0e1d54945b8026596322c4b5562c8d13d5e230b63ddbdcade46b049778ceb651

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe
Size

56KB
MD5

ce6566c61fbba4236203f203444e7890
SHA1

90cb186899992a81b49363a52e8a2976ede62747
SHA256

0e1d54945b8026596322c4b5562c8d13d5e230b63ddbdcade46b049778ceb651
SHA512

d8af1f2c54700458942ca216dd05dcde118cd0d619de8ac2fbbbd015df22c669f26cb81078325463bf45b0c3d58519129af8adbb9dd7d58a65a71d14b9cc4277
SSDEEP

1536:J0T7QBByI5lvCbo/oTogVo2oyRJoKoa4fKXQKprfGEIaDlfzd6sS9RCsK:J47QNrgML7PnbSXHprplDlf4esK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bifbbllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aackeqeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpedjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bifbbllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biiohl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cipehkcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boanecla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhlhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Domfgpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dllmfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpgqpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe

Executes dropped EXE 64 IoCs

pid	Process
452	Aackeqeb.exe
3960	Aikbfnfd.exe
60	Apekch32.exe
5052	Aogkoedl.exe
3616	Aeacko32.exe
2156	Ahppgjjl.exe
4068	Aojhdd32.exe
856	Aahdqp32.exe
3028	Aiolam32.exe
916	Bpidngil.exe
2172	Bakqfp32.exe
3264	Bibigmpl.exe
1892	Blpechop.exe
4584	Booaodnd.exe
932	Behiln32.exe
2380	Bidemmnj.exe
2672	Bpnnig32.exe
2000	Boanecla.exe
4628	Baojaoke.exe
1788	Bifbbllg.exe
3224	Bpqjofcd.exe
4480	Bbofkbbh.exe
4692	Biiohl32.exe
1920	Bpcgdfaa.exe
2368	Boegpc32.exe
1632	Beppmmoi.exe
4408	Chnlihnl.exe
4332	Cpedjf32.exe
2344	Cccpfa32.exe
4052	Cimhckeo.exe
2860	Cpgqpe32.exe
1212	Ccfmla32.exe
2684	Cipehkcl.exe
4732	Chbedh32.exe
2604	Cpjmee32.exe
2036	Cchiaqjm.exe
4492	Cefemliq.exe
4968	Chebighd.exe
2584	Cpljkdig.exe
1580	Ccjfgphj.exe
4444	Ceibclgn.exe
4452	Clckpf32.exe
872	Cpofpdgd.exe
1944	Ccmclp32.exe
1760	Cekohk32.exe
1652	Dhjkdg32.exe
1348	Dpacfd32.exe
4308	Dcopbp32.exe
1916	Denlnk32.exe
5084	Dhlhjf32.exe
4788	Dofpgqji.exe
536	Dadlclim.exe
2448	Djlddi32.exe
1656	Dljqpd32.exe
1160	Dohmlp32.exe
4920	Dagiil32.exe
3652	Djnaji32.exe
3808	Dllmfd32.exe
404	Dphifcoi.exe
4972	Dcfebonm.exe
1820	Dfdbojmq.exe
5092	Djpnohej.exe
1676	Dlojkddn.exe
1560	Domfgpca.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bbofkbbh.exe	Bpqjofcd.exe
File opened for modification	C:\Windows\SysWOW64\Dagiil32.exe	Dohmlp32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Dfdbojmq.exe	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Icgqggce.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Fjcclf32.exe	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Eqciba32.exe	Ejjqeg32.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Bpcgdfaa.exe	Biiohl32.exe
File opened for modification	C:\Windows\SysWOW64\Dakbckbe.exe	Domfgpca.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Bakqfp32.exe	Bpidngil.exe
File created	C:\Windows\SysWOW64\Djnaji32.exe	Dagiil32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Blpechop.exe	Bibigmpl.exe
File created	C:\Windows\SysWOW64\Lfmige32.dll	Dagiil32.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Domfgpca.exe	Dlojkddn.exe
File opened for modification	C:\Windows\SysWOW64\Himcoo32.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ggmlbfpm.dll	Domfgpca.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Ehekqe32.exe	Dakbckbe.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Bidemmnj.exe	Behiln32.exe
File created	C:\Windows\SysWOW64\Jpqikhah.dll	Cimhckeo.exe
File created	C:\Windows\SysWOW64\Cekohk32.exe	Ccmclp32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Oddojp32.dll	Aogkoedl.exe
File created	C:\Windows\SysWOW64\Aojhdd32.exe	Ahppgjjl.exe
File opened for modification	C:\Windows\SysWOW64\Baojaoke.exe	Boanecla.exe
File created	C:\Windows\SysWOW64\Eqciba32.exe	Ejjqeg32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Bpnnig32.exe	Bidemmnj.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Goiojk32.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Cdahgfpd.dll	Cpgqpe32.exe
File opened for modification	C:\Windows\SysWOW64\Dphifcoi.exe	Dllmfd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8720	8632	WerFault.exe	357

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dljqpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aikbfnfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpgqpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchiaqjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aahdqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpljkdig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkakml32.dll"	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cipehkcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcicn32.dll"	Blpechop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dllmfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djlddi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnhno32.dll"	Cipehkcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehekqe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpcgdfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmiambh.dll"	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpjmee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpjfn32.dll"	Baojaoke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bakqfp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 452	4416	ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe	83
PID 4416 wrote to memory of 452	4416	ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe	83
PID 4416 wrote to memory of 452	4416	ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe	83
PID 452 wrote to memory of 3960	452	Aackeqeb.exe	84
PID 452 wrote to memory of 3960	452	Aackeqeb.exe	84
PID 452 wrote to memory of 3960	452	Aackeqeb.exe	84
PID 3960 wrote to memory of 60	3960	Aikbfnfd.exe	85
PID 3960 wrote to memory of 60	3960	Aikbfnfd.exe	85
PID 3960 wrote to memory of 60	3960	Aikbfnfd.exe	85
PID 60 wrote to memory of 5052	60	Apekch32.exe	86
PID 60 wrote to memory of 5052	60	Apekch32.exe	86
PID 60 wrote to memory of 5052	60	Apekch32.exe	86
PID 5052 wrote to memory of 3616	5052	Aogkoedl.exe	87
PID 5052 wrote to memory of 3616	5052	Aogkoedl.exe	87
PID 5052 wrote to memory of 3616	5052	Aogkoedl.exe	87
PID 3616 wrote to memory of 2156	3616	Aeacko32.exe	88
PID 3616 wrote to memory of 2156	3616	Aeacko32.exe	88
PID 3616 wrote to memory of 2156	3616	Aeacko32.exe	88
PID 2156 wrote to memory of 4068	2156	Ahppgjjl.exe	89
PID 2156 wrote to memory of 4068	2156	Ahppgjjl.exe	89
PID 2156 wrote to memory of 4068	2156	Ahppgjjl.exe	89
PID 4068 wrote to memory of 856	4068	Aojhdd32.exe	90
PID 4068 wrote to memory of 856	4068	Aojhdd32.exe	90
PID 4068 wrote to memory of 856	4068	Aojhdd32.exe	90
PID 856 wrote to memory of 3028	856	Aahdqp32.exe	91
PID 856 wrote to memory of 3028	856	Aahdqp32.exe	91
PID 856 wrote to memory of 3028	856	Aahdqp32.exe	91
PID 3028 wrote to memory of 916	3028	Aiolam32.exe	92
PID 3028 wrote to memory of 916	3028	Aiolam32.exe	92
PID 3028 wrote to memory of 916	3028	Aiolam32.exe	92
PID 916 wrote to memory of 2172	916	Bpidngil.exe	93
PID 916 wrote to memory of 2172	916	Bpidngil.exe	93
PID 916 wrote to memory of 2172	916	Bpidngil.exe	93
PID 2172 wrote to memory of 3264	2172	Bakqfp32.exe	94
PID 2172 wrote to memory of 3264	2172	Bakqfp32.exe	94
PID 2172 wrote to memory of 3264	2172	Bakqfp32.exe	94
PID 3264 wrote to memory of 1892	3264	Bibigmpl.exe	95
PID 3264 wrote to memory of 1892	3264	Bibigmpl.exe	95
PID 3264 wrote to memory of 1892	3264	Bibigmpl.exe	95
PID 1892 wrote to memory of 4584	1892	Blpechop.exe	96
PID 1892 wrote to memory of 4584	1892	Blpechop.exe	96
PID 1892 wrote to memory of 4584	1892	Blpechop.exe	96
PID 4584 wrote to memory of 932	4584	Booaodnd.exe	97
PID 4584 wrote to memory of 932	4584	Booaodnd.exe	97
PID 4584 wrote to memory of 932	4584	Booaodnd.exe	97
PID 932 wrote to memory of 2380	932	Behiln32.exe	98
PID 932 wrote to memory of 2380	932	Behiln32.exe	98
PID 932 wrote to memory of 2380	932	Behiln32.exe	98
PID 2380 wrote to memory of 2672	2380	Bidemmnj.exe	99
PID 2380 wrote to memory of 2672	2380	Bidemmnj.exe	99
PID 2380 wrote to memory of 2672	2380	Bidemmnj.exe	99
PID 2672 wrote to memory of 2000	2672	Bpnnig32.exe	100
PID 2672 wrote to memory of 2000	2672	Bpnnig32.exe	100
PID 2672 wrote to memory of 2000	2672	Bpnnig32.exe	100
PID 2000 wrote to memory of 4628	2000	Boanecla.exe	102
PID 2000 wrote to memory of 4628	2000	Boanecla.exe	102
PID 2000 wrote to memory of 4628	2000	Boanecla.exe	102
PID 4628 wrote to memory of 1788	4628	Baojaoke.exe	103
PID 4628 wrote to memory of 1788	4628	Baojaoke.exe	103
PID 4628 wrote to memory of 1788	4628	Baojaoke.exe	103
PID 1788 wrote to memory of 3224	1788	Bifbbllg.exe	104
PID 1788 wrote to memory of 3224	1788	Bifbbllg.exe	104
PID 1788 wrote to memory of 3224	1788	Bifbbllg.exe	104
PID 3224 wrote to memory of 4480	3224	Bpqjofcd.exe	105

C:\Users\Admin\AppData\Local\Temp\ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ce6566c61fbba4236203f203444e7890_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\SysWOW64\Aackeqeb.exe
  C:\Windows\system32\Aackeqeb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\Aikbfnfd.exe
    C:\Windows\system32\Aikbfnfd.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Windows\SysWOW64\Apekch32.exe
      C:\Windows\system32\Apekch32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Windows\SysWOW64\Aogkoedl.exe
        
        C:\Windows\system32\Aogkoedl.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5052
      - C:\Windows\SysWOW64\Aeacko32.exe
        
        C:\Windows\system32\Aeacko32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Ahppgjjl.exe
        
        C:\Windows\system32\Ahppgjjl.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Aojhdd32.exe
        
        C:\Windows\system32\Aojhdd32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Aahdqp32.exe
        
        C:\Windows\system32\Aahdqp32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Aiolam32.exe
        
        C:\Windows\system32\Aiolam32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Bpidngil.exe
        
        C:\Windows\system32\Bpidngil.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Bakqfp32.exe
        
        C:\Windows\system32\Bakqfp32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Bibigmpl.exe
        
        C:\Windows\system32\Bibigmpl.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Blpechop.exe
        
        C:\Windows\system32\Blpechop.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Booaodnd.exe
        
        C:\Windows\system32\Booaodnd.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Behiln32.exe
        
        C:\Windows\system32\Behiln32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Bidemmnj.exe
        
        C:\Windows\system32\Bidemmnj.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Bpnnig32.exe
        
        C:\Windows\system32\Bpnnig32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Boanecla.exe
        
        C:\Windows\system32\Boanecla.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Baojaoke.exe
        
        C:\Windows\system32\Baojaoke.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Bifbbllg.exe
        
        C:\Windows\system32\Bifbbllg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Bpqjofcd.exe
        
        C:\Windows\system32\Bpqjofcd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        23⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Biiohl32.exe
        
        C:\Windows\system32\Biiohl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        26⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Beppmmoi.exe
        
        C:\Windows\system32\Beppmmoi.exe
        27⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\Chnlihnl.exe
        
        C:\Windows\system32\Chnlihnl.exe
        28⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        30⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Cpgqpe32.exe
        
        C:\Windows\system32\Cpgqpe32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        33⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Chbedh32.exe
        
        C:\Windows\system32\Chbedh32.exe
        35⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        38⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        39⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        41⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        42⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        43⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        44⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        46⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        48⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        49⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        50⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        52⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        53⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        58⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        60⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        62⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        63⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        66⤵
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        67⤵
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        68⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        69⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        70⤵
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        71⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        72⤵
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        73⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        74⤵
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        75⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        76⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        78⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4472
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3496
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        81⤵
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        82⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        83⤵
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        84⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        85⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        86⤵
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        87⤵
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        88⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        90⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        91⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        93⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        94⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        96⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5612
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        99⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        101⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        102⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        103⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        105⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        106⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        107⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        108⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        109⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        111⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        113⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        114⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        115⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        119⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        120⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        121⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        122⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        123⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        124⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        125⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        127⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        128⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        129⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        130⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        131⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        132⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        133⤵
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        134⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        135⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        137⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        138⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        140⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6180
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        142⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        145⤵
        Drops file in System32 directory
        
        PID:6360
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        146⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        147⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        149⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6608
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6688
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        153⤵
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        154⤵
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        155⤵
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6860
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        157⤵
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        158⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        159⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        160⤵
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        161⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        163⤵
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        164⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        165⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6536
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        168⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        169⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        170⤵
        Drops file in System32 directory
        
        PID:6764
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6912
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        173⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        175⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6308
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        178⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        179⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        180⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        181⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6892
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        183⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7128
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6356
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        186⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        187⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        188⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        189⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6408
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        191⤵
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        192⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        193⤵
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        194⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        195⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        196⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7192
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        198⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        199⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        200⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        201⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        202⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        203⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        204⤵
        Modifies registry class
        
        PID:7484
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        205⤵
        Drops file in System32 directory
        
        PID:7528
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        206⤵
        Modifies registry class
        
        PID:7572
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7616
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7660
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        209⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        210⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7792
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7844
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        213⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7928
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7976
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        216⤵
        Drops file in System32 directory
        
        PID:8020
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        217⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        218⤵
        Drops file in System32 directory
        
        PID:8096
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        219⤵
        Modifies registry class
        
        PID:8136
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        220⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7216
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        222⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7356
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7416
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7496
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        226⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        227⤵
        Drops file in System32 directory
        
        PID:7624
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        228⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7760
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7832
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7896
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7960
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        233⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        234⤵
        Drops file in System32 directory
        
        PID:8108
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        235⤵
        Modifies registry class
        
        PID:8172
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        236⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        237⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        238⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        239⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        240⤵
        Modifies registry class
        
        PID:7776
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        241⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        242⤵
        Modifies registry class
        
        PID:8016
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8124
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        244⤵
        Drops file in System32 directory
        
        PID:7184
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        245⤵
        Modifies registry class
        
        PID:7384
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        246⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        247⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        248⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        249⤵
        Modifies registry class
        
        PID:8144
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        250⤵
        Drops file in System32 directory
        
        PID:7344
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        251⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        252⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        253⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        254⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        255⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7408
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        256⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        257⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        258⤵
        Drops file in System32 directory
        
        PID:8232
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        259⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8320
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        261⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        262⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        263⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8468
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        264⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        265⤵
        Drops file in System32 directory
        
        PID:8544
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        266⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        267⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8632 -s 400
        268⤵
        Program crash
        
        PID:8720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8632 -ip 8632
1⤵
PID:8692

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:7836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aackeqeb.exe

Filesize
56KB

MD5
9567ca05e1669d052384fa504aaf7f8e

SHA1
31c9ec57d21e8b23ac14067d979c222714fa0dd9

SHA256
9156724dc9f70be2f440b3f09e171066e7ece65ba341eaaa3756ed5e4aad777a

SHA512
7e81e2c6a0dc01b2fe8df53659bc680f7040124a91908ea2bc9bdaf69c580fc643b4f489b4e49b2127b4aa4755f0d8cc95b1dae0f757acc7b89219054eb68e84

Download Submit
C:\Windows\SysWOW64\Aahdqp32.exe

Filesize
56KB

MD5
7d29f49c06548659d461b4fac0e29037

SHA1
4499afae8cf59a12ca8d0caf57c7609c8fc0fb60

SHA256
ce531de65b97dfb918e0d692606c428d3d0cccd882a6a5736fc981982227c9d0

SHA512
6f54848dfe6f4553763960ddf5f14641b8eb05284765106c83f806ee5b98a477373ddfeb823a476e11c838d6145d62f60a82702e0bb2732323243b1abf90dc16

Download Submit
C:\Windows\SysWOW64\Aeacko32.exe

Filesize
56KB

MD5
1d3449f07c5d729356c5bd6b8074971e

SHA1
24623e5235aa328fbb50101ccced2c88446659b9

SHA256
d3b46d7c1ac72b6d383996678bf372a45f6c91671c40d004f8302594e2cd018a

SHA512
d4d00185807cf201c96905a2ba9ca761df30a2ab57da2be82840b30b57e5dae83a2421dcac37d9557255735232e1ba9fa3af1e5d36040e465ae2284be7d44539

Download Submit
C:\Windows\SysWOW64\Ahppgjjl.exe

Filesize
56KB

MD5
1f481f120ac3ebafe23e282a2aaf11a2

SHA1
039658dc34de61032544948bdaec808e7fe35dfd

SHA256
72bf1c068cc359270a58f635128f6885b4ddbd1dcee83ffca41ed7cd816738ea

SHA512
ccd1e7c9ea73c99fa26395f9d59a4012d1be7d63cf554cfd804aa0cae0891e5ff989fe4e3028f7ae89da1ecc5fbb6be347a915b16a569fbc35a1a4b43bf20779

Download Submit
C:\Windows\SysWOW64\Aikbfnfd.exe

Filesize
56KB

MD5
79abf502293324e647813fa901c8f5c3

SHA1
0f841dc26e41d6fb076494e2f36d41f421a1b136

SHA256
71d45f60265e578459af63e4f9e847d40feaa69978ca1985f88d613153121285

SHA512
43d3954406cb178d12a9f2311272e4cfe14a20565b723e7e0ba5041674e7d729d14e52adc7cfaa854b583afe9eb88f131c9f7572a59033eb1d7386936b0b6b06

Download Submit
C:\Windows\SysWOW64\Aiolam32.exe

Filesize
56KB

MD5
cd3d0a0c4fa97e275cd5b210edb57148

SHA1
b79a603aec3ef08012cd6e311897c34b883275f8

SHA256
8f172b743a9b287863d06392c857f18d72e56d17fa3ee8369884857e6bcd3033

SHA512
a25e1debae01059688761dd44fe2a74bf4b0faae505b77671ec6ae3d106eda9b56d79dec9769e182483e8629d334e3c5ffa4041f48faee47046a25c3d243b066

Download Submit
C:\Windows\SysWOW64\Aogkoedl.exe

Filesize
56KB

MD5
7f1edfa38913e2a198d58377d3c4e385

SHA1
be2ea64b8dba7ee258ad09e2075bf1b10a60acd0

SHA256
06d490863c08e22c559ad05669026fe6aa6f37c0a4801caf20c10b9b4d0a40e6

SHA512
b989013fc9c553c39af4e1d654d237e38544a4a2f7d21b36b824cc2dd9ac7f1debed8c8c1e5c5b6c34f57f2699eafab80e79947bee7cdb1980de772ebcc1c75b

Download Submit
C:\Windows\SysWOW64\Aojhdd32.exe

Filesize
56KB

MD5
cbc026d4cb515484aaa703a241b36cd3

SHA1
56be0af8d779f7e360df30ce907bb2443dcbf4a7

SHA256
34006de36481396689ab60660f24f4affe829282b8d900706e5b8ab07887a3d0

SHA512
9b51ef9304a1d44fa61818d207deded9164434c852e9aa751b12ea6ad680daa809c5937a6ff3b82d6722e551711d0c785063a2b900f268759e0a48871ff69702

Download Submit
C:\Windows\SysWOW64\Apekch32.exe

Filesize
56KB

MD5
a777aa77520b6bcba1d358fd8679da39

SHA1
9932be319879388b2a491344336b926d215791ca

SHA256
1b823a6c93499ba43dfe8d3309db7b6065692b800c3f9d9192c8026fe442f933

SHA512
1d94aa4e8efdf515473e08513e4aa1b99eca3052cfce322904434b04612580472d9fc931a3951120d8efa77f047dd74453cf852f2f30a3649134389e85b1cd9f

Download Submit
C:\Windows\SysWOW64\Bakqfp32.exe

Filesize
56KB

MD5
aa83cbbd87c23154941cdbc5798ba9b0

SHA1
1c330ba12b4279bc7f5fd263a12aa3009d25c0ed

SHA256
3b853cfa41b2978e7cd04be9463ef3bcbf69e36a335f2ebc291335b90b0cd4be

SHA512
54b694b4870ffa7e56c84723d52ef9bd9cd47a270cdbe91ea8abb526a90816fc07a8843e9d1d6f3a7f8f1e09ce7d834cfdb489650635af8c956c32744e1a0dc0

Download Submit
C:\Windows\SysWOW64\Baojaoke.exe

Filesize
56KB

MD5
57ce6dd6a6b5529cf314a9b004f05a89

SHA1
90a507abf74483d95aebe1fada134fdd64547baa

SHA256
8d2c7ab739b2fa1c1c379ac636ac827a41a09ce16c52867101316b513eb27a72

SHA512
ac3fb873b6dc1c8f94fbb1e821ff6f90995a8bd120ace36830f1a4f6b84519122beb866166152dde2720ae0137bc4bbc3cd450bfcacf171027f6a7acacb7e1a5

Download Submit
C:\Windows\SysWOW64\Bbofkbbh.exe

Filesize
56KB

MD5
19a2acfa15f168bde3c44c3c1fead2aa

SHA1
ac264614f26363fccd13818f7e09f0533ced5716

SHA256
37e0fedb20fc223ed8cc07b85f18e254e743259abe3e9416749f45bdc946c182

SHA512
8999cd2424e88fcc88ee283e70932b85fa97817949a805488966f5b9bbf83eef8d82385a47ede2e0234c43a1b473dcdcccbc157a23ddb5181c66a4664de1b323

Download Submit
C:\Windows\SysWOW64\Behiln32.exe

Filesize
56KB

MD5
6acb0a6e21d7fe3d8b5ea122a72cd020

SHA1
0708d8db42673caeb551cd40e08aa344d90b8f81

SHA256
aa7052579f8605ce5e1028f204ea2550f320d6b48ee6770530b9c05e51e9844c

SHA512
c4e85599151483c91fe6a7dc6425a52bb373d9ef8275750e73b01f495d6f5883910a9058b34eb426b38d134b7fdc71f7797d6b78ec2af70b9202a995d7ed5bf9

Download Submit
C:\Windows\SysWOW64\Beppmmoi.exe

Filesize
56KB

MD5
ab7be169a145fa3da43f0681f5ad10d0

SHA1
20f7f9fd9076d3157e86f00551803381283a90a4

SHA256
33f53e5958cc4b573f76cca75792c623091ef6c2fbf6fb38278fc90709cf18eb

SHA512
03691b16c49d41b88768cd9b642372bf4855503014242981e80c39eab41fa613626db6461bd05e6f24d6d8e0a9807f5cf342e6143535d8847ce30150ef1f0d6e

Download Submit
C:\Windows\SysWOW64\Bibigmpl.exe

Filesize
56KB

MD5
0a336319d9c05a402f9a8edc128b5848

SHA1
757b67eea363eb587131519580508a925031c072

SHA256
d7a0a1a3e9a096b217b6a49a3d248fdcac101f3bd4a749aec6fed2599e837637

SHA512
1c9341085b8668a86b6a821bf1e374296e953a9e8c3d93e7b7cf6c418a03f35a8c91236769235a418f58bd9099bc80d2059d1c90a136599630143de13d491e27

Download Submit
C:\Windows\SysWOW64\Bidemmnj.exe

Filesize
56KB

MD5
1eb235955497b501f018bb2b2e3a9f1b

SHA1
8a97fd73de7af534c74e0e5058da58ef6f98f18e

SHA256
2965ab9978ef21162784b574d1f1ce367ec9a8317af6ea6efbd7a61bc49b9c4c

SHA512
7ce66bd8db464d916ddf45465e88e16467c479c3d66aa0ea09f11c073b5c2c67ead8e4ec91ae4f6ce2701f24152fd53fb94d7d7504cbc7105a2ad63ccb194886

Download Submit
C:\Windows\SysWOW64\Bifbbllg.exe

Filesize
56KB

MD5
7e0b0fba273ac593f65dde903011e27a

SHA1
8946ba5f3f71b9e52072ab1b247aed97718ebdca

SHA256
6d302b81ff486cb173c067fc9b10f3ffe45d0d998d121171de0587623b984e40

SHA512
e134ff21a011b2b53c43934289aaef9026ae2fbd876a2685f9b82fc97dbc4b4bf18a6bfdc311d13aae01b3e86a3d723eb5e969f2e72dee538d0e3f9eea3cc164

Download Submit
C:\Windows\SysWOW64\Biiohl32.exe

Filesize
56KB

MD5
d29d9569b1845731d838a59665f9cec9

SHA1
a436b4656f5e85f850c71a4c68bf35200be18f05

SHA256
bea911bca2e9596d658313aca569009a86b9e8820b864efff1e6d7c3a087c578

SHA512
6f52a409a00ce0832410c109438a45b0d4a8e0b8277d6644590e1494c5726a071fc309c559f3d03a87e535d92985b52a17ffb43af6c1de5d2ece75721a7cbb3b

Download Submit
C:\Windows\SysWOW64\Blpechop.exe

Filesize
56KB

MD5
f36db910bbb9ede0d01d3948ff6a9fed

SHA1
7db82c6615e8e586a2b854d34dce82b76346fb61

SHA256
e9ed9f48f441e1f54bed5a48c70ab68757fda008bbff8fff5e430eaa09cc56b5

SHA512
331441c946bc54edb0901a7c56f0326e9ea88fdbc15ff069a7ae98505821465f22c9407d88ed7b2635eb871b375d5fe8e9f81d82e392e91f0a0a1ee65c56dae1

Download Submit
C:\Windows\SysWOW64\Boanecla.exe

Filesize
56KB

MD5
d5c293460670d4893e054ad107687f76

SHA1
46fd5ae048b921ced1d67494cfb06f30b7528d5c

SHA256
e8b0cba99c178411bd20b7f03b6398d4996c96604d5325e3f8c143f7886c4593

SHA512
01c0bec8ca19b330b8db16b9e528c7e0293ade8741d88351bd216e4b91275c4487f16392e1094d0483fc47c5ad08719183dc539893e7d909e52537fc4b8bcc77

Download Submit
C:\Windows\SysWOW64\Boegpc32.exe

Filesize
56KB

MD5
0148657b1057ab2c46d64f66f0529967

SHA1
edbd684eeae0514b07859cc8c8dcddc13d89a68b

SHA256
78a7c963ed866911881a13a3ae4bf19a2d0fc62db1087613a93abbab96c22d84

SHA512
aec8b651dd2d8ad6d2bdf3600284793b132d0766cc7c4bf63c639ffaa90ef6667fb22505c18877e827e0b4b5920a14089740c57e72d9f18929c45156c86d3c0b

Download Submit
C:\Windows\SysWOW64\Booaodnd.exe

Filesize
56KB

MD5
fc4ec64339e2b13ca44265f6dbcad5ef

SHA1
3aa99343868954f6d372e2500529d9629cc06dc6

SHA256
b245e4b63fd576d8eb39f2292d1ad98a690716049927c79c3eab12b706b29d96

SHA512
271414ab57b21ece8061ccb254b961e50330a7c091e8b95eeafe848b1fed1332d9938e95637110e495fa3e4f910bf7738bfc80510be4d4b5bf618911fafead31

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
56KB

MD5
f7421bd9b7e56ed553a0f1e1c4808aa4

SHA1
86bce432515833552cae483c28740544d79d9dd8

SHA256
cccb646bbb98d808f91cfe03d1d4e7b1ca73093aa6a60d2fb7d3befb64b9cc5c

SHA512
2bf23751003b284be3f7fc52b8adb8d8e5a36ee8a18572807cc99d1a5a79a02cfdfa13b400b648be9d7c397cdf9bd597f60207cf3ff5600fa7d55fa34291dec8

Download Submit
C:\Windows\SysWOW64\Bpidngil.exe

Filesize
56KB

MD5
b9a334c9c5f5a31abd2be7b482cf8d16

SHA1
94aaa8c44fd1963af94849afd1bcaae5df1314ac

SHA256
1644f108c0daa877bcf30bfc9e2ba3654e2650d4046399ea85ee48f597679455

SHA512
5d4077031568c672c4e36e51fb21e2c8773ae4c92a4307cf953baca3d48c60910c1e671f9f63c0be03f5d9cbc5e475511958cd867270bde5d06a5afbe08c8308

Download Submit
C:\Windows\SysWOW64\Bpnnig32.exe

Filesize
56KB

MD5
230e18d1de8da97e18427c581ea76a87

SHA1
5dc60f0ca55ab925f43c68adf4000b3df87b57f0

SHA256
4e0b067180abb0a7f5d352424bcd8b9a441b3dc8510c107457e2cafb6cf068d9

SHA512
c10e49cdd877ae41c56ba2cb852bef6dd63c423dda222ecf876d894103321b2e92a5e7577b57967b13f9d574a48dca3d3e12aa1b9b92a68c6183b7c4f2841d25

Download Submit
C:\Windows\SysWOW64\Bpqjofcd.exe

Filesize
56KB

MD5
363d504d0448dc7e9c05ffa82d202c7f

SHA1
b9e8a52097b82203c1d3f7637aab6a5c251c09b9

SHA256
51a38393658fd3cc0253a8fd5bcdf52507b41702923038c2ebc36e2a5ef9c0af

SHA512
d4ece861988ca4c120b4e6b3cedf170c4cc58d477cd6034aa52241196dbe9c45505aacf50f13f3e5081722fc5476b4616a22f1a82326b919e19b151bb2a49e16

Download Submit
C:\Windows\SysWOW64\Cccpfa32.exe

Filesize
56KB

MD5
9ce10700baa45f7a8e688884082bdacb

SHA1
060129701ad33dbd47619c7481a700cd9f50ec5a

SHA256
c9c1f86e4b5801153dd41be42357ecbaef35190af42afddf76e9c3f8d5bd46de

SHA512
c6eae98c69f71730b92b93de5e975b4704575453093f68c8db9beaff79911a2cffd0d178bd869e71f1d6168721814f69c8703bb5a44dd5a4070e8b4fb7c27b90

Download Submit
C:\Windows\SysWOW64\Ccfmla32.exe

Filesize
56KB

MD5
19ba7c35c672ed255dfb4d87d9e8f3c2

SHA1
735b1be383d596f5e8e56ed31430bf57acd7fbb5

SHA256
2ffb6f01508e5db75e6c64ebd0cc5a14f965d113814b7b48b50398fae9919367

SHA512
2c6d5e5d34de685bf6ead2e201c259593af4183fe6487585ebafc6765ca8baed371b94ebeb527fd13a63300f9b46a197e65fc7f3cd619d4787e548692b8083f5

Download Submit
C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
56KB

MD5
c6aeec0dd846ae25176e8f3865d52e67

SHA1
25169b467ef0c3a284d18400e7c25d778782496f

SHA256
c4a5f80768f76be38225b7143fc4e1e2c943bb2227f18fbfd8ff9a1156134e74

SHA512
1b30d2538002e773cb28f756238da9f95a98de3a9705a44d263c3501feb83b29dddee4467870e63c31eacdb7df05af60bb3037feb76a2b9b197720b2ee415e0a

Download Submit
C:\Windows\SysWOW64\Chnlihnl.exe

Filesize
56KB

MD5
c66aed72e790c0bd36040e60a3b6902b

SHA1
3c41db12119a7462241a59801149b8e7d428e1cd

SHA256
da8c83a73c1a0dcb95b7258efb1631dc41208858040c07e81ca75227f2896624

SHA512
2d9a67982e13cffc3e9e56d53481085d52114945569a8ca42ae6ee42269a5f78ce29ce7a355876cb0617655cefcfc4fcae4d3fd3a78af2fc974ed3f8af18f4ec

Download Submit
C:\Windows\SysWOW64\Cimhckeo.exe

Filesize
56KB

MD5
0b9a19945eb2995cd39460c378303198

SHA1
53894fc6ab81ef44db88262eacdc697ba0dd8120

SHA256
022c66550bb302948dc1b162dbf218198f553bd138941351aad61e9b92cd77e7

SHA512
cb4a5a7075c13b4ff1f054061af8b44791b2e584e0ac573d6b82ab1e88b68138645aa17c94e696b83810b8ab74a1843256140c6a57eeaa6ab6ef7448251e4f40

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
56KB

MD5
82b780fcc1b2a8cc9b323f5373d65a98

SHA1
c12700b3422b31c74d8346eb62980b7cebb5d3d4

SHA256
ec226cef030387f2b4b8814441731203870cdc3606903adfb94702061e183437

SHA512
5bc64856e78dd3c8cfbdb0ad07f0a95d5b31275e7ca683fdcb0c6249a7f1824c16e62eb5fbafe417e6bab4ae6182539b9db04149780f03e8b568d218761d4618

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
56KB

MD5
6b667e61dffe8d2e965e129083971746

SHA1
4eb2b5f3c79a44be2269248467305697cda3a2f7

SHA256
5cbe1f32866ddec6b98f6642dd18f5526d63832f26b4a76ebbd77aff309a5610

SHA512
e7e6a5175fbbae5759def65a220047cb62d0e41af37a8f4d581e1c7e785853accd74f687dc6dbb6c16f6294e93296d30f2ae3c46317b6d0d27d191cc6fcdc660

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
56KB

MD5
fce1241fa51b69efcbed67b803b5bd0d

SHA1
5377612c62cce0f0c998b08a9b0134c14b564a19

SHA256
06187952219c47512cb960a47c1509ff4219598182e07f2adc8f56eb6a80fb84

SHA512
062a3cd27c2f918f737eae6615615b1c10672556cfa026e979cf1f288668cc26da16bf56c8dfa9d293ea3a178b3f40aae97db827f9be3d156093dc1937dcabef

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
56KB

MD5
9fcde08a5c58cd7671ee5b3703353d9e

SHA1
64774a1c7f01a869e8aa3b7841704c7288ae8497

SHA256
68b3900c2ff9be01e10d2da8a5f7a34ad323a8acd48bb0f4c4f29ab11b2ccd96

SHA512
57f3528f88f2199e55a2a1c63a225f9d06f3eff020c8b85891b537bc50ea22b17a4e1239ecb50eea534fa564ae38b93548d7f597a167c35997186b299288380f

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
56KB

MD5
f37e3847ba95a8d678b3926d8b6c62a4

SHA1
b28501e8df8b4b1f436995760b94dddcf4afe4d9

SHA256
ec0a81c7bb66ac33a0ce33038984210bd7e542a847c2b41b0abcc7dc466fcf4a

SHA512
f7291f362589cf5d7bdf3f745cc99fb4316565f6256c52223996ecb82c41eaefeaa7613779550d7a917e884dcd30debfd2f3fb772879f18ee43c2f39baa70054

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
56KB

MD5
a97e25282dce84aab4f4a112c7ba45e4

SHA1
ed8e09d3499c0b9acb824fe255408097b1a67225

SHA256
368730d47ec3aa23504a08a88a3a71fbcd51704476d69ed2edbc7547659ec56f

SHA512
08c23dae3bcfd4bc89e3762d46a535a71018691457b3c1678a4f3f2c8837252610efb0b16e80f4d85a21b4c58785d286c1a1eb5cff14e618f20cac68d53617f0

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
56KB

MD5
ffcae27bf23f9386c97dff7ca56e8d0c

SHA1
e6399c8db5dd866618b97f8f00048e2e09de4402

SHA256
6dcdcc7f204047ba3a94f24ac8d0d5cbe19eab8f65b244ea4db4d010bb113de9

SHA512
d4bf65315b5991f44e0c9ff7a700c920a7e5b963e7bbcf209fe3a817f72bd7192fe7555d308c5b2c69a69c5d0d60ef62a339dec5f375a1c7a8068a1532acd266

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
56KB

MD5
6b3d44500a8480f6143179bff89c5f1c

SHA1
ed771836d191495da31b4076c6f18f7e399eabf2

SHA256
adc2c16cc9dae289024c751bf3b65470c9b824a9cb53946c121578166c62e3df

SHA512
62daf99002aed940a5afa5a9946bc2c91dc1a95bdaefcbe23a6852ba537e6891d8d67c9e8eb2d3ff64f0b32afe5190571cae63a018659b7fa7d2b81278d87e6a

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
56KB

MD5
d624f9256851ec9d603acdd6b7f2b8de

SHA1
6dd2bfbec87d06c44140a2c77dd8fc14c507a065

SHA256
3d13db0bcb5f4260f9fc562dcf85aac84eafeddc72951ec2accdbc925f41bc7f

SHA512
633cb343f4a470c1fb053ad22c37e5988da0379d66342534450c4e1aa6e220a1a1d71cb16fcb96333641ae26720a890b956f131d566fb2db52fb9cca2ef444c3

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
56KB

MD5
c9568b5b840f4d1cfc9f4a04ee51e6fb

SHA1
25d6b2d1d16baa78a1a5cfd70daca360e4bf1ddb

SHA256
94264b08762e7786885ebddf6b327d8cfcb9e438755881870102c1cd4b710e8d

SHA512
2f15784fad17c029684cc8be1ca4f9d615996e25ed36698263942124a6080e450fcf5f34eaaa99dc1a52a181bf0ad72f3426ad6fec2f576539e6a3ea38571a74

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
56KB

MD5
42cf2d694e3b0fea1291770c9f76b9dc

SHA1
d23b296bef5237925a7228d5e33d871543571826

SHA256
0eaf9f29f85ee01eb63bf075cad2a8eed1bfc84e846853c05fdbc1fd44d17e7e

SHA512
71a2208799ad6c212efd8fac922653bb0eb1cd1479d0847e8f62f0a9dd7d7db4fa203cbb655e72a08313028cd08fdd30b38c058c9430115144142fe5b7289985

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
56KB

MD5
237d07fae2384577fc6695f0c44ea790

SHA1
2f0784309e4218970c8cde7dc8bfb466e43ded3b

SHA256
86203f3a858919ccfc6cde76ed1447bbf08f28a061416a78763d8ae1a535c86a

SHA512
68f11d04cb2ef8cbac08ea2c242a8432eca9951fab69370465111297a2162b35c5f28d543e75cf3fadd6230b576519b9c1aa6d8669285d0cbf3e6bc45e1219d4

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
56KB

MD5
47f11c80be94d32033ffcbd99bb895a2

SHA1
389ac62f14608574a572bd7fc3f3f17b6c666b47

SHA256
3a222c484cb58a0dec70ceb39eef9425894d966de35395522d0be5243225e945

SHA512
a13a18a82d44780d8f55b3ee51585209ed19dafc5b479ccf694357b3e6a86ac216407da728283636f3fd72e3e47c102c4bd4311897b790ca5b099d79eff44918

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
56KB

MD5
5cff474b0472a64856ec2d3f89ce5a59

SHA1
b81727386ee821775c5aeb7b2694d932d27e2d1d

SHA256
2d6349e15758db148349bea6c5473af60074194c19cde0aff1e5e4b3f8b66a7f

SHA512
cf38300dfc45935040f55d49986ca6b0226f5b2143872872eb28eaccba039630da60a2d56a3ae61e0bb15f857c4f99d1726e78ed3ae70cec4b3faf9511dd1423

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
56KB

MD5
a188e413070ec106836d2fc2e634216a

SHA1
d3a7aca6a175024aa75c52333c1c968ba0d08664

SHA256
067c80a3328ca4ab14a66abfb59fbd27d585981f4a337d616b12ccc6dcba5af5

SHA512
b954837b9ab49152929b6d4e00fa57318541ef7e6b7d5ae897c7d854d3a4ced107c73fc57761552a28da92ae0a6c986e21a79f80510042430dae90a35637c640

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
56KB

MD5
5b9b66d540cdd4866fd0e9bb70962326

SHA1
6287090d6ba3d888d04174ad06f2e92d576f9932

SHA256
414c92900caddf25471d48d67c5b98cd68f3bbb1a5d6bf9afa8142dd17285716

SHA512
e526bff72c8b1ca8c1b6840e58bb0f1a4754903ea09a4ac075bd75dab55ee0b0f135f49d04e78edf798fdc53a7ba23a39f724a0b62bb92c7a4b9b5e618d01c5d

Download Submit
memory/60-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-596-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3808-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4416-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5168-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7896-1842-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7928-1866-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads