b4276915850f32c7c596607d9c98607298ff43e5ee26270bf66f7c65bf4aa533

Analysis

max time kernel
134s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea44dfab9a910cffe01646c577031020_NeikiAnalytics.exe
Size

245KB
MD5

ea44dfab9a910cffe01646c577031020
SHA1

7a61bcf6eefddec49255af3dc1e1583ce15dbc32
SHA256

b4276915850f32c7c596607d9c98607298ff43e5ee26270bf66f7c65bf4aa533
SHA512

f0a9a1a659cc984bebc5c300d6d6e16dfed700952905d7e77c07990edc6119c75bd50cc32fdc170052c8a49679bd919dcb6e6df5c9ae88df3f7323f3fe8a4f3c
SSDEEP

1536:/N/V/ktXvwrnVlKQdNKSX7D+oo/4cXeXvubKrFEwMEwKhbArEwKhQL4cXeXvubKr:/TwXvwrVLOSXtowago+bAr+Qka

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hopnqdan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcagkdba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcagkdba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcpclbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icnpmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekcpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedeph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iifokh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fllpbldb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiaephpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhqcam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehgqln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehedfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekacmjgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eepjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbgqohi.exe

Executes dropped EXE 64 IoCs

pid	Process
848	Cdiooblp.exe
2856	Cehkhecb.exe
3400	Ckedalaj.exe
720	Daolnf32.exe
3624	Ddmhja32.exe
3512	Ddpeoafg.exe
3912	Dbaemi32.exe
4948	Dadeieea.exe
4092	Deoaid32.exe
4212	Dhnnep32.exe
2192	Dkljak32.exe
2364	Dohfbj32.exe
916	Dccbbhld.exe
212	Deanodkh.exe
4976	Dhpjkojk.exe
4940	Dllfkn32.exe
4612	Dkoggkjo.exe
532	Dceohhja.exe
4716	Dahode32.exe
1104	Ddgkpp32.exe
4340	Dhbgqohi.exe
1400	Ekacmjgl.exe
1516	Eolpmi32.exe
4732	Echknh32.exe
320	Eaklidoi.exe
3372	Eefhjc32.exe
456	Ehedfo32.exe
1356	Elppfmoo.exe
372	Ekcpbj32.exe
1704	Ecjhcg32.exe
4832	Edkdkplj.exe
2220	Ehgqln32.exe
2596	Elbmlmml.exe
2464	Eoaihhlp.exe
4328	Ecmeig32.exe
4192	Eapedd32.exe
640	Eekaebcm.exe
3700	Ednaqo32.exe
760	Ehimanbq.exe
696	Ekhjmiad.exe
1796	Eocenh32.exe
3028	Ecoangbg.exe
4628	Eemnjbaj.exe
2460	Edpnfo32.exe
628	Elgfgl32.exe
3716	Ekjfcipa.exe
2212	Eofbch32.exe
1848	Ecandfpd.exe
4272	Eepjpb32.exe
2356	Edbklofb.exe
2840	Ehnglm32.exe
4724	Fljcmlfd.exe
4836	Fohoigfh.exe
4488	Fcckif32.exe
3544	Fafkecel.exe
4640	Fdegandp.exe
4368	Fhqcam32.exe
1500	Fllpbldb.exe
648	Fojlngce.exe
1528	Fcfhof32.exe
4492	Faihkbci.exe
4856	Ffddka32.exe
4844	Fhcpgmjf.exe
3960	Flnlhk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cehkhecb.exe	Cdiooblp.exe
File created	C:\Windows\SysWOW64\Fjpqmmkb.dll	Deoaid32.exe
File created	C:\Windows\SysWOW64\Ecmeig32.exe	Eoaihhlp.exe
File opened for modification	C:\Windows\SysWOW64\Kmncnb32.exe	Kibgmdcn.exe
File opened for modification	C:\Windows\SysWOW64\Lbjlfi32.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ehedfo32.exe	Eefhjc32.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Bapolp32.dll	Deanodkh.exe
File created	C:\Windows\SysWOW64\Jeaikh32.exe	Icplcpgo.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Dceohhja.exe	Dkoggkjo.exe
File created	C:\Windows\SysWOW64\Aipoal32.dll	Eolpmi32.exe
File opened for modification	C:\Windows\SysWOW64\Edkdkplj.exe	Ecjhcg32.exe
File created	C:\Windows\SysWOW64\Pnfeqknj.dll	Gmlhii32.exe
File created	C:\Windows\SysWOW64\Jmpgldhg.exe	Jidklf32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Echknh32.exe	Eolpmi32.exe
File created	C:\Windows\SysWOW64\Dndgjk32.dll	Ifllil32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Jeaikh32.exe	Icplcpgo.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Nknjccol.dll	Edpnfo32.exe
File opened for modification	C:\Windows\SysWOW64\Hkikkeeo.exe	Hcmgfbhd.exe
File created	C:\Windows\SysWOW64\Ojhnmh32.dll	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Dhbgqohi.exe	Ddgkpp32.exe
File created	C:\Windows\SysWOW64\Fakdpb32.exe	Fchddejl.exe
File opened for modification	C:\Windows\SysWOW64\Jmbdbd32.exe	Jeklag32.exe
File opened for modification	C:\Windows\SysWOW64\Jpppnp32.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Ingbah32.dll	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Fmfmfg32.dll	Eemnjbaj.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Dkoggkjo.exe	Dllfkn32.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Cecenn32.dll	Dadeieea.exe
File created	C:\Windows\SysWOW64\Kiidgeki.exe	Kfjhkjle.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Eaklidoi.exe	Echknh32.exe
File opened for modification	C:\Windows\SysWOW64\Fdegandp.exe	Fafkecel.exe
File created	C:\Windows\SysWOW64\Gcojed32.exe	Gododflk.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ognpebpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9260	9040	WerFault.exe	413

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ippggbck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edpnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Collmj32.dll"	Ekjfcipa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eepjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghopckpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddgkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhkcaln.dll"	Hbnjmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fohoigfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dceohhja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhgpa32.dll"	Eekaebcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddgkpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifllil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkljak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcinbcgc.dll"	Ipknlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deanodkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kedoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll"	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjpqmmkb.dll"	Deoaid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpaqkn32.dll"	Ehnglm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcckif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gokdeeec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ea44dfab9a910cffe01646c577031020_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fllpbldb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecoangbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Himldi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckedalaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekcpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 848	3536	ea44dfab9a910cffe01646c577031020_NeikiAnalytics.exe	83
PID 3536 wrote to memory of 848	3536	ea44dfab9a910cffe01646c577031020_NeikiAnalytics.exe	83
PID 3536 wrote to memory of 848	3536	ea44dfab9a910cffe01646c577031020_NeikiAnalytics.exe	83
PID 848 wrote to memory of 2856	848	Cdiooblp.exe	84
PID 848 wrote to memory of 2856	848	Cdiooblp.exe	84
PID 848 wrote to memory of 2856	848	Cdiooblp.exe	84
PID 2856 wrote to memory of 3400	2856	Cehkhecb.exe	85
PID 2856 wrote to memory of 3400	2856	Cehkhecb.exe	85
PID 2856 wrote to memory of 3400	2856	Cehkhecb.exe	85
PID 3400 wrote to memory of 720	3400	Ckedalaj.exe	86
PID 3400 wrote to memory of 720	3400	Ckedalaj.exe	86
PID 3400 wrote to memory of 720	3400	Ckedalaj.exe	86
PID 720 wrote to memory of 3624	720	Daolnf32.exe	87
PID 720 wrote to memory of 3624	720	Daolnf32.exe	87
PID 720 wrote to memory of 3624	720	Daolnf32.exe	87
PID 3624 wrote to memory of 3512	3624	Ddmhja32.exe	88
PID 3624 wrote to memory of 3512	3624	Ddmhja32.exe	88
PID 3624 wrote to memory of 3512	3624	Ddmhja32.exe	88
PID 3512 wrote to memory of 3912	3512	Ddpeoafg.exe	89
PID 3512 wrote to memory of 3912	3512	Ddpeoafg.exe	89
PID 3512 wrote to memory of 3912	3512	Ddpeoafg.exe	89
PID 3912 wrote to memory of 4948	3912	Dbaemi32.exe	90
PID 3912 wrote to memory of 4948	3912	Dbaemi32.exe	90
PID 3912 wrote to memory of 4948	3912	Dbaemi32.exe	90
PID 4948 wrote to memory of 4092	4948	Dadeieea.exe	91
PID 4948 wrote to memory of 4092	4948	Dadeieea.exe	91
PID 4948 wrote to memory of 4092	4948	Dadeieea.exe	91
PID 4092 wrote to memory of 4212	4092	Deoaid32.exe	92
PID 4092 wrote to memory of 4212	4092	Deoaid32.exe	92
PID 4092 wrote to memory of 4212	4092	Deoaid32.exe	92
PID 4212 wrote to memory of 2192	4212	Dhnnep32.exe	93
PID 4212 wrote to memory of 2192	4212	Dhnnep32.exe	93
PID 4212 wrote to memory of 2192	4212	Dhnnep32.exe	93
PID 2192 wrote to memory of 2364	2192	Dkljak32.exe	94
PID 2192 wrote to memory of 2364	2192	Dkljak32.exe	94
PID 2192 wrote to memory of 2364	2192	Dkljak32.exe	94
PID 2364 wrote to memory of 916	2364	Dohfbj32.exe	95
PID 2364 wrote to memory of 916	2364	Dohfbj32.exe	95
PID 2364 wrote to memory of 916	2364	Dohfbj32.exe	95
PID 916 wrote to memory of 212	916	Dccbbhld.exe	96
PID 916 wrote to memory of 212	916	Dccbbhld.exe	96
PID 916 wrote to memory of 212	916	Dccbbhld.exe	96
PID 212 wrote to memory of 4976	212	Deanodkh.exe	97
PID 212 wrote to memory of 4976	212	Deanodkh.exe	97
PID 212 wrote to memory of 4976	212	Deanodkh.exe	97
PID 4976 wrote to memory of 4940	4976	Dhpjkojk.exe	98
PID 4976 wrote to memory of 4940	4976	Dhpjkojk.exe	98
PID 4976 wrote to memory of 4940	4976	Dhpjkojk.exe	98
PID 4940 wrote to memory of 4612	4940	Dllfkn32.exe	99
PID 4940 wrote to memory of 4612	4940	Dllfkn32.exe	99
PID 4940 wrote to memory of 4612	4940	Dllfkn32.exe	99
PID 4612 wrote to memory of 532	4612	Dkoggkjo.exe	100
PID 4612 wrote to memory of 532	4612	Dkoggkjo.exe	100
PID 4612 wrote to memory of 532	4612	Dkoggkjo.exe	100
PID 532 wrote to memory of 4716	532	Dceohhja.exe	101
PID 532 wrote to memory of 4716	532	Dceohhja.exe	101
PID 532 wrote to memory of 4716	532	Dceohhja.exe	101
PID 4716 wrote to memory of 1104	4716	Dahode32.exe	102
PID 4716 wrote to memory of 1104	4716	Dahode32.exe	102
PID 4716 wrote to memory of 1104	4716	Dahode32.exe	102
PID 1104 wrote to memory of 4340	1104	Ddgkpp32.exe	103
PID 1104 wrote to memory of 4340	1104	Ddgkpp32.exe	103
PID 1104 wrote to memory of 4340	1104	Ddgkpp32.exe	103
PID 4340 wrote to memory of 1400	4340	Dhbgqohi.exe	104

C:\Users\Admin\AppData\Local\Temp\ea44dfab9a910cffe01646c577031020_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ea44dfab9a910cffe01646c577031020_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\SysWOW64\Cdiooblp.exe
  C:\Windows\system32\Cdiooblp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\Cehkhecb.exe
    C:\Windows\system32\Cehkhecb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\Ckedalaj.exe
      C:\Windows\system32\Ckedalaj.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3400
    - - C:\Windows\SysWOW64\Daolnf32.exe
        
        C:\Windows\system32\Daolnf32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:720
      - C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Dbaemi32.exe
        
        C:\Windows\system32\Dbaemi32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Dkljak32.exe
        
        C:\Windows\system32\Dkljak32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Deanodkh.exe
        
        C:\Windows\system32\Deanodkh.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Dllfkn32.exe
        
        C:\Windows\system32\Dllfkn32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Dahode32.exe
        
        C:\Windows\system32\Dahode32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Ddgkpp32.exe
        
        C:\Windows\system32\Ddgkpp32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Echknh32.exe
        
        C:\Windows\system32\Echknh32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        26⤵
        Executes dropped EXE
        
        PID:320
        
        C:\Windows\SysWOW64\Eefhjc32.exe
        
        C:\Windows\system32\Eefhjc32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Ehedfo32.exe
        
        C:\Windows\system32\Ehedfo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        29⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Ekcpbj32.exe
        
        C:\Windows\system32\Ekcpbj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        32⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        34⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        36⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        37⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        39⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        40⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        41⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        42⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        46⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Eofbch32.exe
        
        C:\Windows\system32\Eofbch32.exe
        48⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        49⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        51⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        53⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        57⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        60⤵
        Executes dropped EXE
        
        PID:648
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        61⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        62⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        63⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Fhcpgmjf.exe
        
        C:\Windows\system32\Fhcpgmjf.exe
        64⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        65⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        66⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        67⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        68⤵
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        69⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        70⤵
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        71⤵
        
        PID:184
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        72⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        73⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1764
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        75⤵
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        76⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        77⤵
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        78⤵
        Drops file in System32 directory
        
        PID:664
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        79⤵
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        80⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Gicinj32.exe
        
        C:\Windows\system32\Gicinj32.exe
        81⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        82⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        83⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1560
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        85⤵
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        86⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        87⤵
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        88⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4084
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        90⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        91⤵
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        92⤵
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        93⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        94⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        95⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        96⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        98⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        99⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        100⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        101⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        102⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        104⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        105⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        108⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        109⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        110⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        111⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        113⤵
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        114⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        115⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        117⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        119⤵
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        120⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        124⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        126⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        127⤵
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        128⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        129⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        130⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        132⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        133⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        137⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        139⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        140⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        141⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        142⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        144⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        145⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        146⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        147⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        148⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        149⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        151⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        152⤵
        Drops file in System32 directory
        
        PID:6328
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        154⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        155⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6544
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        157⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6652
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        160⤵
        Drops file in System32 directory
        
        PID:6692
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        161⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        162⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        163⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        164⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        165⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        166⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        167⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        168⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        169⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        170⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        171⤵
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        173⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        174⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        175⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6736
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        178⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        179⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        180⤵
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6872
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        182⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        183⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        185⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        186⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        187⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        188⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        189⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        190⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        191⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        194⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        195⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        196⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6856
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        198⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        200⤵
        Drops file in System32 directory
        
        PID:7172
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        201⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7260
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        203⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        204⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        205⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7428
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        207⤵
        Drops file in System32 directory
        
        PID:7472
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        208⤵
        Drops file in System32 directory
        
        PID:7508
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        209⤵
        Drops file in System32 directory
        
        PID:7556
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        210⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        211⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        212⤵
        Modifies registry class
        
        PID:7684
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        213⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        214⤵
        Modifies registry class
        
        PID:7772
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        215⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        216⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        217⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7912
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        218⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        219⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        220⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        221⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        222⤵
        Modifies registry class
        
        PID:8128
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8168
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        225⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        226⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        227⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        228⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        229⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        230⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        231⤵
        Drops file in System32 directory
        
        PID:7668
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        232⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        233⤵
        Drops file in System32 directory
        
        PID:7820
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        234⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        235⤵
        Drops file in System32 directory
        
        PID:7988
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        236⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8108
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        238⤵
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        239⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        240⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        241⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7948
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7480
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        243⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        244⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7812
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        246⤵
        Drops file in System32 directory
        
        PID:7936
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        247⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8040
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        248⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        249⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        250⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7424
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7584
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7768
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        253⤵
        Modifies registry class
        
        PID:7956
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        254⤵
        Modifies registry class
        
        PID:8028
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        255⤵
        Modifies registry class
        
        PID:7208
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        256⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7716
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        258⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7316
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        260⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8116
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7896
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        263⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        264⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        265⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        266⤵
        Modifies registry class
        
        PID:8320
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8368
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        268⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        269⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        270⤵
        Modifies registry class
        
        PID:8492
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        271⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        272⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        273⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        274⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8672
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        276⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        277⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        278⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8792
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        279⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        280⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        281⤵
        Drops file in System32 directory
        
        PID:8904
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        282⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        283⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8976
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        284⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        285⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        286⤵
        Modifies registry class
        
        PID:9084
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        287⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        288⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        289⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        290⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        291⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8264
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        292⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8364
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        293⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        294⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        295⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        296⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        297⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8740
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        298⤵
        Modifies registry class
        
        PID:8824
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        299⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        300⤵
        Modifies registry class
        
        PID:8984
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        301⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8996
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        302⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        303⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        304⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        305⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8404
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        306⤵
        Drops file in System32 directory
        
        PID:8588
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        307⤵
        Modifies registry class
        
        PID:8684
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        308⤵
        Modifies registry class
        
        PID:8820
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        309⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        310⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9044
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        311⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8624
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        312⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:9188
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        313⤵
        Drops file in System32 directory
        
        PID:8408
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        314⤵
        Modifies registry class
        
        PID:8572
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        315⤵
        Modifies registry class
        
        PID:8800
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        316⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        317⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        318⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        319⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        320⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8708
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        321⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        322⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9040 -s 404
        323⤵
        Program crash
        
        PID:9260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 9040 -ip 9040
1⤵
PID:9228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
245KB

MD5
53a86b15ba9bad932df34be2cef766fe

SHA1
50f6db2dc0fddd3998e42f97b9a1fda3c79fd367

SHA256
e7b936dcc5a76d39870badb06a9c151b52c1312bb54773d505d276ae8e206619

SHA512
be89d7848893857c1852c5dda99d2f6fe14debdd4ff43557dc9e337787a9587d397d8548e9a0e883d414711cacb7031ea061d8db4b6cf9bf762f6fc456d82c12

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
245KB

MD5
757e20351067fe638ad5163755c00c43

SHA1
d92ecb033ce52903de79b0dad668bfb76a29cd36

SHA256
d9f12eb49ff40aa18c28baa89703f4cc130b122e083040b18754b570943d2729

SHA512
1cc0d99d7d2a86976aa6dca0f0c1110b770cba53d2b6f86d1f7090e7d49cc61c74f617c0b52d24959bdc554db370330c27b49d009f9918d98490d9cdf7c1ecb1

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
245KB

MD5
6af0e0f0938889bd1c5078ca056f3fff

SHA1
ea9dec7c71ecc801f288e75600e5474c411d5532

SHA256
d9d2bfffefa914f5ee53a456b4a01a7f3c597fb70e04acd91ec23de121aae5b4

SHA512
d24381402d7a8c0be9794d6edb27f1c7102e89886316c9718ecaf919130e5dcee5f45c704c6acb18ab2523cc8b6f60895338edaa2244d032cf96617851e6acfa

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
245KB

MD5
ee3ebb9b9eaadf97f2222e936b8ee16b

SHA1
f8b7a56683f982550f93c902193352b535876837

SHA256
e6d0596de859d4ab1a2de0aa5499ab9fcdc8250a04831cf244e598ce57ec80bc

SHA512
64a542e3b71513dbb348f99143c3ea2415a858c3f1ea7a9616340851ea78346a43b2b326dd07724bc4938fd2d7f10efddac5f8918638d7280f17a2bbe0e42754

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
245KB

MD5
2e53f7d9ae14444fde1fd876d4ecbd34

SHA1
db554ecf9d22be99137e2acd641fccc9c418f075

SHA256
8fe7610527d82bad00ee773a67232f3119ae063977ff6c3a3cf85429a28e66b9

SHA512
89f21f55f27913fd386de669b6584bdaa7b76d453f66e6115ba80f4f83417ef812c347b8a9a0be8dd41135143f1f9a04f3b6feb57f48f5d6d428201968ff908e

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
245KB

MD5
b815bb6a1169c9f9c4b46387f2dd6913

SHA1
058ffcb7b8612673cad9d552a8c68c62e66dbd6b

SHA256
487b6580213bab9901c983751f5193f8e151d290c369551b43677c5e858e2480

SHA512
372bc501dbe94236057ea7e7227f9a1ddfe4b80bb4f92e02daf3f8ce2deedaa3d63c28fd8303557e18b950825ae6cd6422aabb524f2a98824acae6d89325e0a9

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
245KB

MD5
6ef4e55e124b17d45524b9ac68ac0a40

SHA1
f38fbc4003a60c4232d259cbb3f5145f7e8d92f6

SHA256
555f39dbbe6f656f6e8f56e79732676d84cc15ad3adbf8c5f2481d8b5256b6f3

SHA512
ff5590307d94c0f8f725b5354c52d7b1a39dc7a493da5938646941bc7762d0744b404e9fc656a9071bd471ad39a37a632a9f2e34d3acb7aa275c02f601163252

Download Submit
C:\Windows\SysWOW64\Cdiooblp.exe

Filesize
245KB

MD5
efb80293adb15b3767ea9592958105dd

SHA1
e03b56573d529d1f5344d13e83bc66b68b37e7b9

SHA256
fcd4180b4477b082119c932ce633794f1193c7b2159f3b08309ac5884c1e2e39

SHA512
f6ae12b3dd39cf09217a60ebf768ec0e2c600360cef28023c4b9f0ca2c5932e28c78cb77d57c71a3dcfc465cebf00a22bdc1616667114a3d80380346a5c53726

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
245KB

MD5
9e6eeb59888154675088da6c2906b924

SHA1
4ed916e16a6daaf57b3589e1cca6f5d18f2b7158

SHA256
ad3465b38b672abd5aec041032d134fbd31ac614eaa73d2abb69c2797c83768f

SHA512
4698f427a045b758f5f7e7603f7a32c49833eb71c0e1ce7c3fab58fa31320ad639ba0de4a29392d5e7bd553546fac71acba1106ea299bd45da3489659cd31ab5

Download Submit
C:\Windows\SysWOW64\Cehkhecb.exe

Filesize
245KB

MD5
3fc828ead31213bfbd9e25786baccd2e

SHA1
257b1903965e2113f884542994893b69c3f39643

SHA256
c284ce2367b2826c235e09b94384678b7e1734068570c77ac95e0c8f7c4f7dc4

SHA512
b955fb8d5f04335bda1e7ea0f05466eefc10bc627b0e7f67c812e8cff63851d631df0fe7705cbabeba8c14476e09b9c953c8d04a059f5d84c82f77271f4b5091

Download Submit
C:\Windows\SysWOW64\Ckedalaj.exe

Filesize
245KB

MD5
92bc71a6a8a5bf826674cb55f92f6135

SHA1
8875a1c45f0238f388fc3839e3f79ead6a4a26c0

SHA256
d3160ee4e61e28247606a36ddf7823aa9e71d6fd04e5daff24b1a88b4e146d57

SHA512
74eba57aabdb8f4ac7295de0ab9abffb6d56e103b0843357a1e8cb21ca0b0bd2407524cc58f4636c036a7ca20c940edfc45970b4e124c7229014460c92a7a116

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
245KB

MD5
c6a154f492a7b0e656d870d07608d3be

SHA1
eb12d8965d9a39cd5a3c9e5def57ccc61789ad9d

SHA256
771dde239858d991d55d0109bb1bd553cf0c53f5ae6c744bf87772a7d4594487

SHA512
04c49ed3707e6f09b39bf3f7f866d6f4001b5dc679a6b1649444771322165518c7d82fdae9cc6ec496f89e82506b4af0dd5d172af2c2713c1493a0c63072abf0

Download Submit
C:\Windows\SysWOW64\Dadeieea.exe

Filesize
245KB

MD5
7c166cb3fd057d6bfc71480e02357fff

SHA1
ef20f1491bdb7bb1085d836e99cf69201162ac64

SHA256
1f70c292bab54b5c1c049ee8b705a03faf9c603535d6bc54b7638be73543f291

SHA512
208b00b01008816af2cd1fadf496b29314eee635af32d0521db9cb13d1e03cb6d8b0216d0da2d1594f8b97e5aa164a1eb76276d8281a2117bbb5d792af980703

Download Submit
C:\Windows\SysWOW64\Dahode32.exe

Filesize
245KB

MD5
467de8ab24d64ad6f92d3a735a72c102

SHA1
98dc74cc557a05060634bee6918997aa58b6b42e

SHA256
be54aff94a1d3281d9737cde0ed2ea6534aafbabfc1ed304b098a8238f8c7193

SHA512
b9f67dcc736f335e4e122fef0dbf2aa1180c3da2925a305678dbb26a4772e2c3f3fa27f6b5fe8444447bddb0919147d80404c6d03c88e737fe3bcb1c6c72d271

Download Submit
C:\Windows\SysWOW64\Daolnf32.exe

Filesize
245KB

MD5
7578f81a242c8f7d678fef0ea9af0fbd

SHA1
21e4ae284f1cebb4bc719bfda7ae247767fc7bbf

SHA256
3324699fec46b40fdc360383941f3067470a124b261dd6a0f2c9f273026b3fe4

SHA512
cfe05aaac066dd985e5211107c5278aaac67bea55beaf62a8742b1099c8e1092298f490c714a46f9f9b5cf753997b379e138de98bc9edd74fe7d709135184f09

Download Submit
C:\Windows\SysWOW64\Dbaemi32.exe

Filesize
245KB

MD5
1113efbe532f71a489ccee765de043ea

SHA1
920d2b58ec1a60b4a73de4638ac33833a0901e38

SHA256
469ed123776f106c5d63755fffbcd10b50ddff69dca6e9f24ede370285268b45

SHA512
8b53a75c3bb2f1936ade4aec516b5c2121c48bda5d8b54278ebb4fca8bc30aec26435d8d86fb9b2bd46f90094ed8fb4db6762892e31656256663cf611e868333

Download Submit
C:\Windows\SysWOW64\Dccbbhld.exe

Filesize
245KB

MD5
29f11d86399b72e22b62d530c59d3737

SHA1
f90e4e20d0c99ff8177b4076fee76d5ecd55fd72

SHA256
9161ecf23c8102cae4b7203368398e562fc34de449d251a0079069d523b81432

SHA512
c76b006b1e92b2f8c1ae54b3b62178b8a64e40bab33f8ccf73441bfb0016a6b7cf547d593216906c02cdb218603105cd3a1c38fbe1474a0c0198fb017ba32a96

Download Submit
C:\Windows\SysWOW64\Dceohhja.exe

Filesize
245KB

MD5
21f98f137685082a877f485c6ccb5252

SHA1
728ea8b0ad138d86be85425432d9b0926a70a76e

SHA256
d1be8e1966ac4823388ba0eff75633bfa7d723557affcd4121fd139765c93842

SHA512
13ba17c7e50b9013680823f1e8871779d635884d37e1ec7dd3707d92125d2480ffe44509a3a27cdbf3aaacf17c55cafba93ff2f176062bafe95954d8ec377623

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
245KB

MD5
eec97f65719350522cf19707ce21fd19

SHA1
5295170889efafa9b1601e3a849fbbf131f89664

SHA256
b59e88bb70e76200489aacef8d8d110fd39e1df18e81a0c95b3b028aefd45ce6

SHA512
88749dce9fceaff38b70812a3809ec9e8858251ec23e66fe08d1c306c3634642bec63bbaa5a9751c96a60bb5f1c556b4e596dc932e06b442cd8ddf920c6df02b

Download Submit
C:\Windows\SysWOW64\Ddgkpp32.exe

Filesize
245KB

MD5
8b25b2e2a91b641425f35d3bdc3fcbb7

SHA1
94504507c8667706d52832a8f6ccf8206dc55ec2

SHA256
18055b90147b5ada8a94c9f2831afa79a5f12fb180863ad33ee6b0a794880eab

SHA512
b2e9b9f0128c96e82c9c83b0afb8cf4b000846ccb629d79e1421e76a9f98208472b5766051d9fc1ba556e00e0ef7e259b6a64a8b277ab8a7ff97b6e4fed68e55

Download Submit
C:\Windows\SysWOW64\Ddmhja32.exe

Filesize
245KB

MD5
597e83cc2d864a59f19b2fa72e70c6bc

SHA1
2881c748888e41ba1b6cf92175656d4680b97564

SHA256
7b8b9e50fd30adea31b2a7e2eb9a2a730e000fdecc0f502b3c9507255a32174a

SHA512
113ffaadc38a3790d385b0ce7f4fa3d63ad1525f7cec9654dda77664268020633afd5303a22ca9850b82b4f97817456c0d0fe953a1e95c06eb6aa84f952df34a

Download Submit
C:\Windows\SysWOW64\Ddpeoafg.exe

Filesize
245KB

MD5
d4e5903c5fccce0b1428ea0c5b91d8b1

SHA1
1bd8f1e8b3a091e20fcd7e39a2e6f67c9ecddd58

SHA256
1e47f26a9d2994184ec6c2bc4b0327faf913cd2aed81b2adc90b56e960ca0605

SHA512
a2cb563076652cf3834e86ba02f1281d110223f91884d264861f1b01a3a7935646406f0961d169c6f12399db289a9fb011631e0f63cc525ff61525db97a42128

Download Submit
C:\Windows\SysWOW64\Deanodkh.exe

Filesize
245KB

MD5
83dbff4a35585175a506894073c61234

SHA1
d291732c3bdd40e6e0cd7d11f5501d76381922a9

SHA256
a16fb584caf287990de242ea0004b0b7705b27e52c23f21ae4c6faad263e44be

SHA512
f2ae37940e6af88a8c570c7ee1125a9adf204e4f7d514fedc5924d6e86882439b3aa120daef860b8f2f96261c2369f3c07751bbb1ef012d5e22dd7bd4d41d313

Download Submit
C:\Windows\SysWOW64\Deoaid32.exe

Filesize
245KB

MD5
9a18a0be442fd18c2086b63d11fa78b4

SHA1
420d5d995148ee9cb8a4cece79919c8246a9cfd1

SHA256
766fdc725f7135f4d2a5331f83e75be8fee10bb0e2cb47478a1f757d8c2bb63d

SHA512
7a3b312c0092e09a79bd0244f495d3d0c29b766d59cffd77dcb72cacb7ae2924e78096c524bb6c46d43a11f37aac641405a0a3fbdfb77ce7b4b8920a1ce7a11e

Download Submit
C:\Windows\SysWOW64\Dhbgqohi.exe

Filesize
245KB

MD5
2beea44d1268c479db15117bd9d9cd15

SHA1
b517181d1eb52c3281cd36efc031e476a45c0746

SHA256
f4bdb5a3b579573f3b88a8dafce7aeb3b77ba7738b894862ebda0d745534ed5d

SHA512
7984ff85b1bab114e5368e129fcbd386b347a8115a37de62888131bd9980b3c027ba17ffd788e4c793f79b10b05ec14a7224b4e568079e22784c035792b9028c

Download Submit
C:\Windows\SysWOW64\Dhnnep32.exe

Filesize
245KB

MD5
64944e69d88ba6e03ae9fd90e80e8fad

SHA1
e9ea9f50bd1bd50b2c875ba39c875f2d143eb74a

SHA256
53f1fa1a524ad1afa7ef3ce073a15c85479b823d89188de6e8f0318a430989f7

SHA512
a7ea3813a82625260954ef8e135e893da73ae0755d6cfe4f98f655c5033bfd2f4df81d7c737e0aa73f47fd04ab06b1bd85d43ba54cd27d5bec3bcd59fc4db9c1

Download Submit
C:\Windows\SysWOW64\Dhpjkojk.exe

Filesize
245KB

MD5
5ccc4e9124ab14114d35b3e3473eca95

SHA1
b5cfaa2f0008e0f834f17ef29de4cd7d84efcffb

SHA256
4c339f389a0c3ae51cffa9dc7f19e148345baadc9541f39d0e8ceb1d908f3d0d

SHA512
fc4408ec05315dff34b4d650e28307b014119a0e5bb3f4feac407e60d0099461e59fe0ba844a57e93f0b33db16a145a88e2ff54aff2807382845812db0a14f2a

Download Submit
C:\Windows\SysWOW64\Dkljak32.exe

Filesize
245KB

MD5
ebfaadc09954986b42b55a3225d215ff

SHA1
38bf542f940a25aebe40e1255042f229f3544f1a

SHA256
2e1542c54801589963d7da0b204037cfb5894923787c8be1f516cd2020535079

SHA512
02d0a25b639868f492146bc9d780d3f98a21ca11360d36e204fe232a953cf032133e21803e900f9c18219943d5baa2963077b3fbbec5818f74102e0ea21c7c6d

Download Submit
C:\Windows\SysWOW64\Dkoggkjo.exe

Filesize
245KB

MD5
1317b69892e09d25726c18225c57cea0

SHA1
5e7b279b0659aec7574d8c04f600176fcbf69ab1

SHA256
e1d33ad5d437486d86e45e21282dcbc877cccab1f2e694fffee5ee6f06e47e43

SHA512
f4dc687f67ad332a00686d8160f33bd4dab89dcd12539d8e9d88136be585c39dbaffb396f7f876a11688d821e24e772314e9f97634b1fb8396e5f9646ce59657

Download Submit
C:\Windows\SysWOW64\Dllfkn32.exe

Filesize
245KB

MD5
076248870212e5613c39f3105c611b1f

SHA1
53049aaa2560df7df2a623cb007537d06b67f646

SHA256
6fe871b977d1ec3b286c70d27767ee111590ba6795d3bf6803d092d51a55da2f

SHA512
d9b9d20dfdf2c2641a26b8693ad49c629b0243748a78e8e8775f5d8449728be5ead04896289b97c168fed4381b2654d638a92e09a28e4cb19a73a613e76c04e8

Download Submit
C:\Windows\SysWOW64\Dohfbj32.exe

Filesize
245KB

MD5
cc93e3f442ccd6ffb92178c110874c23

SHA1
f76992715453480904e6ca0dbfb7cdde9af88227

SHA256
f4de864201dd78bb37acc85dfe478939647fbb77e6ef3db44415f8d4cf2948c5

SHA512
3876367c99a15a1a5e30a02ebb20130c2b706d3e30f37dbca5b1fa62ae8c000409235e3e992cdc0fcbb6962b3da6cfde883d895d8343cfaaf87ddbde7a7a191b

Download Submit
C:\Windows\SysWOW64\Eaklidoi.exe

Filesize
245KB

MD5
fac2bdbeb53922e333d3d432feb9e6d3

SHA1
2ea7260608c7b1a457c199c76fa622272836115e

SHA256
cfe516f7476cdc6c2de465ce639d6c2fabdfa9dbb74d4ef23e6ed5a7a8440200

SHA512
6b1e5d9b4a7db9939e9fe6f6a8e86a33242748be72c00613fba631efe533344e206b4297da21fb3c536d25defe9bfa1e77081d4970482075f34676006b34abe4

Download Submit
C:\Windows\SysWOW64\Echknh32.exe

Filesize
245KB

MD5
331d47a548fd532b54bb7676a55c5ab1

SHA1
03e5f6d28aca5d70f4c783e969cc6ff04a4332ca

SHA256
683328a9c7f0c1752fe545cb68741ae116c859e2ba2471595ba97575c69ce150

SHA512
d3d69b3afa4095a3c350b7568721febf871ee2f4f88b052624c31ec2d7c5096a90760061c15338ccc7c021d2854a0c9f59c623cbd4a1e693ae78f3bbe5218e85

Download Submit
C:\Windows\SysWOW64\Ecjhcg32.exe

Filesize
245KB

MD5
1b49f4813f0ddb47a1a5495b0a521750

SHA1
77a6456b5673145e38fd6a6fd040997e9850458e

SHA256
1d5781bb4796448511841aaff499ab8d728bbeb920b0e3b52a1ab429a9e5605c

SHA512
e374963b934656721b451f1d522ccdbd72a50849c4ccdb5084a98092897d313f920c90601d33f451ff23d8484f363dd2dba10f7905994584502327ddbc7e869d

Download Submit
C:\Windows\SysWOW64\Edkdkplj.exe

Filesize
245KB

MD5
667d89b7994f930bc26df429945c4108

SHA1
ab0f030aa37422e93e3c3a90928732ddcac81ef4

SHA256
8edb5b62e6f08a89db9883be023216b9ebef7bdb979342c647f261642c19f06b

SHA512
3cd12ff9c49e4754a8d3d01c2af5869f2dd15278d5ddf4326c8a14fbf47be7cad47141b1b98abd21df98d5f461612e784015e18fb7303c6ca5d0e84184eea65b

Download Submit
C:\Windows\SysWOW64\Eefhjc32.exe

Filesize
245KB

MD5
1522fa11564473dae37c3b0f33d97d48

SHA1
f8f52cc1e1d726890b38e58ac54b31c0fc53f8c5

SHA256
9a9a3672c67549d85148854cc9752504e73a922cfe8459f092b0bb4d20473205

SHA512
d86f84a060248d412b861f58f03cb4ce478e66b4e99c123100f99a5c5c8a0321698e06aca0aa330289b28b972aa2be100ede98c56e0e0c92b13b449be546d579

Download Submit
C:\Windows\SysWOW64\Ehedfo32.exe

Filesize
245KB

MD5
292ca7dfdfc56780f26e78e06e7f91a5

SHA1
6ce09396ad44607cd013e50c596c198cbe557a62

SHA256
e9f15f9a243739790886b0677aa4c746c0432c31e7354f98059219ad7a74303b

SHA512
d3d5226e4f6bee1dbb2f65532925250b827141563ceda08d5d17cb690e4c7866ff13d319e66ebd58647447d17bccc3488695ee7d28899a6a4d75d2734d6cb692

Download Submit
C:\Windows\SysWOW64\Ehgqln32.exe

Filesize
245KB

MD5
41591350cf2a3a017cdecd3427afe126

SHA1
1fc876e02e7e19674f76e0a5607d10e3560fd373

SHA256
5330d41fe2bcdb115ef63686277d82b2e97eed8cdfdab50933e92678c6b4ef4e

SHA512
d2dd5f087ef07b25478e5346648cacc1f31f4d7fe094dd8f68a17aea60f2ba7956b2263e9101d6bad496c9d8870e14f63ea4f150bde5408814176e7399e153ba

Download Submit
C:\Windows\SysWOW64\Ekacmjgl.exe

Filesize
245KB

MD5
0d45ed1ee760c31d4116d3f33bdc60e8

SHA1
76234c6fac6c4157c381f2b5b4bec657fe51f916

SHA256
aa0d6e1b49dd76f10567102e4a74a8f86c6f045baa00a6da0b4055a59dc042bc

SHA512
221cc943e51f6f73b8a9001bbd87009d123d1759d6e0691739f520658d4503a6fb7b54d8defc56b9a39804465cdbdeb3dba3dfc1df0332109d0917da6fc29457

Download Submit
C:\Windows\SysWOW64\Ekcpbj32.exe

Filesize
245KB

MD5
68a0106c232326f4aec8a2e5f469ebc4

SHA1
e6da0551b40768c5d944a26bef6b9a32e64d704b

SHA256
5874f6ddb36d5d06638469e8c157d2ccbaffb882820d80dbbb7970feefb0c639

SHA512
30c7917e41361783ccc4199338f3ce084b348be92e7e76f7adddc0cb9f8b9b3cea2c7cb072712430c93bf55fd4b737293db4fd9589c202114ef9b8d32c59073c

Download Submit
C:\Windows\SysWOW64\Elppfmoo.exe

Filesize
245KB

MD5
97dc884d763525572e3dfacdfe21d98e

SHA1
5fa8e3640625c7a10588214c419461b1f99990bb

SHA256
6923dc10427fbe73de2ce44474b8bdf5db952db51db702e85a3ef4b52ba3bd3a

SHA512
c859a2ef73caaca79677a7664adf3a2baff50f7e724f1b6f991820ff3e5c9b8300bb15535cfbd2b3e44cb955a824b8b87dd431beac737cab80db30458874cbe7

Download Submit
C:\Windows\SysWOW64\Eolpmi32.exe

Filesize
245KB

MD5
d135cbd90a2034c1c712f676b425a925

SHA1
d2ab2f3bf4b5a2a988d4c5ec3583efa9a30fb29b

SHA256
c48bd89012a2e432ec513ca3d8c80ecfa3a9670dd5212026f741651ef1c90607

SHA512
f2427070581fadf125b374d02e396ea607aa72dcffdee26421df1620ac49222c7785a5e3eeee069d63b64277aa7772909a77bd8e5bf05e6699ffc2bb28d36e93

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
245KB

MD5
3bc8110bda2fdc016a602d4ce9a9dcd2

SHA1
e883c27c4e96c4bede397eff33d0717889a59906

SHA256
ce0ccce299a5c7726bbe65d4312c2ae8930edea314d0c134337a9d464f93a6e9

SHA512
9c7720ac06ca6127859918801032bfc93c26b5b4be37a4a802ce8e31c4ed11963da4fc0d0c471453aaf301fc0fc7b2bf4b4cb39eb7509b2f3d842aea88909738

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
245KB

MD5
01f6a111c6ef38ca9c10f496fd4a465d

SHA1
68d48823bce7df28d906b7b832d92029ccedbd15

SHA256
4b0459020ff5df090bde457ee4b6f6c22583d1b81e38a76b6e36c7bb33cea545

SHA512
181fe057ea20bcf3ea3a1f30562ed0bab212dcd8eb690ef52cd2e68a8d7ded30240736533fc9261b5d83bbf8478029cf9b6f55f934d3ad454ef16293364c3d63

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
245KB

MD5
4582f2efa535a89c10891bdf5159961a

SHA1
d8d1552d8f738fde3a856a8f1bff16e02d464c06

SHA256
d6d439f4f8444864c497720a0866e5ef53d7db21ac0f0d5082559fbc063eabb1

SHA512
3118bb257529702157c91a04387794d9c1efd2aa8329f2f562f150b809b2cbc3efe65436bf83ec477bdab6a3413a522c6cd4a0d78ae80edd8d494c803884161b

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
245KB

MD5
d0bb54fc3b2bf9b42b551fcaa0facf82

SHA1
ddb33e4f797a33b49905fd6cffaf13617d857a98

SHA256
c0bfb92c71cd75737c393b475b51f7755a824ee02690e61ee82993f3819425bf

SHA512
5b951786a5e516dabb52664016a6eac15e84aba796b051ca266dbc9f0e05d8e857d89a5e796a6c1639a9b1400af3b0da400b8faecaae4337b3c46aa55e547f26

Download Submit
memory/212-418-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/212-915-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/532-919-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/532-422-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/664-482-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/720-876-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/720-33-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/748-551-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/848-2479-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/848-8-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/848-859-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/916-914-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/916-417-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1104-424-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1140-476-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1352-573-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1400-426-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1464-527-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1512-498-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1512-2322-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1560-515-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1852-717-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2192-911-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2192-415-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2220-2418-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2236-448-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2364-912-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2364-416-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2468-550-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2636-2325-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2832-428-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2856-18-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2856-862-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3240-579-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3240-2292-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3372-427-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3400-25-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3400-868-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3512-891-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3512-53-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3528-499-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3536-2-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3536-844-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3536-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3624-885-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3624-45-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3640-460-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3912-64-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3912-898-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4028-571-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4084-543-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4092-900-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4212-909-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4212-414-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4272-2384-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4340-425-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4460-516-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4612-918-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4612-421-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4692-528-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4716-423-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4844-2356-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4940-917-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4940-420-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4948-899-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4948-65-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4976-419-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4976-916-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5168-801-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5184-594-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5224-596-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5264-729-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5300-602-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5320-735-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5348-2214-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5348-804-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5384-617-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5412-861-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5420-741-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5424-619-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5468-625-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5520-631-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5544-752-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5548-819-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5568-637-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5608-647-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5616-763-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5660-649-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5680-830-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5692-874-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5704-655-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5748-666-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5776-773-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5784-667-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5828-677-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5848-775-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5864-2257-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5880-832-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5908-684-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5936-781-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5948-695-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5980-696-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6040-838-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6044-702-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6108-792-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6232-2182-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6380-2133-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6604-2110-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6692-2163-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/7172-2083-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/7424-1986-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/7684-2059-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/8328-1918-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/8368-1970-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/8672-1961-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/8684-1929-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/8708-1916-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/8820-1928-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/9012-1952-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads