fbd9ff0348034b6a29f7f49e57ca6bb1caa90858f2d

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
398KB

MD5
2431d5b957cde00ceda269c3ae481b8d

SHA1
84de845665375c5c1a48e11fc36c69fb8fa826a8

SHA256
3bc11f83eee659ca62875d0d24f4d4ebb2d8e4b40fd4f425d3a20ac2d9fa0ede

SHA512
7831ebb66af0096f87ed63beec99c4d8851a8df766bb86015ec62ddfa208bce21d49ffe8f182ed540d990021ec8d7f489562ed84ff488232a984a141498809d5

Download Submit
C:\Windows\SysWOW64\Bnlnon32.exe

Filesize
398KB

MD5
a87d777195d38e858ff6fd7a46161192

SHA1
f38b7e98e04d9877722ec0bc90f5b28c399d6e68

SHA256
3b7b3785cb95b70c510378535d52f665503b340e7a5b8d744a50a980518466fa

SHA512
2200e9b9ee9d0bfb76d11b505173a6b9e9009c42369aa7abf31e615d49dfc66c6c0723f9769965896c6316714f61ec59fb59e35406e79b3c496f2436d66565fa

Download Submit
C:\Windows\SysWOW64\Bnnjen32.exe

Filesize
398KB

MD5
f44933908baddb103af2c2cd523ddbc6

SHA1
ad18cbe65e1acb9afb118883cb0a7401ea0f178f

SHA256
8436e8d9d2d05d12008902c258f503d2ab18e9e7cbbff09e427e67b634639541

SHA512
479bac39018c55e22313511828df132fa5648b578518d9e8da773d7387e912f9b2e5c3dc395ef68c3a5a99b5b2697f64a41034bce46b60229b1cc5f99a6deef4

Download Submit
C:\Windows\SysWOW64\Bobcpmfc.exe

Filesize
398KB

MD5
dc0ff8be73bcbf16452ddef779d0f8c2

SHA1
a2efa513bdb389ac39ecedddba19ce8a90c72a18

SHA256
94d80ecd27d18ec70a0b458beddb7e2b3a03496a4ec1d2a63cd1c7818e78da5f

SHA512
97be4fd045114c898e57575e1a2a26f06232bb8546359f6a0ae35c53d14a0047698769d84672d7258410396a06daacbb596e773b3117d50d032975956eafc467

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
398KB

MD5
8f29513a5fcbdf342ad1f984af1bde16

SHA1
b54e05cc62100ee177de5d315cb98eb0bd20d2d0

SHA256
06a64623883a219a4ea15ded3dd29b8645a2a52801bcabbbd2df5d85a8f3d560

SHA512
73a5a14befa5787d0b6fd10df3dab2afc9bde5ea896b5c251e8110d9cb2987cca5541ed0aedfbc13e79ea03c8a7a94b8ef8a65d8775083c12d43f87507427c33

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
398KB

MD5
0c914650e28dfdc065d4c5b541843637

SHA1
d183f8038c49eb5b3a2cd6726ce7cb75adc9f4a7

SHA256
70b8b4a5804fa4f71e25859659a8b62c1d5b706e94155da8eb1c11825af9e552

SHA512
690490ea364c966accbdbf9de941b6b6fde391b51f7ba28d733c067d71964dfffd5615320aaae3004875e1073d36aad8c1388c45ae147908c4e52bd833e9efcb

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
256KB

MD5
14cbeab7b17b0206d897636bda89c060

SHA1
2b68cbd72445fe57ff9d13b3a8d38560aa85cf5f

SHA256
a15eb487f899496e047253205d6c5ee995e8a41ad381ce7eab711670168c6622

SHA512
3bc80296c09b94595dfa20c14aed266413c1bfcf06005f66bbd1303645f86126b32532bba1ba43a956b86a257ebd3df8a302b7c8f93739cadce925c5452b0b71

Download Submit
C:\Windows\SysWOW64\Himldi32.exe

Filesize
398KB

MD5
7dbee70366f60841bfa2811de5e28b4e

SHA1
409d4f09be4b5bd15bd55aa3d2c1b5e456486f16

SHA256
d5760e98db61cbdf09801f0087311d5de8070064d5a0319f895a15bf525f225d

SHA512
ba176249c9fd22d79299d992dd370e250982ea4f364fbbb20153b9fa15bd4aadb9a831d6f5cfbc081d8a3d2056f7d3ab18d8d61a51a231dd515e8d501a82208b

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
398KB

MD5
c3093d5f83fbfd5645c22ed0112033c3

SHA1
ebf443a318d0d8d71bbe4c5b8713f9f8f5da661f

SHA256
c40d2d23792d82187e5fee594fbb03bf66445a6cad4fcb48e446ec884c320084

SHA512
1c24c521ebc7cf0f793256882f99615fa14811ad4de5ed5fb2c9c240c71fe3fe6a1016ce0f1c410fa17ca2b9e82d9babc21f414a0092367a7f6a339b7fe3abb7

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
64KB

MD5
21b87aa4b8a70ea181a333e2aafaf34a

SHA1
8c0421b1a44e365f9551705f1ce2f4bfdc17aa56

SHA256
45d7950552ef2348e645e0b1b11686061b0bf1047d1d6b42316c72c842684a0c

SHA512
3e2359fff311c127f4a19fc1462421d2b11780e28d91490786061e8cff0c2354fc94b6f2cf2f226d61db569198a0d20d78227492ecc91fbdba4f949bf37ea479

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
398KB

MD5
ad2161d5380a4511144026a0c1ac4fe8

SHA1
9c1938ce1cca1b2f84cdaa42a4332dffbb08be26

SHA256
180ad9bdb359280c5954c811a1806a341a0702a3808b0c756f15fdaa527475ad

SHA512
9c67af8d10bf8e69c6066ac0314c9b5171928fe6ea9cdf64e350914807584a4244f279e17b3c71c553c552f694ddac23499456be5267d288b1dce0f0ac8607ed

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
398KB

MD5
fc406ef684f26163a8c654f2f0fdd543

SHA1
c7f770fd65d8dbb66a1e329fc97a43dc8cc879aa

SHA256
44468f03a4db2caf2d27d9503d20e5acdd31b6dcebacb61db219b7420710a4c7

SHA512
861b958d75358a3fd6f6645a2d5fe1e7837f0bec531282f6319df4240c0f0e485a79673a27a6d4cb366fef833ce8a8cc0175cf9c0b6a44754019907b79bc1f84

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
398KB

MD5
06fc6f9db631bc43efd979f43ea74d34

SHA1
b39fe4f957734a048aee187d34ff6baba9d03e60

SHA256
6c60c6dfe7d35d18f767449f0b93c807b2fe3f1462935f8573ab934c37203bda

SHA512
1d3a02a92f8ae17037d1948a9927b7f6fa5698a91cf46456d7662cd21d25729181b83f5156b2b8cc7ce81dd334c8052464e4c5922e1163dfea5b8b7de8150da6

Download Submit
C:\Windows\SysWOW64\Mjipjg32.dll

Filesize
7KB

MD5
eab7a6b49b06a1fad6f5b237366286e5

SHA1
7f4c310cade8a73597616d8ffe39c88cf330aa15

SHA256
b2811984a39cc3d47e0ab228752cf76644ad3d4aac67ed5523e7b78fbf886b20

SHA512
67e40fe7145dc12bcbe4d820b8e9176f5a2bfbca3e74b86bdfd4c487ea528a4832258ad6b16c72bf3a95ee12ab82c9e9d046ceba1ab9944cf9ec176807de8372

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
398KB

MD5
1157b7c894ba08cb21900b14f1229427

SHA1
12562504ebc92d3f002056748e14b93f0b8f6d56

SHA256
686c62af547fb3ee1d39f907095a5acbe7f844eedbdaf849a85920fcb03d527f

SHA512
e4989e3ceeebef6099c0cb6c71fa8380387ec9f6536de8bd0b86ecee4b0af49d561d6e8c1fce27a60bc7857559c7bcb52c69b2246c6bbaddd797eab7389a73d2

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
398KB

MD5
2893ad23b50b3998408e4f287fe38607

SHA1
2b1d0bca51b8d32fa0b92a2225551b8e2ede78bd

SHA256
aa2bbcc790a4cae2e27aa39a4b873b42f5b9e2dd4254b7c4c767b948607a2f7b

SHA512
a51fe863f2c51f784437dddce59d4b7845befded8a6e7e341f4b1817192ef8b41709c429020199b217554a2b6dbc32419665f49fb2ce0f8a8bd772100f630bac

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
398KB

MD5
b5044ccc02d780675fd8dfb2d4cef140

SHA1
67272b241574c23e1bd748e9a8dd7bd41d6b62b5

SHA256
1278edd82de096b4a35fef5d3783a103427008cc7d8d31b18eb0348197780037

SHA512
a733b67b8be0f7ac69fd6626faab25f8a0ea77e8b8c262adb821380c7b93f2d617eda02e11113e17554167ec860aa2a940e3f7357d393f57132c878de47f6df2

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
192KB

MD5
0491b77efbc0595c892b89856f394a77

SHA1
0f2703412748073b5a6d898c02cd874a4d39e466

SHA256
025a129e32d76b8b0e0ac9e3565e69d716eaa6f7592103f84036de70b334d222

SHA512
d152d6b867ca25874881615e7a4396fd4b1b889794fddc466ab7bab079e12620df6cc7327c8192dbc271a3c42eefb2b380a75f127eae2ec95b2c4497655e552d

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
398KB

MD5
213d655112078f12454cd8d386b0d02c

SHA1
f7d4cc5e4847ada8e6a1906b1e6d2e3336291c90

SHA256
34e61d9e5956d9e52780b81f4dd5805118cc47ed0cb48a8e68ee89237f68b236

SHA512
34adf86fb20726f426768aac34a1bcf78c5f0e5d1bb75a43d020a758e771df123b487ab55a2e9cc471eb16e4bc5902b87cc39ff322bbfcf7f41f2132dd0d2cad

Download Submit
C:\Windows\SysWOW64\Paegjl32.exe

Filesize
398KB

MD5
76fb3cc4627e834a3b7c86e7c670dc1d

SHA1
1a8d29e387afc455a1e67baef620a122775390e5

SHA256
fb0df5d4aa38c6e0c50af1d6d2e2a3170ebfc04ff8b4bbdb597be8487f47e90a

SHA512
66b2e21ea6a6d9aa1a5977b6b85f2f258b1c5f87de64f5090ef199948bfb5e03374c5a7298868cc76662125c9325ed70bcde24f32411664a2f3479d58e9e167b

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
398KB

MD5
7b12032833f7deac920948d62539decd

SHA1
8855e7d42f75d6497b3a4c6221f72530bfdb51ec

SHA256
40a9faf61bfa13464cf09e80cfd2347668de42499274b3d343126f73d48115e4

SHA512
cf7040068defe20a6d086d7a3e341f6b44ead8c8788d73c2424aa2edffbe8b7846d9bdc55e4514376ba7a18f70b9a16e0d285e71dad94b423f9fcd50b335a708

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
398KB

MD5
8447e8cb67eca3942ce4c282d94b21aa

SHA1
45f6066be6b36eb80a8a2db288d79cc5da9e4217

SHA256
aa1bc835f8162bd8a1ce79b10afcb4de861c3697ee2fef2e5e29d726d8bcaf32

SHA512
e614d9a24f41424291feee6399c850beef89d8660cd732928174900cb34f8e6d78cf16b4a0f2a8ff33be9db4055b76a674610eb771a7310fd761bd144dafeb9b

Download Submit
C:\Windows\SysWOW64\Pkhoae32.exe

Filesize
398KB

MD5
d46c7570bbe94ea55faac61b84287e72

SHA1
4f5ec8a15e1448004b9f66c50a0353fc33c54859

SHA256
ac4c17f1bfc82f60b4b93e3ea11e5c81fcdd862fa69ce228f0c0eb9eb089fdb7

SHA512
75669f37acc34831d10b8331739cc036f60a66b8e4374ee4a7544e2e0f8b1161e4c871b62d955c38956f3da7e11ae747118e939e2c61274f21aa65fe7b1d0d4e

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
398KB

MD5
c4ece7ee69eacf4bca4df6b6843bd30d

SHA1
9fd4784f4ff3e236e3d09fc4f1e935b7289aad4b

SHA256
4b321770ee735d89ee69d97c7209939111fbbcc4b133179a92eab286b5eafcbb

SHA512
52364e3d05bbde90bd7ddf549930703cae6ad23892a8d98443107c0c4b5eb7f475d729c18ce15a59ed173a402a1933834d98fe7d0ae7cc47d1e8339d055d1fed

Download Submit
C:\Windows\SysWOW64\Qbgqio32.exe

Filesize
398KB

MD5
f895ed6fe4a057e2de7d8a6c9012358d

SHA1
795af2c594f838a480f74818194b84d3d236ba43

SHA256
5c6d3a113cf56d74211bb45712fc015155025000e2db90b7a2e315f9bbb46b54

SHA512
3e81696bc3ec88c3ef223496b61288280223a651dbd10505c8c2b2bcbc20738cfad52f55582547bbff455de3203ea0f3dece680d1c2f1857db379b3f8ad539f7

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
398KB

MD5
9f161595ba5e95fcc637408793d7ea53

SHA1
ac04f23d758301c60e77823e6b1211911e0a56fd

SHA256
4587ee5b39daf1b089bcc8ee460e804a8043c1183f3b692aadbd22bdd9976375

SHA512
471bc9978879acd18086a7e51e955c4a4d29a82a61429bc3c74c34bc3ca9e4018c29d40788eb4cd37783da1768df3305ebf264b54b74dca256d2e786c3d7f82f

Download Submit
C:\Windows\SysWOW64\Qgciaf32.exe

Filesize
398KB

MD5
e3e0435676c0fbf447a1908af1a6000b

SHA1
5e974f9ab899c97bf169c04b87247dc65e4a9154

SHA256
a1680179614378179d437821f00487a5ea6c139b3012e3a1a44608a30394b382

SHA512
1c24f717d22c81e643489fdbc42f41263f064b49c2ef57c5864447c5998bbbba645cb9bf49f1cbf4c2f6659507b9b616d939a053d8ef152eb0cb875825d4de7f

Download Submit
C:\Windows\SysWOW64\Qjpiha32.exe

Filesize
398KB

MD5
83497bbddd0ad727b4c31a975cd3b60e

SHA1
1712516522e3f9c4d8d1a58e21a6847fa0918000

SHA256
6ea5c10419aef1ca98c15a8bc2f0b7a266e8668028b496f59943dddbbce16220

SHA512
a6a3327132d7115767fa92711cb0b4ef8303cec33cd9b7acb438662085fec84db6bec5ef2e799fdb417b0735d1594eb877887cc0f309de93ad40cdbaef354863

Download Submit
memory/464-446-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/608-396-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/692-434-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/752-389-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/772-440-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/808-443-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/864-653-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1080-79-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1128-426-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1228-639-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1300-435-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1420-649-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1448-654-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1512-404-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1632-398-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1680-63-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1736-439-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1764-431-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1884-413-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1904-407-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2016-647-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2024-422-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2204-655-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2208-406-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2256-450-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2312-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2328-40-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2400-405-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2416-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2428-418-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2432-448-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2476-444-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2480-452-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2500-651-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2608-36-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2616-652-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-392-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2756-645-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2796-394-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2844-410-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3052-648-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3064-641-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3124-643-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3232-449-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3296-644-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3348-390-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3352-428-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3364-451-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3368-393-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3416-408-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3440-8-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3512-401-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3556-403-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3612-657-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3644-445-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3784-642-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3800-402-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3860-24-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3948-409-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4056-442-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4120-640-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4168-421-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4176-437-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4184-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4248-48-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4292-424-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4364-72-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4516-419-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4588-400-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4596-417-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4616-423-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4628-391-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4644-646-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4660-399-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4748-453-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4788-656-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4796-427-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4880-395-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4896-416-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4900-650-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4904-425-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4940-436-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5020-441-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5100-447-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5128-658-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5168-659-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5208-660-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5240-661-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5280-664-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5312-667-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5352-668-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5388-669-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5420-670-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5460-671-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5492-673-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5532-678-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads