05da2d16d6a23c45daf86194ea3340ac1a880696dc0d664e6fd76cc99fb7a3d2

Analysis

max time kernel
139s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 23:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5a0ec5f52ce12aa0735d439c4768c4f0_NeikiAnalytics.exe
Size

90KB
MD5

5a0ec5f52ce12aa0735d439c4768c4f0
SHA1

aab37843a9c8304e5c7019933ac018816792822e
SHA256

05da2d16d6a23c45daf86194ea3340ac1a880696dc0d664e6fd76cc99fb7a3d2
SHA512

5dab0f5f2852af64cf4711ad1bfc4925abbbfae09270ac56f9cce6f5c8cf3cc04d910c8276a4c7148b39cc635f2561fe5cdb06de590858076fc19a4073b76b9e
SSDEEP

1536:w+N+sCIgdMkWnMwkRLequ7NryM7drEPk1x2LsGE/nHvJX6fOOQ/4BrGTI5Yxj:Qhaki72Xu7NrnrkS/HvJWU/4kT0Yxj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hiipmhmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjblje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfodeohd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iibccgep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emmdom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpkibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imiehfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnlkfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Paiogf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkibgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbbpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbjoeojc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmdfonj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lqhdbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmipdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiffqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cohkokgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Digehphc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpanan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eofgpikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbhoeid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fimhjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmkqpkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpqldc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpchib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efeihb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifmqfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glipgf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ickglm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjjbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnangaoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkceokii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbalopbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkokcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbpjaeoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfgipd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Joahqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcimdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfoann32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnipbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdpni32.exe

Executes dropped EXE 64 IoCs

pid	Process
3480	Cfpffeaj.exe
3916	Cohkokgj.exe
3876	Cfbcke32.exe
516	Chqogq32.exe
4420	Dkokcl32.exe
5024	Dbicpfdk.exe
860	Dhclmp32.exe
1120	Domdjj32.exe
4636	Ddjmba32.exe
2636	Dkceokii.exe
1272	Dnbakghm.exe
1276	Dfiildio.exe
532	Digehphc.exe
1364	Dkfadkgf.exe
3984	Dbpjaeoc.exe
4412	Dbbffdlq.exe
4464	Eiloco32.exe
3272	Eofgpikj.exe
2080	Ekmhejao.exe
3552	Efblbbqd.exe
4368	Emmdom32.exe
1116	Eokqkh32.exe
2564	Efeihb32.exe
2308	Eicedn32.exe
5052	Enpmld32.exe
1304	Eifaim32.exe
4340	Enbjad32.exe
3728	Felbnn32.exe
3952	Fbpchb32.exe
116	Fmfgek32.exe
1976	Fbbpmb32.exe
3564	Fimhjl32.exe
1596	Fnipbc32.exe
3024	Fechomko.exe
4732	Fmkqpkla.exe
828	Ffceip32.exe
1388	Fpkibf32.exe
1068	Fbjena32.exe
3256	Glbjggof.exe
3600	Gnqfcbnj.exe
4632	Gmafajfi.exe
1672	Gppcmeem.exe
100	Gbnoiqdq.exe
4048	Gihgfk32.exe
4772	Gpbpbecj.exe
32	Gbalopbn.exe
2212	Gflhoo32.exe
2176	Glipgf32.exe
2540	Gfodeohd.exe
3452	Glkmmefl.exe
4504	Gpgind32.exe
1648	Hipmfjee.exe
2920	Hlnjbedi.exe
2684	Holfoqcm.exe
2992	Hplbickp.exe
1000	Hbjoeojc.exe
4372	Hlbcnd32.exe
2832	Hblkjo32.exe
2580	Hekgfj32.exe
4484	Hmbphg32.exe
4008	Hpqldc32.exe
4908	Hfjdqmng.exe
5144	Hiipmhmk.exe
5188	Hmdlmg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Abklmb32.dll	Cfpffeaj.exe
File opened for modification	C:\Windows\SysWOW64\Ipgbdbqb.exe	Imiehfao.exe
File opened for modification	C:\Windows\SysWOW64\Enbjad32.exe	Eifaim32.exe
File opened for modification	C:\Windows\SysWOW64\Kgflcifg.exe	Kpmdfonj.exe
File created	C:\Windows\SysWOW64\Mhjmpfcl.dll	Dbpjaeoc.exe
File created	C:\Windows\SysWOW64\Dmokdgeg.dll	Loighj32.exe
File created	C:\Windows\SysWOW64\Felbnn32.exe	Enbjad32.exe
File created	C:\Windows\SysWOW64\Ilqoobdd.exe	Iibccgep.exe
File created	C:\Windows\SysWOW64\Pdhkcb32.exe	Paiogf32.exe
File created	C:\Windows\SysWOW64\Dkfadkgf.exe	Digehphc.exe
File created	C:\Windows\SysWOW64\Nmdgikhi.exe	Nggnadib.exe
File created	C:\Windows\SysWOW64\Ehkaqc32.dll	Iebngial.exe
File opened for modification	C:\Windows\SysWOW64\Dnbakghm.exe	Dkceokii.exe
File created	C:\Windows\SysWOW64\Gppcmeem.exe	Gmafajfi.exe
File created	C:\Windows\SysWOW64\Ocgbld32.exe	Oplfkeob.exe
File created	C:\Windows\SysWOW64\Opjghl32.dll	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Gpbpbecj.exe	Gihgfk32.exe
File created	C:\Windows\SysWOW64\Jpcapp32.exe	Jenmcggo.exe
File created	C:\Windows\SysWOW64\Oabhfg32.exe	Ojhpimhp.exe
File created	C:\Windows\SysWOW64\Lbandhne.dll	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Cnjdpaki.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Cnjdpaki.exe
File opened for modification	C:\Windows\SysWOW64\Imgicgca.exe	Iepaaico.exe
File created	C:\Windows\SysWOW64\Ofkgcobj.exe	Oclkgccf.exe
File created	C:\Windows\SysWOW64\Koaagkcb.exe	Klcekpdo.exe
File opened for modification	C:\Windows\SysWOW64\Kjgeedch.exe	Kgiiiidd.exe
File opened for modification	C:\Windows\SysWOW64\Ljnlecmp.exe	Lgpoihnl.exe
File created	C:\Windows\SysWOW64\Lfeljd32.exe	Lcgpni32.exe
File opened for modification	C:\Windows\SysWOW64\Mfqlfb32.exe	Mgnlkfal.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Caojpaij.exe
File opened for modification	C:\Windows\SysWOW64\Koaagkcb.exe	Klcekpdo.exe
File created	C:\Windows\SysWOW64\Pnkbkk32.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Bmjkic32.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Chfegk32.exe	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Fmfgek32.exe	Fbpchb32.exe
File created	C:\Windows\SysWOW64\Igdgglfl.exe	Iomoenej.exe
File opened for modification	C:\Windows\SysWOW64\Mcgiefen.exe	Mqimikfj.exe
File created	C:\Windows\SysWOW64\Nmbjcljl.exe	Mjcngpjh.exe
File created	C:\Windows\SysWOW64\Binlfp32.dll	Nmfcok32.exe
File created	C:\Windows\SysWOW64\Agdcpkll.exe	Adfgdpmi.exe
File created	C:\Windows\SysWOW64\Imiehfao.exe	Iebngial.exe
File created	C:\Windows\SysWOW64\Keiifian.dll	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Kbjodaqj.dll	Ffceip32.exe
File created	C:\Windows\SysWOW64\Lqhdbm32.exe	Ljnlecmp.exe
File created	C:\Windows\SysWOW64\Pfabjq32.dll	Gbnoiqdq.exe
File created	C:\Windows\SysWOW64\Fenhjedb.dll	Hlnjbedi.exe
File created	C:\Windows\SysWOW64\Jedccfqg.exe	Jcfggkac.exe
File created	C:\Windows\SysWOW64\Glbjggof.exe	Fbjena32.exe
File created	C:\Windows\SysWOW64\Bfnikd32.dll	Lcgpni32.exe
File created	C:\Windows\SysWOW64\Ijikdfig.dll	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Adkqoohc.exe	Apodoq32.exe
File created	C:\Windows\SysWOW64\Agimkk32.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Enpmld32.exe	Eicedn32.exe
File opened for modification	C:\Windows\SysWOW64\Fmfgek32.exe	Fbpchb32.exe
File opened for modification	C:\Windows\SysWOW64\Pjbcplpe.exe	Pffgom32.exe
File created	C:\Windows\SysWOW64\Lgibpf32.exe	Lcnfohmi.exe
File created	C:\Windows\SysWOW64\Ojhpimhp.exe	Ogjdmbil.exe
File opened for modification	C:\Windows\SysWOW64\Oclkgccf.exe	Oanokhdb.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dgeenfog.exe
File opened for modification	C:\Windows\SysWOW64\Npiiffqe.exe	Nagiji32.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Caageq32.exe
File created	C:\Windows\SysWOW64\Ckjinf32.dll	Gppcmeem.exe
File opened for modification	C:\Windows\SysWOW64\Qdaniq32.exe	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Kpanan32.exe	Kncaec32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8704	8476	WerFault.exe	370

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnffoibg.dll"	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eokqkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lljklo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnoaaaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedegh32.dll"	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hblkjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjblje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enpmld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lqmmmmph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgflcifg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpanan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hplbickp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdopj32.dll"	Ilqoobdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgpecj32.dll"	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjlopc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilnbicff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnnlj32.dll"	5a0ec5f52ce12aa0735d439c4768c4f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjghl32.dll"	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbicpfdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glkmmefl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmdfonj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emmdom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbbpmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbalopbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipgbdbqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iojbpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eicedn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iidphgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klcekpdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opnbae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cohkokgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glkmmefl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iohejo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Joahqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gnqfcbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgagk32.dll"	Mqafhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiboaq32.dll"	Dkceokii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blqhpg32.dll"	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkfadkgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hipmfjee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imiehfao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll"	Ljhnlb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 3480	2572	5a0ec5f52ce12aa0735d439c4768c4f0_NeikiAnalytics.exe	92
PID 2572 wrote to memory of 3480	2572	5a0ec5f52ce12aa0735d439c4768c4f0_NeikiAnalytics.exe	92
PID 2572 wrote to memory of 3480	2572	5a0ec5f52ce12aa0735d439c4768c4f0_NeikiAnalytics.exe	92
PID 3480 wrote to memory of 3916	3480	Cfpffeaj.exe	93
PID 3480 wrote to memory of 3916	3480	Cfpffeaj.exe	93
PID 3480 wrote to memory of 3916	3480	Cfpffeaj.exe	93
PID 3916 wrote to memory of 3876	3916	Cohkokgj.exe	94
PID 3916 wrote to memory of 3876	3916	Cohkokgj.exe	94
PID 3916 wrote to memory of 3876	3916	Cohkokgj.exe	94
PID 3876 wrote to memory of 516	3876	Cfbcke32.exe	95
PID 3876 wrote to memory of 516	3876	Cfbcke32.exe	95
PID 3876 wrote to memory of 516	3876	Cfbcke32.exe	95
PID 516 wrote to memory of 4420	516	Chqogq32.exe	96
PID 516 wrote to memory of 4420	516	Chqogq32.exe	96
PID 516 wrote to memory of 4420	516	Chqogq32.exe	96
PID 4420 wrote to memory of 5024	4420	Dkokcl32.exe	97
PID 4420 wrote to memory of 5024	4420	Dkokcl32.exe	97
PID 4420 wrote to memory of 5024	4420	Dkokcl32.exe	97
PID 5024 wrote to memory of 860	5024	Dbicpfdk.exe	98
PID 5024 wrote to memory of 860	5024	Dbicpfdk.exe	98
PID 5024 wrote to memory of 860	5024	Dbicpfdk.exe	98
PID 860 wrote to memory of 1120	860	Dhclmp32.exe	99
PID 860 wrote to memory of 1120	860	Dhclmp32.exe	99
PID 860 wrote to memory of 1120	860	Dhclmp32.exe	99
PID 1120 wrote to memory of 4636	1120	Domdjj32.exe	100
PID 1120 wrote to memory of 4636	1120	Domdjj32.exe	100
PID 1120 wrote to memory of 4636	1120	Domdjj32.exe	100
PID 4636 wrote to memory of 2636	4636	Ddjmba32.exe	101
PID 4636 wrote to memory of 2636	4636	Ddjmba32.exe	101
PID 4636 wrote to memory of 2636	4636	Ddjmba32.exe	101
PID 2636 wrote to memory of 1272	2636	Dkceokii.exe	103
PID 2636 wrote to memory of 1272	2636	Dkceokii.exe	103
PID 2636 wrote to memory of 1272	2636	Dkceokii.exe	103
PID 1272 wrote to memory of 1276	1272	Dnbakghm.exe	104
PID 1272 wrote to memory of 1276	1272	Dnbakghm.exe	104
PID 1272 wrote to memory of 1276	1272	Dnbakghm.exe	104
PID 1276 wrote to memory of 532	1276	Dfiildio.exe	105
PID 1276 wrote to memory of 532	1276	Dfiildio.exe	105
PID 1276 wrote to memory of 532	1276	Dfiildio.exe	105
PID 532 wrote to memory of 1364	532	Digehphc.exe	106
PID 532 wrote to memory of 1364	532	Digehphc.exe	106
PID 532 wrote to memory of 1364	532	Digehphc.exe	106
PID 1364 wrote to memory of 3984	1364	Dkfadkgf.exe	107
PID 1364 wrote to memory of 3984	1364	Dkfadkgf.exe	107
PID 1364 wrote to memory of 3984	1364	Dkfadkgf.exe	107
PID 3984 wrote to memory of 4412	3984	Dbpjaeoc.exe	108
PID 3984 wrote to memory of 4412	3984	Dbpjaeoc.exe	108
PID 3984 wrote to memory of 4412	3984	Dbpjaeoc.exe	108
PID 4412 wrote to memory of 4464	4412	Dbbffdlq.exe	109
PID 4412 wrote to memory of 4464	4412	Dbbffdlq.exe	109
PID 4412 wrote to memory of 4464	4412	Dbbffdlq.exe	109
PID 4464 wrote to memory of 3272	4464	Eiloco32.exe	110
PID 4464 wrote to memory of 3272	4464	Eiloco32.exe	110
PID 4464 wrote to memory of 3272	4464	Eiloco32.exe	110
PID 3272 wrote to memory of 2080	3272	Eofgpikj.exe	111
PID 3272 wrote to memory of 2080	3272	Eofgpikj.exe	111
PID 3272 wrote to memory of 2080	3272	Eofgpikj.exe	111
PID 2080 wrote to memory of 3552	2080	Ekmhejao.exe	112
PID 2080 wrote to memory of 3552	2080	Ekmhejao.exe	112
PID 2080 wrote to memory of 3552	2080	Ekmhejao.exe	112
PID 3552 wrote to memory of 4368	3552	Efblbbqd.exe	113
PID 3552 wrote to memory of 4368	3552	Efblbbqd.exe	113
PID 3552 wrote to memory of 4368	3552	Efblbbqd.exe	113
PID 4368 wrote to memory of 1116	4368	Emmdom32.exe	114

C:\Users\Admin\AppData\Local\Temp\5a0ec5f52ce12aa0735d439c4768c4f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a0ec5f52ce12aa0735d439c4768c4f0_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\Cfpffeaj.exe
  C:\Windows\system32\Cfpffeaj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\Cohkokgj.exe
    C:\Windows\system32\Cohkokgj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\SysWOW64\Cfbcke32.exe
      C:\Windows\system32\Cfbcke32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3876
    - - C:\Windows\SysWOW64\Chqogq32.exe
        
        C:\Windows\system32\Chqogq32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:516
      - C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Ddjmba32.exe
        
        C:\Windows\system32\Ddjmba32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Dkceokii.exe
        
        C:\Windows\system32\Dkceokii.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        29⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Fmfgek32.exe
        
        C:\Windows\system32\Fmfgek32.exe
        31⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        35⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:828
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        40⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:100
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        46⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        48⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        52⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        55⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        58⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        60⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        61⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        63⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5144
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        65⤵
        Executes dropped EXE
        
        PID:5188
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        69⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        70⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        73⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        74⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        75⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        76⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        77⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        78⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        79⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        81⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        83⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        84⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        86⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        88⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        89⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        90⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        91⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        92⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        93⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        94⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        95⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        96⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        97⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        99⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        100⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        101⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        102⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        105⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        107⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        110⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        111⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        112⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        113⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        115⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        116⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        118⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        119⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        120⤵
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        121⤵
        Drops file in System32 directory
        
        PID:6268
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        123⤵
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6432
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        125⤵
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        126⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        127⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        128⤵
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6764
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        131⤵
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        132⤵
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        133⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        134⤵
        Modifies registry class
        
        PID:6992
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        135⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7088
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        137⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        138⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        139⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        140⤵
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        141⤵
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        142⤵
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        143⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        144⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        145⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6916
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        147⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        148⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7152
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        150⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        151⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        152⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        153⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        154⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        155⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        156⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        158⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6928
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        160⤵
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6544
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        162⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        163⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        164⤵
        Drops file in System32 directory
        
        PID:7164
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6860
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        166⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        167⤵
        Modifies registry class
        
        PID:7212
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        168⤵
        Drops file in System32 directory
        
        PID:7264
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7308
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        170⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        171⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        172⤵
        Modifies registry class
        
        PID:7444
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7488
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        174⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        175⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        176⤵
        Drops file in System32 directory
        
        PID:7620
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        177⤵
        Drops file in System32 directory
        
        PID:7664
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7712
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        179⤵
        Modifies registry class
        
        PID:7760
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        180⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        181⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        182⤵
        Drops file in System32 directory
        
        PID:7888
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        183⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7940
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        184⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        185⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8068
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8112
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        188⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        189⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        190⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        191⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7304
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7364
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7432
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7524
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        195⤵
        Drops file in System32 directory
        
        PID:7612
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        196⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        197⤵
        Modifies registry class
        
        PID:7780
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        198⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        199⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        200⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        201⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8040
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8100
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        204⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        205⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        206⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        207⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        208⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7796
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        210⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        211⤵
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8032
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        213⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        214⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        215⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        216⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7480
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        219⤵
        Drops file in System32 directory
        
        PID:8012
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        220⤵
        Drops file in System32 directory
        
        PID:8168
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        221⤵
        Modifies registry class
        
        PID:7436
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        222⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        223⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        224⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        225⤵
        Modifies registry class
        
        PID:7828
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        226⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8052
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        227⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7472
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        228⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7640
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        229⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        230⤵
        Modifies registry class
        
        PID:8208
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        231⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        232⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        233⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8376
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        235⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        236⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        237⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8512
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        238⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        239⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        240⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        241⤵
        Drops file in System32 directory
        
        PID:8684
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        242⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        243⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        244⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        245⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8900
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        247⤵
        Modifies registry class
        
        PID:8940
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        248⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        249⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        250⤵
        Modifies registry class
        
        PID:9072
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        251⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        252⤵
        Drops file in System32 directory
        
        PID:9160
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        253⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        254⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        255⤵
        Drops file in System32 directory
        
        PID:8280
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        256⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        257⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        258⤵
        Drops file in System32 directory
        
        PID:8500
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8576
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        260⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        261⤵
        Modifies registry class
        
        PID:8708
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        262⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8776
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        263⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        264⤵
        Drops file in System32 directory
        
        PID:8916
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        265⤵
        Drops file in System32 directory
        
        PID:8968
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        266⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        267⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        268⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        269⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        270⤵
        Drops file in System32 directory
        
        PID:8372
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        271⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8476 -s 424
        272⤵
        Program crash
        
        PID:8704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4084,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3660 /prefetch:8
1⤵
PID:6332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8476 -ip 8476
1⤵
PID:8652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
90KB

MD5
f7362321b5280a367e789034c3440b67

SHA1
c517c1b1e82756467bc9ade40f139f8aca1abf5e

SHA256
b27585ffd044ce273754a1d44c5125628880f8cb310ec1cf9247f2da0a88af83

SHA512
f949a0910163c4b657d51e65924147540c3df0ad3dfa02fce12a9f31d1db395869162fac0d9062b12760363935ae6fbc1e1c68ad2e249c6ea78fe923d892eeee

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
90KB

MD5
60561dd3606542bae696366554f2c2a5

SHA1
ee61e73057d0062c0f9f8688cfb57c2439dbd621

SHA256
4094bc1d1660a6ffb0cf25146fac14864325be45e8a85ddd894fe5dc6c91da00

SHA512
5c04b6cf8cc8942b2a6e8e15c513dffdd8e9832e1c6acb398b628efdd7a9175b0b72dc4ff243bb1261321cba67319e4636a074193d7f1a6fd1f05a56a49f9293

Download Submit
C:\Windows\SysWOW64\Bknlbhhe.exe

Filesize
90KB

MD5
9f059579196cd1ae5772ea0a17c28e3e

SHA1
4d459b0025fd8c9f7a44355e414e0191a5d29c60

SHA256
103fe971f6b9878d0b8fd827455f85887e63a48d45e6130a06e406b3f49c8a48

SHA512
5c6d41b2c06852ab92d023bb638ba6406a2558376935e15476a7bf7ce4038e367a854577b7ad1b65994cb9c97bcd8d52a90de1f6e30f1666869021d58eb9934e

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
90KB

MD5
545329bce808e4850f6d5f787e25cd10

SHA1
efecb31b0f44912b94cf9a2128fbe74b0d5f3678

SHA256
38c1ce4fea86ce97ee171167a879b893684d84da75b3e3176fcd1e11142d5d5e

SHA512
06390bf63fc5f1ebdd890b6d670c1fa7c621eadfd9ef62d402c7baab67f634f4dd0f912b363c3b943fed6c2d7a12c00b097a6c241a78de354f5541df274ff29e

Download Submit
C:\Windows\SysWOW64\Cfbcke32.exe

Filesize
90KB

MD5
050125df800192c51f113d2daf4421a2

SHA1
eba590baaf9fdf06c4e191e031d951254fdee0f3

SHA256
2a5838f79a921d3eea21ca525463a720d4056a94504f6777e0b8e35008d03e81

SHA512
3105f0be78e47a36aea671e6ade226fb4f0648080d49c4d4b4e725c7425e5b60abc5c7f18f808493ac6e37d5648b88a1627e5d8f2f924328c5ef1afd1dbd3d4b

Download Submit
C:\Windows\SysWOW64\Cfpffeaj.exe

Filesize
90KB

MD5
d104c3f710397e9af02a3c932a70b868

SHA1
03d0980eca7b68cc14a64bb27113d334e9a3beab

SHA256
ccd0bb9269d7147ef473c26b160e8a050dca8d6b9d9d170040dae6a1c6af6fe0

SHA512
23682258897895d7361f0a6742a546e95022c8f0d0aaf15326a7dcf2be5f5200f7114f3d95d137010479561a837d087a8b3d7a47a8f33f5215e692a26ec559cc

Download Submit
C:\Windows\SysWOW64\Cggimh32.exe

Filesize
90KB

MD5
3b7f1766324d2eb4cf2bdb079421919c

SHA1
402b623be571fc27036aee6133f0e29750e21d23

SHA256
2ab45064f015cd0c694cd8f70b13529a7c23254ae38e9530f62d2e528bb55c41

SHA512
d080238064c56c5b4196b8919eb63e7005b9b0249a95f394ce59b9a182f6d87e3daf311c5c5814508c02f178db63ab0f72fc6e2df5cdc4f5c81127126f957e88

Download Submit
C:\Windows\SysWOW64\Chqogq32.exe

Filesize
90KB

MD5
96731c6e834fcf151316f3f0b07b0cb4

SHA1
f8d71e8c3a394865c20d20e306f8877f67434c4e

SHA256
8fc2da348d99a8ed1465ac88b31796f17b66922c66e1fe70fc4d7e6d8dcae4fc

SHA512
447bbfe4b86cbab214d0756f584441951be37bf7900abf178db68eff31f2f743a4fecaa27ee922be43d8856be9382af8329ef8ee932bbda08ccc832563b05a8f

Download Submit
C:\Windows\SysWOW64\Cohkokgj.exe

Filesize
90KB

MD5
8f3a8c98badb9773fdaeaf3c76025977

SHA1
03b9d5c5d0fb68d7dd1618ea7aa22d8eaf64aa03

SHA256
159c56709e293521b8e59ef0736d627534e97ce4c8fee74b11369d749386d2b8

SHA512
42bdc8465f6ded7d3b237210d2b4db08d2a11cfc91f3f6cee5d56addd7adfdafdeb2474214ac06ac5373fcd201637c928be70414780628079c62d53bc2db66ea

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
90KB

MD5
efa00610b7b571631ec60a98f779a496

SHA1
7527f41db3d9d971ba62803cd281781f336a200e

SHA256
fbc198971983059c7e943aaa1ee080a2695f9231d78548053095ad6f22224b81

SHA512
45a9108b197f3de1bdfddc5a3c905c47abd9f239061b18599cd53a6b8404f0e12a31adda5470018220e142eb5a0cda1b9721f187b9a35a12e31cf8d6d86f6ed5

Download Submit
C:\Windows\SysWOW64\Dbbffdlq.exe

Filesize
90KB

MD5
7d08d0c209f860e29ef817fb21804aa2

SHA1
c5663ea26b536f70a730a0c7bcadc70a26e5f797

SHA256
bf2676bf2ff01831adf81fc432478ac7f8f5d8a7f5ddda46ba267b10c411821f

SHA512
30a5e403c183a3d78d33981cb16e67539791b216baa744c89c3526b5e94c0329abbc8c4b8dde2548b1679998abaadb2ae72b5739ad6b72bc475ff80cce4f25cb

Download Submit
C:\Windows\SysWOW64\Dbicpfdk.exe

Filesize
90KB

MD5
9c0904d608e592cdba6db54945a28723

SHA1
4befa89a8f2ab6762d4fc2595c564322168de274

SHA256
c01ce8299c9256aaf6f0d16c59b6a32c261d4cb1354bf02817931ab48b2f160b

SHA512
664becd0ea43ba234bd6436d320ac8b07aeb8f942895a36650882bd598748f44473aecf5e6d54c11ec7fa94d4fb0a0bad8d0fd2f1dff83e437235ca3db57d8cc

Download Submit
C:\Windows\SysWOW64\Dbpjaeoc.exe

Filesize
90KB

MD5
3f3999141bfeadcb65f5edd0913cbfe4

SHA1
8a21c291a1bcf7d11ec26918cc6bb5154bd20ff7

SHA256
dd0c47d7fbf543a32e1f6e3cb132282b67204425bcca79dcc5b44eefea143edb

SHA512
2dad5e57405d032c8134d5f6abdc5074675ab49ea95fd5966eabd06a9a1ba0e87e019d929d4234807783782785df3e8a91b80166c9d155fb1f51fbc110efb83a

Download Submit
C:\Windows\SysWOW64\Ddjmba32.exe

Filesize
90KB

MD5
45e6500f58c75c73284caeb147b9601f

SHA1
3c7e1dc7328e541029bc942b6fd4dc27bbb0a19c

SHA256
9c46c05ea902083af4a904ccf153f0b78b4d26d9c12e136e12bb22d5cacefff9

SHA512
77b58993eb7bff9c78cf8c63eac5d36b07ad6ba1f45725855736f8aac2096190f31358ab3e7c69b37df6d415e3aa15bfc434229c965a7632efb9f8edb512677f

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
90KB

MD5
bd4bbf5555f24f39ef94d8049c884565

SHA1
5900474044c99bbb2ed0c8bc2e76d263e5003209

SHA256
12acf4acd2f9e73d3a22e180714d8b84bc5de279c81b781a63ab3c00e625d01a

SHA512
88cf6f837b32830054ced25be7f1f946cec306e8f54f131394db99fc574adcf5bc1977b3ae893ccfb7bc9897e85fc7586448d23ae60775a31931b4e9134e167f

Download Submit
C:\Windows\SysWOW64\Dhclmp32.exe

Filesize
90KB

MD5
f9c00c95558a6013ea8ef162c139f5cd

SHA1
83041b9327c289972546c1f023fad44dffccd20d

SHA256
9e5d3b12baf02a499e538bfa108b883bf67e5c22a84f8cd5445069ce1e4b9dca

SHA512
4ac13759670b3b5357f43d406c00d083e3ea21353146b83072834be086cd0222c79ec43ab183601c5ceb80c0b310b8c9c8558c671d23cb633384c5cafed6a40f

Download Submit
C:\Windows\SysWOW64\Digehphc.exe

Filesize
90KB

MD5
02138f015a90056c09d7951c3e5a46b7

SHA1
f6d8a0522fea84b7b5dcaca25b6a0f6ad530f49e

SHA256
db3f865518d29c84b8202ab3443764930bfd6cd41632507c9c2448f14c008678

SHA512
60673429c0030945c97013358db3d12b154e3167dccd1b1ba70cda9573003bd5205e60f2cfa8c7caabf181415f38a87b9e55b2a4736ce16138aa78a878ab5e83

Download Submit
C:\Windows\SysWOW64\Dkceokii.exe

Filesize
90KB

MD5
b15fb26ceab54aad9e6ce450b7b2d97f

SHA1
6e01678ead1f40be9a521682ad8c437860c0fb4a

SHA256
d1329969629bea264dcad80494f1a88eb354392c6d4e86f8fdcec34aee9d134a

SHA512
19175c02a460b8b326c82d54860bb69e61e53d19f5afcd100257a6d27b0700df04bbd10f64d8c95a3a205ca7a1420d89dc41493f352b6c4bed71a6956bceb1ef

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
90KB

MD5
b03df3cea4668b38e8701ec0334a83c8

SHA1
edc2f04a44171171dd7ec74c3522a842d9b099c5

SHA256
7b0ed553d0c04b8cc8c9cdaa234a1c1303983ee0ad41ab6137070bb46b8357f0

SHA512
e2a985591a7c93c665d18ae36a873f90cb2eaa9f4b75fb625db3718173b2a728cd57ccb94e46b4470d54df5c231ea590f5687b0a645d37cfcf3baec398474819

Download Submit
C:\Windows\SysWOW64\Dkokcl32.exe

Filesize
90KB

MD5
9ffa68400822302207f5cd0a853b6679

SHA1
88cd102169b1996c83a5d5b36e77c67ea383da36

SHA256
c61093027dcd2538d120b41c1d781d3d964b568a7b7d3a29e82ade882c405f6a

SHA512
eb8bba51625c7f56f179f76f43fa2d6e49bd866e79f35fede568f95a886470dd12b6802dd4314bc6066c7d71a5a497958be6dfa231386de5e28acc4d2c1acee1

Download Submit
C:\Windows\SysWOW64\Dnbakghm.exe

Filesize
90KB

MD5
232c23a024c5d968d532c7eaa62de798

SHA1
538ba67cf9154a4b1028af1c5454ee7635380089

SHA256
8422dbce8dc8d09f51b003612b4527a65029bf491a158ca94c29f22e9a13c3dc

SHA512
1c7261e259c2a6a447eb5606182bd003dd088929b286c2d1f1924d9941f081ca43c9553690a11a524ae487d5834a6ebfccc857e44843e10626a9d0496a12bdb4

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
90KB

MD5
c032a24f74e8275da04cc42e63265725

SHA1
53ae0343a1920ab832324062c3156c8d26ce78ac

SHA256
d5e60b859e929715334a883c139d6475732dd38ae2ffd67b096d9cd432ceee1a

SHA512
6cf7537e5885866564af07cf450d687fa26ca01607995508fd33a82780650ba4e92e95a3013f7d106d61f37b3bc631accb1eb0e5dc0dc586b2bc535ef32ab595

Download Submit
C:\Windows\SysWOW64\Domdjj32.exe

Filesize
90KB

MD5
833c291450c386296289af017284ea96

SHA1
7d150eaa9cdc868d497dc19dcff95dc28aee654e

SHA256
e56ef8b89455ee16b7402a72755fa34ffb127d3b00d3d8c9f66df7fc93fb3e39

SHA512
37ddfb98b34a9f2ac97682457ff90837254d9e3d09d0527d2265ab4239ca43dcbb04f0039f344ddb2316a0edaabb9fd911d299f187c547b2923491b0d005f81b

Download Submit
C:\Windows\SysWOW64\Efblbbqd.exe

Filesize
90KB

MD5
17b2f6e54e913fc7c13e9dec74c5f73b

SHA1
5a6ecdba594fc4a73554bb753b224c358b1707e5

SHA256
6f34d0a8a1a501c537bf8fa0681495e0dc81d8e17c626d1979af24a88bf6e518

SHA512
c6ea552662e92b5d05449d35bece453f38e26b6846471e2b4ce23b4ac77e002ae3a46ce74f949d3b9553088d083c8b6ae54026798d3d38512f7fea49525867b2

Download Submit
C:\Windows\SysWOW64\Efeihb32.exe

Filesize
90KB

MD5
7a36aaa0938127c1d264d27a3872e86a

SHA1
a99d61f5ce27f7919d9675cabb0a29e92b853437

SHA256
231f894a274bc78ff1ca68dc66cd3ece5ddd7c45d4c21c65ab49be389caabc36

SHA512
169a3726c42ffc2915cc6a106fadcb30ad001368d71fb941c3769253b146fdcbac23e7a1e5325ae56da5b913b3f8e7aaad5a3d2d792d5c894c995805d270d611

Download Submit
C:\Windows\SysWOW64\Eicedn32.exe

Filesize
90KB

MD5
7952315f534af6f38fb45a4f599ffc29

SHA1
6bfeaae5aed9be09e81094a8a301fae0cd31d550

SHA256
d17c7eb8fa9dc91283ac11b566dcdef7304e68e14b3510bdb03eb59becfac6c6

SHA512
86ba9dd4c27f533646b8497f31130cb03498901b0b0a08d8697c5abaf75190070dbc1fcee5d0b8b9c439fc6b2efc078d9ad6c91bdc849af7aca99b48a87e2f1d

Download Submit
C:\Windows\SysWOW64\Eifaim32.exe

Filesize
90KB

MD5
e83731dd1bd88395c7da34d0c6fbe5ed

SHA1
084551b10b7d5af72f45c8e9084ce4d3d24d9593

SHA256
7d12777e1185268f7380c5d758c75ec111568d316b1ba656ec39ec1c7156bc94

SHA512
867d5bc39334dea493121d7da7d3ce1881308a0530bf7ef71463fe8654474bd6ead84775ab07e8067944b4288198b9170dc0a557590e37a694aec9681e03fb4f

Download Submit
C:\Windows\SysWOW64\Eiloco32.exe

Filesize
90KB

MD5
a60f993ab7053e01d0307c5347daed38

SHA1
5fd6183ffab85cde1eda2194147afed6216d44fb

SHA256
1a1c1185256d68f268bdc36d01324935ec6ef0b1069869d7545547ce05b7713a

SHA512
c987cff50e02232a98c7c4f3582ff7b3794fa1953c595247efc7ee7b6204e61c6dea0d3a9c59a6721d5eec1e6356e48053ecae64196e7fdcc52dc937d2d75a34

Download Submit
C:\Windows\SysWOW64\Ekmhejao.exe

Filesize
90KB

MD5
75a07af745b921a56137c83a5c3c5a65

SHA1
d0a97eaa533c036387778a58155663de1ba8210e

SHA256
410f437822f69cfc7e9c3edb0e57b2ab0b4b35e5e45e28c507bdff121abe024a

SHA512
348ab292276e885ed2c9a2113448cb12b5f035c86faaf83914293c260286796d9641fde7e9a252cb4460ca5a397928e0f8393d9ddc7adb3903f303bfc3471b65

Download Submit
C:\Windows\SysWOW64\Emmdom32.exe

Filesize
90KB

MD5
edc326c7d6f8d29d98f8bf111f06a8c5

SHA1
5f9b42fe1b6087d429eb9fbb298b0b00e224064a

SHA256
5248b330d84201084c9fe0b2b7b345c7080c97125ad087404b5f3d5128444fe4

SHA512
d3ef86bc33320c26c400da84805503e59395c66bc4ae6438d57ecc5c42d3f4659793cdc113c238cac2f875d9edaeb00a309cdcbb9b8619ed77c3015e29b61702

Download Submit
C:\Windows\SysWOW64\Enbjad32.exe

Filesize
90KB

MD5
b04bf52be228a944ad5820e53459bebe

SHA1
b1a5afacbd19ff98a9dcbb6961cd170f7dfd6c01

SHA256
e71998bc01b6851720fecdd332ce4c8f3f1145ca23935bc4bfa00e76bc9a5714

SHA512
8211df7c414320d76d80e88b78d338ac2c3bcbf3ec8b7bca78134247085455105968b9ecbf7c07dd0965c204ff5202a89c6f4b4bcdbb2d202035a09828b11ba9

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
90KB

MD5
7612cf01a1ff1e66dfdbe4e9fc6de242

SHA1
e472681b6c0d10fa8335a485f6e3220adb9ea5d8

SHA256
f1c2e0451757e61998f6e29ad29f4d9db1d3ff2342e937157037bb8e4ae4877b

SHA512
586248369b8d738e09666c3475b578d31a37bbf311100e6b1db5ae34ccb117bb2b500b3963721d6795967e3750dc3b8229b23a6f4b8d0e68cb9cde1f081477d2

Download Submit
C:\Windows\SysWOW64\Eofgpikj.exe

Filesize
90KB

MD5
744c1b2f83e717a4971117f0c9c747ff

SHA1
8d051160f3511c3d54c9fa8a553a9cda80b2ccf6

SHA256
0a2bd86fd4c94d71be83f56cc4bc1c7190186b9f716b8ea6045091be8b62a21e

SHA512
0fca33740b75b21aa1ad62eb6ea8dc649a46f8ce04d8483b99655b786d94d54ed6724822e9db423db78915107376d28f20da3fd7297da137b888ca871eac48b8

Download Submit
C:\Windows\SysWOW64\Eokqkh32.exe

Filesize
90KB

MD5
70ae4faab51b3d835d6ab92361bf1517

SHA1
50498311110a5dd70df410d1aeafb3ea1c820f52

SHA256
fbc0439bc0384e6f793b4c0211d98b03f2138c124bb854eea7824c599a059588

SHA512
a669fa0ab2e47688204cdc87c1d5b39891e32848e05bb418ecc667ae4b37e441c37d00f5566292b8f2fe657667a2fbe8fc426f402550c8cb63a599c27410b661

Download Submit
C:\Windows\SysWOW64\Fbbpmb32.exe

Filesize
90KB

MD5
15b2e75d87e706c11c598e6558d0abd2

SHA1
9f37256e5becf9d35b6f5f252fca370678d2cb50

SHA256
e049aa81bc5bcc8d47597aa37766bb5324df00b3787c4235b80d14a4016d069a

SHA512
e79034a25b63ea075d2c3ebac6722e3fb52bab4091ecf4b630084714aedd4cd6d094ed327b2240f0223c54ca83b8049ef2654bb7e11c49553361e32bd4dc6b5b

Download Submit
C:\Windows\SysWOW64\Fbpchb32.exe

Filesize
90KB

MD5
6d3bcccaa96bef4567e593501a70afb9

SHA1
d379b358672013f17b729a0284dcba7797ed04c8

SHA256
2d9ed8d8b5aaf12e850b85ee6e366020cd502b1cb5a2e22282c3d28c222e321c

SHA512
58dbdaed4ea522e4176c2dc97a1025958917586fb5c8f899d21e1c4e206f11ba17ca850c98723a53360fe5f6d883f14f09a7a4a9f8c807d4cfe9ca0ddb6d9750

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
90KB

MD5
72b11a26a3a23eedb476312d101ba66f

SHA1
d28088e0e8b628a9099a6e14be5effb407a7bdef

SHA256
720e6b5a000a1ea4cd06e3603e219b162b544aea59d68c606ddb601cc0459e97

SHA512
d4cf690f0790eb659492ad782533a1acc1cda96013fd87dc338d18c3d43660d0253736553a60453eafcd8a1230f55bc37db9446b4f8f2a22880a32cfc756d58a

Download Submit
C:\Windows\SysWOW64\Fimhjl32.exe

Filesize
90KB

MD5
0f780dadb7b93cc692848afd64dc42df

SHA1
b8dd60ff1be68c2a146b4f6b94a8095d1f64620f

SHA256
ec4eb28dc0763354cdaf0cf0b7a20079a0e9e03a6920670a74db7d1b467bee89

SHA512
6992b109796baaed7e558e2215d02c9895ad250ad9dc963c37a3e0ccfcc8611d7ad31019a8cea59ec34ebe9aac5ec5b6e5d3c2e2f280e905f8306dd649804ac4

Download Submit
C:\Windows\SysWOW64\Fmfgek32.exe

Filesize
90KB

MD5
b34d505eb59c61672759c7ada1d60331

SHA1
9ebfbdc2e7ed76c85eee7642ccfd5ca96c934840

SHA256
48cbbc86d9c702d6f9e8517e6e98af17fe4c18c4569b30b374518ec28404ee93

SHA512
455e13a6b081d80f4201b0466572d880cbd777f4a7223175be14a49187c84dc9b342570a59f8ff10fc6c7e060e2360def1ac8e8907b0848f6e497e112848f068

Download Submit
C:\Windows\SysWOW64\Gbnoiqdq.exe

Filesize
90KB

MD5
bfce3debeda67a7a02dadd1061039b85

SHA1
cfcd09b08bfc448c2009976b002c9fb4f053ea12

SHA256
a64c7a1fb69d4239080b87c24726ca1a0ce9841ca27502ee0e1c786a38036f56

SHA512
addbfe97485056e292a871442089b76e3f2e4544c3d5d136d854de5b25ce64704e2757c4aa69e7ab84b6ba91df3d13fc4f033422e57de1af4b9325f06b0611a0

Download Submit
C:\Windows\SysWOW64\Hfjdqmng.exe

Filesize
90KB

MD5
96ea894b4348463b0b9073fd2e8cb9a7

SHA1
4f6d435ec785e4456ffc02da061bfd1678323c75

SHA256
60ff22e903276f0376b10db58d95e1733844ea5b927c6dd07b4b3842dc4d3260

SHA512
15d77dd278ef3c54ab7c4c273656b813c02e82874c2a97afd7d794ebdc7986d084d2ee0949824ae20ecabdfdb8c0c064d40525f20604b10ea78da31852bffc42

Download Submit
C:\Windows\SysWOW64\Hmdlmg32.exe

Filesize
90KB

MD5
8530f99504fc12a4dc8f0732c7c261c1

SHA1
fafac3b3c3c450c0a5858e9508288eb65509c12b

SHA256
3e9ca0cf9a309796ddbed3a6ca3787500d4f4e609877db55c766dc0259168a56

SHA512
2cce29d6e86dbbc1fa2dc7453f27856c39675a95152cf0fafe67ebdf83188336e3d58d8e8235a27ef5909dab542695bcc29b43f6ae3969db4b7bef32c5d70a7b

Download Submit
C:\Windows\SysWOW64\Ickglm32.exe

Filesize
90KB

MD5
740c65f43a8de429b047665031cf24bd

SHA1
e0844aa526a14311817972b6859d89bd20de6267

SHA256
3ac99f0b431e11887cd558dacdcc20ed61631391a034722033239d47a6734485

SHA512
07fa4b9f87205e3f8851385b080f5e8ccde27472344ae0baaed5118e200ee963d939458807dbaf289294cbf92e4b571b24254d0d232b4a488d0991d44a4ebe90

Download Submit
C:\Windows\SysWOW64\Johnamkm.exe

Filesize
90KB

MD5
0e7c4884e13e66682bac2125f0330c69

SHA1
b9691c749bfd660fc36fdbd50e87ece09e78ef68

SHA256
398e0fd183346dbf7a268e3a9988015b15a6ac0bf6f9afb4ca2c1d40fa5c74c0

SHA512
6c5c73fb479b72d425ef3f42f41d332c22aaa987cb467109284f5d3d56a9e3e69e98dc123b45accc90ac7877cc3836bd4a4a5205afbb1291385634d6a6e3c2c5

Download Submit
C:\Windows\SysWOW64\Mfnoqc32.exe

Filesize
90KB

MD5
0f74972376d1d508df40041897cfba0b

SHA1
f9d16c12838c75bde3212d06b30ed458ebf481ca

SHA256
71402f3cd2820165ac0216ed9e530b4dc27dd6c3cecfe8d06ab7138248894b99

SHA512
d85d91132fb89cb2b747fe9e372c68db1f33db3ec64fcbe4f64a42b0f27f9ea1655f974e121187c199b77851c0a41011884353c3b466e4ceaee88f34a89ba60b

Download Submit
C:\Windows\SysWOW64\Nmdgikhi.exe

Filesize
90KB

MD5
66a37d41d1c511e789d3538e7f566392

SHA1
db35731260b843c02a61791cee723d3dc39b7dae

SHA256
1be682c6584968c4168e49648608957c52992b34a16738c68d72911006f28c1c

SHA512
3e2297ab3e6aee66651d801bfaef502c5b68b31793557a676d841965869f7e8844bb08d9e631fde3a50be3b473e3544cda455e54d9ae0e2b37d6bb06a3e18842

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
90KB

MD5
10d738fec0b60f2441f58136c7c96993

SHA1
38b50fba1964400255089181dc1462b90b1f8342

SHA256
c822d5a2a24241204a5676f0acb15526acace28710899f5926a16955ee039c3a

SHA512
2bc5ced387748a0626f1a8b4444159dd7c8457ac70df825db90ada8b917d005bd1918f6a6bcfe53bcc4c1a689718d905d9ac5f3a13771fc67b59244cfbb04aee

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
90KB

MD5
faa9e1098e07ad41e8e3059da7331809

SHA1
f922aca8b643f4736b647ae15f16b2617a1e1b24

SHA256
f1099b65396054d24bbfdfcd513d5d078f56edb65790597692779aabb0fe198c

SHA512
06b1cfabd0de687f56d896913d535ca1800101b20f75846bde2f0ae605cebc2a0bb56eb192ab284af6b8c409db71a8156d4eb6d732ca110de258dd1b1a072f7f

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
90KB

MD5
5885b307f57158ac0407fddcbe234d37

SHA1
42741633db04830d2d37790c98b9b2edf9ce5099

SHA256
6e83501c37b0107e594d0e6cfe28ece03213f3bbe90f94e28ec0ca6899ece12c

SHA512
388b9937d78ee18ba6622376d4b7a9b5314b21b778bf59013a3ba7f7338f0979b9594273a2aed0ef32ac3fdc62d29c20f34fdfbeb1945635aaa058d654795683

Download Submit
C:\Windows\SysWOW64\Oqadgkdb.dll

Filesize
7KB

MD5
9d62da0c3fd7fab8f58a8eb5de57d846

SHA1
aa7371423911f6c493ec3d7e0ccc3fe32ee4dcd8

SHA256
b521322a52b8de621d7beed4cdbee9a150223ac843a8e69c7e3e8692413999ed

SHA512
e63412afbebd37b8890073a8cde047e2489b326acb855bacc72e4acc55ced11e40c5a74a0065534ba58fff0793aba5cf547b1656817799374d44681fc33068d2

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
90KB

MD5
946499197d21c6f33c5d25851a5244eb

SHA1
4171c35fac321cc9f390147516214e80ca296898

SHA256
75dcbb84090f5da2ba62678f22670f60461e2e07aea7f8152b72917e9095cf9b

SHA512
dcda9e8aa144c84f513971dea54e650c0c9036ddf15dc34feecb1f0db69babd9e44aed74339e87ed2f5d6a6038d1ece75dff4146e5acf042c9932018c7b22644

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
90KB

MD5
94eb7fa85e15f0dd581381d8dbbc7c17

SHA1
c724ec86da36e9cc6609eb94b490304a57b0feca

SHA256
c5bac4d6652433dc80e59827fa950642e1e66c4f665bc97cdbfec1d423cd95a0

SHA512
e9dd395145b0cb564962830c0207896e2560a02c4c590e8ceec478175c80ffd9a7b25cda644c616f25b9fe0d02288f478b81f79442cdb253352b2583bb19f14f

Download Submit
C:\Windows\SysWOW64\Qmeigg32.exe

Filesize
90KB

MD5
08e511f62b022449be81978120f237b0

SHA1
476b6a921689abc969948c16e577d2b628027a41

SHA256
2b0f42820283d7376af356cba9470ec9098885eea56f59278a6a465797f823cd

SHA512
94e66c24a5f2f0ce560898119b5ed34e4bf5577b6eb3f5325c65997061517629f0f3ff428672d133ab2424fdc80b31e9336b7a5adf6912d2ca2aa85396daa908

Download Submit
memory/32-372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/32-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/100-416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/100-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/116-330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/116-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/516-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/516-124-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/828-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/828-367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/860-150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/860-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1000-438-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1068-381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1068-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1116-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1116-278-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1120-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1120-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1272-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1276-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1276-98-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1304-221-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1304-302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1364-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1388-314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1388-374-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-414-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1672-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1672-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-270-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2212-375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2212-444-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-203-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-195-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-84-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2636-85-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2684-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3256-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3256-324-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3272-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3272-238-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3452-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3480-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3480-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3552-170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3552-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3600-331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3600-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3728-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3728-239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3876-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3876-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3916-110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3916-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3984-210-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3984-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4048-355-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4048-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4368-178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4368-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4412-134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4412-220-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4420-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4420-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-228-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-403-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-402-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4636-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4636-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4732-300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5052-211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5052-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads