992c80afde08bda9ed8059ca7e209c0817600657957a43e35950747f3e41b57c

Analysis

max time kernel
137s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abaf9d77c56a3d585c47b84c7b4492a0_NeikiAnalytics.exe
Size

128KB
MD5

abaf9d77c56a3d585c47b84c7b4492a0
SHA1

639275e5e6457cd05ec368ffd2e218d871759e8c
SHA256

992c80afde08bda9ed8059ca7e209c0817600657957a43e35950747f3e41b57c
SHA512

69a36578dd3392f7f67387704cadf18d1ad386225ab9aab5ea625f1cb8f1097ae5432b477fffb92f8f9524633b050b5ad0f1ed0c59359383620db423cee274ca
SSDEEP

3072:YSmvPAg+3tuLgTEGS2UpLXG7BtN3FfwQ9bGCmBJFWpoPSkGF:Gv+/sib3FfN9bGCKJFt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpofpdgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphifcoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dohmlp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fokbim32.exe

Executes dropped EXE 64 IoCs

pid	Process
4412	Chebighd.exe
2064	Coojfa32.exe
744	Ccjfgphj.exe
840	Ceibclgn.exe
920	Cidncj32.exe
1016	Chgoogfa.exe
4040	Cpofpdgd.exe
4676	Coagla32.exe
452	Capchmmb.exe
1316	Digkijmd.exe
1532	Dlegeemh.exe
3036	Doccaall.exe
412	Dcopbp32.exe
4416	Diihojkb.exe
3320	Dhlhjf32.exe
4432	Dlgdkeje.exe
1464	Dofpgqji.exe
2404	Dadlclim.exe
2636	Djlddi32.exe
2372	Dljqpd32.exe
4580	Dpemacql.exe
3712	Dohmlp32.exe
4744	Debeijoc.exe
1804	Dhqaefng.exe
3092	Dllmfd32.exe
1944	Dphifcoi.exe
4056	Dcfebonm.exe
4780	Dfdbojmq.exe
3720	Dhcnke32.exe
2924	Dpjflb32.exe
4280	Domfgpca.exe
4656	Dakbckbe.exe
1176	Efgodj32.exe
2088	Ehekqe32.exe
4752	Elagacbk.exe
3876	Eoocmoao.exe
876	Eckonn32.exe
4072	Ebnoikqb.exe
5108	Ejegjh32.exe
3552	Ehhgfdho.exe
4060	Elccfc32.exe
5068	Epopgbia.exe
3716	Eoapbo32.exe
3708	Ebploj32.exe
4604	Eflhoigi.exe
1808	Ejgdpg32.exe
4344	Eleplc32.exe
1700	Eodlho32.exe
1720	Ecphimfb.exe
2052	Ebbidj32.exe
3308	Ejjqeg32.exe
4648	Ehlaaddj.exe
1992	Eqciba32.exe
2540	Eofinnkf.exe
3660	Efpajh32.exe
2940	Ehonfc32.exe
4064	Emjjgbjp.exe
2348	Eoifcnid.exe
1124	Fbgbpihg.exe
3508	Ffbnph32.exe
2096	Fhajlc32.exe
2528	Fmmfmbhn.exe
4444	Fqhbmqqg.exe
1872	Fokbim32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fbllkh32.exe	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Fbqefhpm.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Capchmmb.exe	Coagla32.exe
File created	C:\Windows\SysWOW64\Eofinnkf.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Ffekegon.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fopldmcl.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Eckonn32.exe	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Dcfebonm.exe	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Eqciba32.exe	Ehlaaddj.exe
File opened for modification	C:\Windows\SysWOW64\Dpemacql.exe	Dljqpd32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Dofpgqji.exe	Dlgdkeje.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Dfdbojmq.exe	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Ebploj32.exe	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Ficgacna.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Ebnoikqb.exe	Eckonn32.exe
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Hfdcbdnc.dll	Eflhoigi.exe
File opened for modification	C:\Windows\SysWOW64\Dhcnke32.exe	Dfdbojmq.exe
File created	C:\Windows\SysWOW64\Efgodj32.exe	Dakbckbe.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ecphimfb.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Gmggiogn.dll	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Dadlclim.exe	Dofpgqji.exe
File created	C:\Windows\SysWOW64\Dkfpkkqa.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Ceibclgn.exe	Ccjfgphj.exe
File opened for modification	C:\Windows\SysWOW64\Digkijmd.exe	Capchmmb.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7920	7600	WerFault.exe	351

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibpam32.dll"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddfpk32.dll"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlqig32.dll"	Dofpgqji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dohmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbehnol.dll"	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpofpdgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dljqpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddomph32.dll"	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihpfl32.dll"	Eodlho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Capchmmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbep32.dll"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbopfj32.dll"	Debeijoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacdmi32.dll"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 4412	968	abaf9d77c56a3d585c47b84c7b4492a0_NeikiAnalytics.exe	82
PID 968 wrote to memory of 4412	968	abaf9d77c56a3d585c47b84c7b4492a0_NeikiAnalytics.exe	82
PID 968 wrote to memory of 4412	968	abaf9d77c56a3d585c47b84c7b4492a0_NeikiAnalytics.exe	82
PID 4412 wrote to memory of 2064	4412	Chebighd.exe	83
PID 4412 wrote to memory of 2064	4412	Chebighd.exe	83
PID 4412 wrote to memory of 2064	4412	Chebighd.exe	83
PID 2064 wrote to memory of 744	2064	Coojfa32.exe	84
PID 2064 wrote to memory of 744	2064	Coojfa32.exe	84
PID 2064 wrote to memory of 744	2064	Coojfa32.exe	84
PID 744 wrote to memory of 840	744	Ccjfgphj.exe	85
PID 744 wrote to memory of 840	744	Ccjfgphj.exe	85
PID 744 wrote to memory of 840	744	Ccjfgphj.exe	85
PID 840 wrote to memory of 920	840	Ceibclgn.exe	86
PID 840 wrote to memory of 920	840	Ceibclgn.exe	86
PID 840 wrote to memory of 920	840	Ceibclgn.exe	86
PID 920 wrote to memory of 1016	920	Cidncj32.exe	87
PID 920 wrote to memory of 1016	920	Cidncj32.exe	87
PID 920 wrote to memory of 1016	920	Cidncj32.exe	87
PID 1016 wrote to memory of 4040	1016	Chgoogfa.exe	88
PID 1016 wrote to memory of 4040	1016	Chgoogfa.exe	88
PID 1016 wrote to memory of 4040	1016	Chgoogfa.exe	88
PID 4040 wrote to memory of 4676	4040	Cpofpdgd.exe	89
PID 4040 wrote to memory of 4676	4040	Cpofpdgd.exe	89
PID 4040 wrote to memory of 4676	4040	Cpofpdgd.exe	89
PID 4676 wrote to memory of 452	4676	Coagla32.exe	90
PID 4676 wrote to memory of 452	4676	Coagla32.exe	90
PID 4676 wrote to memory of 452	4676	Coagla32.exe	90
PID 452 wrote to memory of 1316	452	Capchmmb.exe	91
PID 452 wrote to memory of 1316	452	Capchmmb.exe	91
PID 452 wrote to memory of 1316	452	Capchmmb.exe	91
PID 1316 wrote to memory of 1532	1316	Digkijmd.exe	92
PID 1316 wrote to memory of 1532	1316	Digkijmd.exe	92
PID 1316 wrote to memory of 1532	1316	Digkijmd.exe	92
PID 1532 wrote to memory of 3036	1532	Dlegeemh.exe	93
PID 1532 wrote to memory of 3036	1532	Dlegeemh.exe	93
PID 1532 wrote to memory of 3036	1532	Dlegeemh.exe	93
PID 3036 wrote to memory of 412	3036	Doccaall.exe	94
PID 3036 wrote to memory of 412	3036	Doccaall.exe	94
PID 3036 wrote to memory of 412	3036	Doccaall.exe	94
PID 412 wrote to memory of 4416	412	Dcopbp32.exe	95
PID 412 wrote to memory of 4416	412	Dcopbp32.exe	95
PID 412 wrote to memory of 4416	412	Dcopbp32.exe	95
PID 4416 wrote to memory of 3320	4416	Diihojkb.exe	97
PID 4416 wrote to memory of 3320	4416	Diihojkb.exe	97
PID 4416 wrote to memory of 3320	4416	Diihojkb.exe	97
PID 3320 wrote to memory of 4432	3320	Dhlhjf32.exe	98
PID 3320 wrote to memory of 4432	3320	Dhlhjf32.exe	98
PID 3320 wrote to memory of 4432	3320	Dhlhjf32.exe	98
PID 4432 wrote to memory of 1464	4432	Dlgdkeje.exe	99
PID 4432 wrote to memory of 1464	4432	Dlgdkeje.exe	99
PID 4432 wrote to memory of 1464	4432	Dlgdkeje.exe	99
PID 1464 wrote to memory of 2404	1464	Dofpgqji.exe	100
PID 1464 wrote to memory of 2404	1464	Dofpgqji.exe	100
PID 1464 wrote to memory of 2404	1464	Dofpgqji.exe	100
PID 2404 wrote to memory of 2636	2404	Dadlclim.exe	102
PID 2404 wrote to memory of 2636	2404	Dadlclim.exe	102
PID 2404 wrote to memory of 2636	2404	Dadlclim.exe	102
PID 2636 wrote to memory of 2372	2636	Djlddi32.exe	103
PID 2636 wrote to memory of 2372	2636	Djlddi32.exe	103
PID 2636 wrote to memory of 2372	2636	Djlddi32.exe	103
PID 2372 wrote to memory of 4580	2372	Dljqpd32.exe	104
PID 2372 wrote to memory of 4580	2372	Dljqpd32.exe	104
PID 2372 wrote to memory of 4580	2372	Dljqpd32.exe	104
PID 4580 wrote to memory of 3712	4580	Dpemacql.exe	105

C:\Users\Admin\AppData\Local\Temp\abaf9d77c56a3d585c47b84c7b4492a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\abaf9d77c56a3d585c47b84c7b4492a0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\SysWOW64\Chebighd.exe
  C:\Windows\system32\Chebighd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\SysWOW64\Coojfa32.exe
    C:\Windows\system32\Coojfa32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\Ccjfgphj.exe
      C:\Windows\system32\Ccjfgphj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        26⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        30⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        31⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        34⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        35⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:876
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        40⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        42⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        43⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        45⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        47⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        50⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        51⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        52⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        55⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        56⤵
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        58⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        59⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        64⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2700
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        68⤵
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        69⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        70⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        72⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        73⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        74⤵
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        75⤵
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        76⤵
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        77⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4284
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        79⤵
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        80⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1784
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        82⤵
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        83⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        84⤵
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        85⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        86⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        87⤵
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        88⤵
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        89⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        90⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        91⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        92⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        93⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        94⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        96⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        98⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        99⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        100⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        102⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        103⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        105⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        106⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        107⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        108⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        109⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        110⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        113⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        114⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        115⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        117⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        118⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        119⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        121⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        122⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        123⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        125⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        126⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        127⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        128⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        129⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        130⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        131⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        132⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        133⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        134⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        136⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        137⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        139⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        140⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        141⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        143⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        144⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        145⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        147⤵
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        148⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        149⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        150⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        151⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        152⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        153⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        154⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6240
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6276
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        158⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        160⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6448
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6492
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        163⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        164⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        165⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        166⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6716
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6824
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        170⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        171⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        173⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        174⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7140
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        177⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        178⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        179⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        180⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        181⤵
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        182⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        183⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6648
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        185⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        186⤵
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        187⤵
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6960
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        190⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6180
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6312
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        193⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        194⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        195⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        196⤵
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        197⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        199⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        200⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        201⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        202⤵
        Drops file in System32 directory
        
        PID:6700
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        204⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        205⤵
        Drops file in System32 directory
        
        PID:7220
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        206⤵
        Modifies registry class
        
        PID:7264
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7308
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        208⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        209⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7448
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        211⤵
        Modifies registry class
        
        PID:7496
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        212⤵
        Modifies registry class
        
        PID:7536
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        213⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        214⤵
        Drops file in System32 directory
        
        PID:7620
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        215⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7664
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        216⤵
        Drops file in System32 directory
        
        PID:7700
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        217⤵
        Modifies registry class
        
        PID:7748
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        218⤵
        Drops file in System32 directory
        
        PID:7792
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7832
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        220⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        221⤵
        Drops file in System32 directory
        
        PID:7924
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        222⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8004
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8040
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        225⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        226⤵
        Modifies registry class
        
        PID:8128
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        227⤵
        Modifies registry class
        
        PID:8180
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        228⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7244
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7328
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7412
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        232⤵
        Drops file in System32 directory
        
        PID:7488
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7564
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        234⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        235⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        236⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7844
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        238⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        239⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7988
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        240⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        241⤵
        Drops file in System32 directory
        
        PID:8136
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        242⤵
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7316
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        244⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        245⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7628
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        247⤵
        Drops file in System32 directory
        
        PID:7756
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        248⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        249⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7944
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8060
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        251⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        252⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        253⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        254⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7688
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        255⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8048
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        257⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        258⤵
        Modifies registry class
        
        PID:7436
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        259⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        260⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8020
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        261⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7980
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        263⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7600 -s 408
        264⤵
        Program crash
        
        PID:7920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7600 -ip 7600
1⤵
PID:6812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Capchmmb.exe

Filesize
128KB

MD5
c6212ec25c1ed9b5973bcf0a866c91b0

SHA1
f08c15598da2132520f9fe5c7784a2c6ee5cb119

SHA256
3ca12eb3b7bb1e9d497f7a9c4216f95506eab2407bc2110433ec48f6a4141429

SHA512
70f28e6167551fdbb216beb2fd3b0acf2102ee5fc8dfb4809d2cd0e3c8e8a86f3036162ff72d7a1f166d6902eef5c549ce5bc379a751b80a501452198fb66bc5

Download Submit
C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
128KB

MD5
1edf8e74a2ce360008c7c718f3341c5f

SHA1
23e047bdbf4521759ca5654eec0d2f69fc505435

SHA256
8c286fe73fe389fd5b0e12c9373f6e0f39d0b7e335ee4e1fe0b86a97baac861c

SHA512
297ce19923be8c8f167e05938e9a68062e33ca522dd5e6cb5046dbb3f6aba100937b878b7fdae28e0d10c3c34fcfa9cf3ba551dece6ce3235f732232d7a40050

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
128KB

MD5
dd49def78f3b64b127426e04f9f0efb4

SHA1
f11a989424a4f74e992f58ba9c3afeec22655148

SHA256
052768bb9c5849f5191c296ee672daa509241a1099360aa105c3a77bdc90abf1

SHA512
4cd10c2bb147d5e2186d77716b2900f2d0943dc2be3d9fa6df736d061edb1d164b361695f1056fd9bd65567e49b914ab9981749dc8b92ee6a586698c0bd94599

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
128KB

MD5
ab155da7b6d051f595bdaef2e33df0c7

SHA1
bfc23f06e563e923c139812c7f949c9d13d1b0e0

SHA256
ece6d9e7291ca3827b89eba051ac75e53db7d5b280162bb276ed298609e8666b

SHA512
830c41e66353fbd8a0988e39103a50355c1de45ca2dcacf178802f79dd69894fe1f86924df721c79bdac4f1be191af90628ffe8eed6c6ba313cbb1a2b1762382

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
128KB

MD5
c369c55878707f0e6a86f26f12854d61

SHA1
18646fdd3c432641f244d6a25f957291a91a25f6

SHA256
6c03666ea6079a74dcceefcd7adc806b3a7ce195cfa8beb62acb92eef8be9d1a

SHA512
e1ae16d92b546596dea6c25aeaf8eca3e92840bb5d71a63ccc40e565274d2d2689d47d437fb76ef16d855ef5bd03187c0983607a784fc4ad0192bb0d336f91df

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
128KB

MD5
87d52e01460149eac6440cc63aaac348

SHA1
fc2dd4125182b4bf66f992ece559d1b2c536d412

SHA256
de2618df5aec95325d4ca6af1f6d2395cb8baaa5fb4af8a985e3a47ec4b592ed

SHA512
be50a5f16f8206d95efc7d09480d41ea4581963f85285eb562f8ffb1cf2cac9be38f1b3a770f083f46763775ddcae19dcc3b611057dd7b384b947de88f836f5d

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
128KB

MD5
348dcd77291b2a7d266b3dc6c5a9a3ae

SHA1
28ee4c41156ab81e624ac2c8ba9936cfe92d0013

SHA256
3dcb0ec0bd21a972a3333b74e2a12ad3b59e9dce38f02ef7665a404d2b4d675d

SHA512
637b986aa966b2e9bf9b84c0a0c6986cc880a39b5a130527934b90b16438b9b698ea29ab1320d80372d8eba13b8e23ba2e47841d380330b2ee244e58e73b6490

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
128KB

MD5
eb49c622c12a96cf01b9418afb3f46bc

SHA1
1f710ec4cea4e791ba7a02dcd29f619c8ebd79bd

SHA256
53206c955d5f975705efe02d3320c0eb4536da455017e252b7d90be9846ec2d0

SHA512
c1bf703a0776c8b5c8685ab13426c37a1ea3a23eea6046e38875ab56f13e4f58c54c49b19d1856ae60fc6607ca56aad3fb605fe4bc422dc7c3129b91d15bf270

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
128KB

MD5
7754961810228ef257c47fbcef66b93c

SHA1
9a08731e79cb29b9d0240fbdd38fbe028f6fc2ec

SHA256
50fb831ef58df674256879c1a3ed44d9d3be7ec0e52f0ec6065dff17099cbc66

SHA512
738c9363e48af01baa5201cfac492e350b92573398cc3883b739b77d1118d904bf15e67de67fd927b4c4e8e459796d47b894682c3ed77e41ee16d4b4a3df903c

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
128KB

MD5
0f23e68e8c946547a2368aafe7db0fae

SHA1
17d3aec1ed0e4978c26a2e07d324f88b9280c2e5

SHA256
b64cbcadcdab5241e168d2a6578044327c48ff78a7238eafda29da41eb00a629

SHA512
768a3d46469ccca223399000d819ba1db86049ed9a4b2f58ba0fc254dc29824952deb29cdd216b1c36d5c6458097561293b2e6b8132e91c5bb3567b7b30f754f

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
128KB

MD5
617eb4614acc0ab2483b97ffd97f920f

SHA1
4af70818a0582375fa76658e0d5ad9f3352e014e

SHA256
1f40926311532e7b34ecd3293870ee72d0a70fdc52707121badd1f6fdd539f6c

SHA512
bace8d63fea657176b88f06e3ad2ba43b7908485081a3a7f6d893b6337e43f3143569d7d426f29f73641aacd325ec580ee1cf5943c1ba41d7fe60148fa7052f1

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
128KB

MD5
62e343b665ce7aedfd6b6c36f5c112e5

SHA1
09dbb3c9cdeabb6d84e0df9e37d8fc81e6b01c5f

SHA256
02960a2391e343d86b2873261344d7941c68f5b8854f594e946eab69a4632de4

SHA512
5a827c1e5d8368da4a50ff17ca67475cee3845b1e27f935ddc3b79535e0abc78dc0555d6c7f1491dc2f72de9fc9a5eceb9d675f6e3c5809c7ff4684496cf20f0

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
128KB

MD5
070b54917d230e4eb09378d54024ce71

SHA1
bb431be0dcb51d9bf57cab892f27dfb0c3df0acf

SHA256
edae9e56871150b582da03bc775ccecdb4abdf9c1fb671c30d5ef337b73893dc

SHA512
3939395e2ec043c2ad263a53679a29637b221f7c24c7185b834ac85cb02adc50d692104d8a925dc9901e265eb6c20fc19e88654b497e6e7d1e418f321d7f8a5b

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
128KB

MD5
18a9191e3b90a3900436e9cb8796dd95

SHA1
5b25beea920eacdbbf7d6e98473281ae1037fa5b

SHA256
a92eefe0b77031d0de54b69f8146be9e27ab59dd7ca9034c1d16760532ce55e9

SHA512
35f85496cb8703ad61e936140aef83cd932d61481f89e1490e814822157456abedaaad6225ac12bac1f028b0218f25294c438a2eef735f71ce2c5e4d64a62301

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
128KB

MD5
cfd960b65cf0a3e9739ab2729dc54dd3

SHA1
d68ec07cfc20bc971f4c8d87661324fc744f7cc5

SHA256
e6c90d7f9cc80ecf1761507d36a92f3ae77187d1c6e36dc9631ca3ec838a662a

SHA512
fc75c33f3a6f970738fdd7a6f70e20472e07829b5aab0744c88fd5ed128f59852e9b4a28eb485dbf78d43f40d1b91c4712477c16e88e581ce1f3f345cead59cc

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
128KB

MD5
8ef95d406665403be5d43d48d6b334f8

SHA1
ca4ca8aa10aa0a22bf1bc97904f7d7c1833d256b

SHA256
d0694ec4db91465f6266ef2e9343e78415d0207abe29bbb8a0e757b46b3e7344

SHA512
fd6a44b49b4a01fc263197154a9662f8bd8a3952757bba416f542874156e5cbedbb9c36817007e8479c7f2f328c1eaa75a24d97ac24ae3f5202fd8d80da1866f

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
128KB

MD5
672096bd75b4a2496d66495382d91031

SHA1
67386922e22c0893502a3ea1fdb15fd0c7c82c2d

SHA256
6ce776194e8150dae4da8e6545dbbd0c18b33c35154cf1c6fe19619a9bebc271

SHA512
af450540122c8c75f8a714d135646cbf158a06fa052a78fac6a941a3ff244ad4468e8f07346bb06c197089c5ed1a870760c8bef3b802fd319b58cd048d9de5be

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
128KB

MD5
46e5a67e843c51f3b76298196acbf238

SHA1
176f6e77dbdcb0ce3cfb7b2f0c55625263a8fe1a

SHA256
37999728b8e15eac1c0c0aacd3c0759b20dcd61c9bfabb665ce56160efd2ca69

SHA512
05ee41b8b1bfe81df57b0f13e5a28255a46ec5a345ae91f1e64116c8946c7aa42a4d437823987566ae30e1476543de44b0fd8d2c0fed5f28fb5c1c4ea07e2fae

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
128KB

MD5
97d578a39b63ec9ff5a189ca328d6983

SHA1
b8a35e9a4d7907147ff062a1f8d23ba4743a74e4

SHA256
a49091ce4b928352ab5723a8e791f05faafefabbc0eb0a0730e843106c8aab67

SHA512
09babf75b077be0fe882588312c50d2686524786ab31a576d91fc74041831ee359fe3b8f4305a5514da9a3392dd19ed610cd050aaee31a24a5759a352c2d0b4d

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
128KB

MD5
2a71a59dc65e248e00c248512ea2d002

SHA1
775ee27aee0f65e30eba0a024d89be44f71b3be1

SHA256
98b2f1d40a60544ad50f7d2faaab881d7ba31b5571d251134d6331ac5bbb34f6

SHA512
7f3cfd52497bb6c79d5bab6297336a1cb0e89c5c76e971e058041fdce9b057bd5a21d3e4d017250f13b83617ca54c521bb117edbdff2c9e924a0fba765f7894c

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
128KB

MD5
7286d4550f797ddafa45241f04233f77

SHA1
f54fe5538c0d1c947e97a95053401b0e6d348b3e

SHA256
18fad0582c8cad94c10467f153a93541c5955906117c0518584c7103e7aa2dea

SHA512
f1e8d5370716b2742442f9af7a54ea3231742e237221ad3476306b4f1864a701b8ff6fcbbb0f56a7cc367f54c51c97bc671439f57e16da1589b82966552c3dc5

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
128KB

MD5
9c6dd1a812635b7f3e0c76f4d46c4419

SHA1
14b72f3235af17ca644b930c9036d89986f69262

SHA256
12acd858fab06df0fbb7c9890c355a166030b365956b3a157367a5d2a2822dc6

SHA512
a6bf4ef80d85aaf7021d988b15b21daca90c43eac4dd79ba23d8d457b1796dd1993798104c0b72946af96c6cb56cc699ba845c801d6d108f49d276870e8bfe1f

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
128KB

MD5
925b7348a5f62bc982e8304f785e6fa9

SHA1
889bf72bf8b703b5d3f49a97cf041809f60ebff0

SHA256
c053a070d1692a6853b068ae9f02e33892b6b3a8d8e7d06c800d86f612bc9c39

SHA512
889cd2a8a3d34eb7bc7da0693cf6e69bc78561432e51a929c94d1db853bd0e38c22bf077358871c180a74409c1c40bf032eb72c063bc196c3c389c77d7c62fb9

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
128KB

MD5
e344b80403e19f4291fb4da6514e33b2

SHA1
439db10fae598b827bbc329d40cfa646700f8f63

SHA256
18ca280a7b54e7bcc77edd701efa6b97053adb90240622c6245612d85b2e054f

SHA512
1c51794ffcf193b4bca85cbda9773472d2fcc8f8aa26dc7b2730e25fc88beef54a19fe1eda82bf32bbfb60c866302a81ed8a10d6b027639dac93884df73554f9

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
128KB

MD5
c4370d7c43062f642719989c440d6712

SHA1
e51c643963a622312230dd08aabac08a32c8a801

SHA256
f6caec702a1c222bd1f393dd1524e2761734112483dc606699c978b2a4c35c1f

SHA512
479bcc4679849f1de76a9721420a202f5df7abfb2047ae50aaf117ff05a54f0d83c73b497eed842d13f939f45368dd453f793fafa10c2d9eb3f6dcfb43a8ea1e

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
128KB

MD5
149675c067bf8d3eb6ae67f0b11be429

SHA1
67aa1848f8f0ee0f623d911f66a182cb6f607091

SHA256
a42ce2d2e4cbac2566e2690a415a5cc7859307595206ad6b04d8eeb59d62db63

SHA512
64008b7e24187c8801247037c3ed32132949b45a51baee72f22da078f639d1b746f97815c40c48ea58f5e48b30cd2b548c04b66fd39c44c216dd2cf946302526

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
128KB

MD5
bc46f36f090f6d499b52ab731709324e

SHA1
19523a990e9db0f6595680329f99b5083a639eae

SHA256
476c4ae735a6f03469ccf9f3b3f2bb2b949123bf4a0bb100966028c6730bccdc

SHA512
306a9dca74969e40914fa83644748984b28f7ca6c80495a3656e4417bbf0764d75af6723adb29ed2be6ef9047567a24f1b336c6feaddb00433b13aa7fce42617

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
128KB

MD5
bc60920464b5065694773b2293be1725

SHA1
5fd83af17b1cf95c11a373e6486d59405c240dd8

SHA256
14c703276ebfce29635f92a750b2896939220009e93828a63c57dc5758292dde

SHA512
d7798277efc02ef23cb86819327045d00a4e8e96648717b618d1d2b53f6c567052f070526a44fe6ced418041ac2d1e72fc8a7b753128da4b18ff9e9ce46934cf

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
128KB

MD5
1ad87aad4929bad343cc2fac59755c31

SHA1
571edeb51b34e0c6369cbbb00588689746a97c1a

SHA256
142190af335355b07eac6e35a09cc94590046bd6e4e61d112082a963eedf12ee

SHA512
555a543b6ddc1787d42f2c2e1e644b0448163d5bed706c70be0db10ad053abc0bd357b7e10c5d1dd0bd5c3264b5bb69ba14a6e24922a12441d6a763615cdcb80

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
128KB

MD5
830b48cef34e1baf0733f09afe3f304d

SHA1
b90259851963f150f8da3629452a6736ccb833cf

SHA256
68e846a0747ddce06400c4c317e5e0f0a0fde63c6296b01e111cd2e64788ce61

SHA512
62597207a0b8025874a05a72ec6fe198b5ce7d3d72eef786d6f766bece31e8de82b2f250bde6ed19f905a155fe390040cee769cba07c1cdc11a06b123a9f85c8

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
128KB

MD5
033a0e07ebbb6367c36181e868f2d61a

SHA1
b05bd0d430cf23a768048e0873ea8e24784aeb83

SHA256
e5eba8dfbbc928076c429c31fbc999934458a58934688e9aa6dd8e823047cc5c

SHA512
522839f4dea49d50aaa7b40da116c6b2544f0f7df8d4aae08e84f56c1d9c1ff6dd503ba59050ccd36158359c85f9cc94c9ee1eb17eb522a55efbb009fcbf40eb

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
128KB

MD5
c7e66aac59589256206f555813550ab4

SHA1
653ccf3458a90a6516efc51e163628fb6a9b3ef3

SHA256
cd9634a21ea434d2206f0c1c2e808bac63ea6da9ec844508d043fe3f789262ab

SHA512
cd685704965bd619e73fb9cee51db609f3c30879b3030372af66dad65452fb9b634985c6e620ace4da528e6b711a03f524fa3d346c11b8a7f52c8db0763e02e5

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
128KB

MD5
7a0e913334ac90fbc0574588b7fe6715

SHA1
6df3256a902605172e0cf2c2705f50187904bc34

SHA256
424d404f52d245fac752cdb32b33ff5a77a2c9dcebb4ba1d9a1d162fa0ecea3a

SHA512
49e81d547cd501a9b0c85424c1600028b51bba2ce3f55bc6f01a9bec67379415f78ef07658230ff234c7301f439343419d76c63d271dd48ebaa24e12f3ea6577

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
128KB

MD5
bf61aa388844514135c0f017c80916e0

SHA1
aeb0c66ce372891b45fbc9e86b9e6314e76fded3

SHA256
57e2959b8efa25b1a597f6f34e1187afd04e9b7bb9f772347b3e743730624082

SHA512
a7e7b9b7182ff83e1654aeeb29a4792f55bf1c2c70d9eee284db8dce8f3d10dd8e6964e171c0cdac62ae94098ae669670cecac09b5709c31f169761b97ed98c7

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
128KB

MD5
06d880e3e9d056920ae8aa4326bc3988

SHA1
a799b374cbc9b9e4655d74c34fb9a6807db24009

SHA256
2f4aaaaef0028415a3c20557113be50febe7e8f4ac53dc9251f63763ce9fa607

SHA512
6de807abf0fecd2ad0a453941e80ce88d2d1d3ecc1558f4d503d545acf1e60bee9c91c3fbca0dde4c5d1d3e9e7e9ad2169bef4c9797324a30a9f416ab79b2899

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
128KB

MD5
6008cfca1cf1614591db146a3b3a58ca

SHA1
4ded0bf86a53033d25bbb61bee88a52ce60ea497

SHA256
6d3ee501a4b192809d3f0b609a50195c7ac18d6f6ffb9d4e72b553dec4f2c984

SHA512
43b0533f0f70c3ecbddf5cc7e02e9cde0c3e23e1f21a42c9ec0f792b0fffd6ac64e8c2c95d803c27444c6f5b0277d7f93da41c86443d86c2bdc093c359da7a30

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
128KB

MD5
0032e8a18d848ff3f44149a9a6df0cb8

SHA1
02714377889570124b9634c974f528c9c2a18cfe

SHA256
93ce6a015451168f48d8739ef07b7fd34441c946fb46e57f30ec8a0414438662

SHA512
93a43ce3a8a2d6b987389cc279b5ae7e645700bc7516fadffe1b1fa154504751d8874d3570245418fc1471efba328351057a0a5408ee1cbfd1d447ac54ca2b95

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
128KB

MD5
d3d8d8527f0652f3715804898632476b

SHA1
cbe4320fd891bf5b293861bee64263adaf85736a

SHA256
2a701d8791ff17757f3d3bc6b5a16ffcde20c2a6051a449c3da835aec382609c

SHA512
a85e389c754d8a304c7ea6d16841b0b5dfcd063d960545f5ba323cf3b3bba6f22576c65b8dbed42fc3c7be51c24e7382080ad8dd24421c3f4f28f4134ca0dc5f

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
128KB

MD5
5292ddf2a8fac56f53686d2b2bac2377

SHA1
d1d598a26c9ae7bd9f4728b282885a84ce847f66

SHA256
02af7b7c526dfcdfcd8c8b815857de6b45e4525c6601e6e6af9447de5250bf3f

SHA512
9a1403622c59799adfa1c2f0e82790651febb4297196890383d6a54a1d18b3af59705787c844c9dd39674eac91c57370d9cb3995ed5f2e7a89c2d52bac5882af

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
128KB

MD5
e245849083be97552a79611ce12928b2

SHA1
6a12a938a84e4d60b7aea1e406cd88aac1f05161

SHA256
fdd4f97b3011cfd19718417e2657a6ed79ce6bee5058aeb8f143d49334a626f6

SHA512
a3e4b17c460f2f14ab45af7bbec152d07c67a10b43f7622f549b93ad43b301585f9613bbf260ab0d030ea4486bda4ffa46dfed732f7470a3f204f6a1d586a7c9

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
128KB

MD5
f064e98f362448477e7702e7e09b6836

SHA1
b380d73b4ee56be61270dd9e4b0954c890dd4cf0

SHA256
b3079beb1ee015deec4bbbcc270c1ff0747e3e402e3138e94e869b224c452977

SHA512
6d2eba2c6eb63d36bc780f8d82c9fa286e0dc3b72edfaaf42b85c5df9b14a0d80f5d16583f841acbe17a75661bf2380fc5708d50e0681d1dc7a47aacea66c3ef

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
128KB

MD5
ddeb5c7d5e5e34e723bcad8b8f78e051

SHA1
3ed5caee7ee4983766c0b0d91fd7ed4165ab0141

SHA256
171d96f8f55ddbda78f5c3496b8e827a37c716927cf575d4886ce8f5a65fa7a6

SHA512
8c986a60e5634741c272e88cf3976a0bcb5388e9cb8b01804a644ccd6eff2ba4cefc5239a895bb5e55d64dbe9fa6addaa057214f0746ad2c535c40dae54e41a5

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
128KB

MD5
f9f539c89bb604161f4131b747bd6572

SHA1
8a7a8dac25ed488dbd09d606f60fcdb0c113ec86

SHA256
1027946cbd7b8adb9eee9a4aa321a9f3dc2bbfb379541bf5cb9f54dd4f37d517

SHA512
7a186376712170135a5267d406a768582221d36cd01b8788001e4fe4412c155359653baa20cf4667c00d9ff3eb3e0c5369312a9e1b442104f900ac63d9679b08

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
128KB

MD5
041e7341e25a2909f8d3fd256f88b9fe

SHA1
750a97859ecfd27c5befaba704173ad83d8e9bea

SHA256
7b426d2771308a62f0f7a034cb94e6ce2f9a8b5ca1e22a5f38a768752b3479e6

SHA512
5470c8ab048b600000f1d7cdb537ba8b42ed8d3b6aa31d84d3aa7122ccc9de3b846181d5e529f214f3ba67f71fbb9932f76342694fff64a7fc373ab69ac17181

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
128KB

MD5
fafdb9b5b6e0b8d63e6fc0a9bcb14204

SHA1
4c5c5d12711effcc4682293c58644c5d304348b0

SHA256
1fd4aa1b7c98322dfdbdaedac0780dfc415d72456622b5ce19bc84926af95bf4

SHA512
45afe3166095a652ce4523a670bd2628ae31b837b25bc25a178dc6f549e2ff8c7e067e39d6a6cfb775ccd08b04faa6ffcffe46a952b394753e7942c67d20c620

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
128KB

MD5
c7e711987ec33cdf4e45dcaa63a16500

SHA1
3ab0a338d5986e6c29994392f087745f92612724

SHA256
58f2a488612174950c1069086d2264e801def591e9641c65b011f710728f12fb

SHA512
4d5da57bcc6f022691775424e253679ac3a2f6d546c5cecaea28314a5b33fa6d8972bd1487f27d35f8ef244ce47fe8cb009aa8db05ef8b35217ec828f0f04697

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
128KB

MD5
cf21565f06913d2359409886b3f47cc7

SHA1
2afb037a5c5ea3e0a8745c1299f6306ac9c2324d

SHA256
0c3ee34f659d1ab9e02f7f67f3d7b3a881056efda540269e0b9ed9e1bd69614f

SHA512
e6ae033fa4319710e3315131725422d0831ecfcc4d3982d4d69a523500e918ef759458a0ce8ac0a8c2c8df556c5a0092d82b94ab6a4ca587c3031736b939778f

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
128KB

MD5
892fcd28fc03d174d9c698cede6e8c9b

SHA1
89568593028df05e618ba4b1a517fa07727b0984

SHA256
2e2415c7c3873046135ca27c1f67fc8ec76d975a3d95575b8c61de1f9b9d1ca4

SHA512
ed0e4ec93c838ecea0e43c78feb33f4bd4bc813ee34698b342ba02eab03470d85744596f7990ab6004af2c7eff04af1747abd21318f67b897c7e2633ce8514da

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
128KB

MD5
88953786b824fd4690be429a2e3e5295

SHA1
1cb17a2d6b56739ea42b0e8eda6e13615d9d66dd

SHA256
44d357d690590731efb74af50c0eb7dab2845b5267aeb076c982ae64537141af

SHA512
cc14593f8fdbe727f99e23a004678603041ab799ae79fa20e8ef111f2f54f28d6b734605e80451f272956a0f359d6f4e2f471c538705a9a227453a9fbe2ea5a0

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
128KB

MD5
4819dc0e39d3b14e920f483789af48b1

SHA1
6c687365fbab339458d9d2b92ebd7eb846f5e102

SHA256
c7a5e62d6429b2f9c979e3711292ce365ad7945abd30c400826a732814942408

SHA512
ad7b72649c09f2eeff1666fb4fa9b6a0dd502d09fefd1fcdbbc2dd27594bb357d3507a584dd75a70d039aef49c9f5ec39c8e4d730abf3286a4220cf4d6110747

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
128KB

MD5
7c39e92f2bf1c4110c8531a8faa9e6b0

SHA1
429ae855c19b9943894899c6f93d897520d43fa5

SHA256
13a57fab5567bb8feffca3dc62400a8a757b62481b95e878e646cb7c02898e6e

SHA512
58fab5e37f3b0368a8b321ede06cdb11d69b6bd136db68a78cf16ab5aba16f57ff68cd788e5888df394af461255c4b95d2aea8362cf5687a4fd1a22f8b2974c1

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
128KB

MD5
d5124f3e8c2bf76cfcc371f808579bc3

SHA1
747d7150e0189068e27c218a1915a6e730623739

SHA256
aadbc3451ba55bbbc7d5f3399b8f92b1f64fa7d36906406eec256950fb4f3a03

SHA512
07b29bb07679106e798bc30fa3a9e96d5350a391d2b159933df4bbc03df629bd8a7e5e1e8276817b59ee0c0ee27468d0ceab88f3496513f9dfe430c97bca7a29

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
128KB

MD5
765142cfafb833b06633adcfe832e141

SHA1
1ca8c088c99693cb12cc1697dede42df8464e7a8

SHA256
5c28ae208eec72237a1abf8d3fac54a975b5774c3a28417574724c1755320080

SHA512
edc81b4659220bace32a2a2cf0055ee5d1adab5ef8c493623d0b9e1dbace5fd571dbb820f619393512cafd4e9586a40a2629419175c3bbc635df51bc697906a6

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
128KB

MD5
248362c233c3e4bc34a572e6d85b705f

SHA1
062c21d8afc6f0baa4fc1f1752ff367a258f4998

SHA256
5ee1a0b4f5b714c43ed49fefe232a9ba29e1faf8a7b533a8323122c5c10bd7d1

SHA512
e634a9e58659fc23a864f8ac13747a98119434758240b091561ce40b2eac120fd3976541b3d6aff03a1c699155197f70ecdef4facee9bcbef82b44a6529b491d

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
128KB

MD5
9ae09010294b9ee78987e317faf788aa

SHA1
d466f8bd67f9695579eef2bfbc8d34a6024af266

SHA256
fead97e5bec2a09bdd398b67c0281d7ba7a3909270172ebb37fa550d4aad042f

SHA512
6ce0f326b8fb5cfb99998e48873bc652ad047d3815a3e55247e28347f3de29d8188eed3767ab54fc1d01cd15b8adc21a50595d457f9d84debe08e062e7bb61e1

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
128KB

MD5
5d680f2534cc5e2e82bfc38a715b75de

SHA1
2a9a50fdd454f37f04346c1781ac84fd322da546

SHA256
33d69d6448148932d176f63bebda7a74a2dd658b28b5f2361570745ba1cc2b59

SHA512
241bbf3ddfe4525b030cb1a5aeb3f096deece13bc203c01b64984be17d37b5df4b48bf260162bf080f6e79e8739608f1b96f1fb0d5fcd7564966339089d44ee3

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
128KB

MD5
e4b62b1171aa82e41bd2c6f2b1188b1c

SHA1
395ad127327dc3a9b03a664e0609eb686f093330

SHA256
a87d36f4b88caca68a3b8d141ce19afbbabdfb470d150a0c953a04d56dd31a90

SHA512
19e8116767591a4e5f1c0f5a3b1790e2aa40f793d060b066ec77ae4e4817262842961d7b63e81058e950ed0f72a0b3baf056d35eabe95ed1f883ab457bfcca11

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
128KB

MD5
bb3821fade4fe3c5be65f473ac3666d3

SHA1
045a8cb40ff4396f758f281c76acfed7e05c3fdd

SHA256
ed67da8e4bba6183a70d887f7d8dc662522f020ff5b5db768764477850cb55ab

SHA512
680bf31495877795a066b42f79c763fcab387b10cb1b5edf649ac8ac7aa83408cce7dab57c1e9e56f68f4e7aa18a8fa6b7c852831c62d25ee2241733d1c477d8

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
128KB

MD5
d5c1298b385a9cb3bb8ef47f96e489d0

SHA1
d1828cfcbce45a8049d4982b18cc054b2e6405e0

SHA256
c5820439f2bf44fd81a04630887a9365365f2712334705608e347619b12b35ae

SHA512
7ae8198748fab8b695d0b4ea7b97139d0f09655202eb8c611b6d26e87e08053a7e23c7a8512910a53f4036a2163c93a9f872123c6211f4a104346566e5f82b01

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
128KB

MD5
b5abaedbd725e77d1d28fc32ccb4e75a

SHA1
204f184b447f50d73d9ab5cb5b44a9edbe6adb60

SHA256
99e4b3c24a5c3fc1590088e42b2e12751f698f300bb1239d764f6f9d8b7c3636

SHA512
97cf219a32fb1412fa40566c3f6e33b558f907c74ad201e4f06290411f47134f236b4f477d49e5018ee3ced39fa03895aabfa2d090e979c77c89d78ae09dc1a6

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
128KB

MD5
4c465db55e580d09acd2b9a7307a6f9c

SHA1
926af11309c8c47fcdd9d58c145a041b463c3ca4

SHA256
40e5fe2ee380c97cb2a3799a866a938590a5686dfe4ca9a5302c5e543f98233d

SHA512
184b4b7ef826e9198b8acca615f950e10cda37671956bf2e15723f144804d77a3f25250cf15317b7b7af6679c87e5da47419f409c608604bbd16ce1cc2837468

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
128KB

MD5
cdc82ab17dee2d966166de18b595789c

SHA1
59dfd7aec9713ca22b36d04439747caa8dd2adbc

SHA256
09994a693135fef2c73c1394da54b3fe2b61898c4ef3c5a22e88607c762ac462

SHA512
64f8b0a073d3b612625baeb458a92ddc05f63f51a20aa568b354c0a3208edb4e2d9c556f8542dc2ca874182b013b8ef95073ce3f982932cf2777a52e0aa17cca

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
128KB

MD5
3ac2f531cad9e7b08dccaf81019a0935

SHA1
3ebc29f6d99a076509c6c356e828ba7a2931dff8

SHA256
fc6352cbd61d760bf2ab6bfe5faa9941f8ca5d183d2cefbde96633802b43ac22

SHA512
4315b6613ca1dc9b69665ee83c7ba3256f7718ac091f5574967bcb0b67ab98cd39bd93b5c37b6b5d5b71d60a43feda3fa9ee511b2dcafa1a745f55212aae2f07

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
128KB

MD5
3042c82d6a953a7c228170f7c9f41922

SHA1
a841e3edac53cce67bbc680ff16f2331af8986af

SHA256
8d019d954ed41a155048ad173deb527c31d8312a56e458bb46d94534731cb507

SHA512
c91bcf9ce2b29a6293108838c7f211788142e9aa8c3299f6cd33dcd4e9ab17ba112014c2aedeb197fbe45a8dd6930b818a1ed2411fae9b19f7c06a2c9581a2e4

Download Submit
memory/412-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/452-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/552-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/744-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/744-582-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/840-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/876-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/920-45-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/968-557-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/968-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/968-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1016-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1016-602-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1152-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1176-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1200-519-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1316-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1464-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1720-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1784-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1808-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1832-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1872-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1992-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2052-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2064-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2088-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2096-435-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2172-465-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2372-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2432-525-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2528-441-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2540-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2636-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-459-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2924-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2940-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3036-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3092-205-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3120-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3308-375-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3320-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3508-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3552-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-533-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3592-509-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3612-555-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3644-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3660-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3708-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3712-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3716-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3720-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3876-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-596-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4040-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4040-609-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4060-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4112-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4280-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4284-527-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4328-495-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4344-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4372-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-568-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4416-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4432-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4460-570-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-172-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4604-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4648-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4656-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4676-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4744-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4764-590-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4780-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5040-588-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5052-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5108-301-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5128-607-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads