22985a226f4a9ad699809badf40ff68c3e35a803926ae0b29183ac4391641302

Analysis

max time kernel
140s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13b3e6bb2c7d190f9d4dd583573b1300_NeikiAnalytics.exe
Size

71KB
MD5

13b3e6bb2c7d190f9d4dd583573b1300
SHA1

62cfe14e814b405869f1ba8ba6ea220066e35463
SHA256

22985a226f4a9ad699809badf40ff68c3e35a803926ae0b29183ac4391641302
SHA512

2eb00aecdbcc1ac9ed75218ee198d1e8c83d02e7f718dc3970c93ba17982da4ee734769329d549db70003a6b59e992f38730818144bd80c728941161a0ab7ff2
SSDEEP

1536:A95eiVNG8j5peFWB38RxOYj2p3ge+rtMXZIcV0QxRQFK1P+ATT:+FVN7j58m8RxOPp3grCWcV0QxesP+A3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hihbijhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ickchq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbpgbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcbpab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfaedkdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klljnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmcojh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imakkfdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe

Executes dropped EXE 64 IoCs

pid	Process
3604	Hopnqdan.exe
5008	Hfifmnij.exe
2092	Hihbijhn.exe
2444	Hmcojh32.exe
2008	Hobkfd32.exe
1976	Hbpgbo32.exe
1204	Hijooifk.exe
2016	Hodgkc32.exe
740	Hbbdholl.exe
2908	Heapdjlp.exe
848	Hkkhqd32.exe
4276	Hcbpab32.exe
4240	Hecmijim.exe
1488	Hmjdjgjo.exe
1784	Hbgmcnhf.exe
952	Iefioj32.exe
1948	Immapg32.exe
4608	Ipknlb32.exe
2104	Ifefimom.exe
3948	Ikbnacmd.exe
1608	Icifbang.exe
3908	Iejcji32.exe
5116	Imakkfdg.exe
4624	Ickchq32.exe
4248	Iemppiab.exe
1096	Imdgqfbd.exe
4352	Icnpmp32.exe
1856	Ieolehop.exe
1696	Imfdff32.exe
3464	Icplcpgo.exe
1380	Jfoiokfb.exe
1888	Jimekgff.exe
3608	Jcbihpel.exe
3308	Jfaedkdp.exe
388	Jioaqfcc.exe
1660	Jcefno32.exe
4112	Jfcbjk32.exe
3612	Jianff32.exe
3960	Jmmjgejj.exe
4668	Jcgbco32.exe
404	Jbjcolha.exe
4600	Jidklf32.exe
4464	Jlbgha32.exe
1352	Jpnchp32.exe
364	Jfhlejnh.exe
2288	Jeklag32.exe
4776	Jlednamo.exe
4468	Jpppnp32.exe
528	Kboljk32.exe
2740	Kfjhkjle.exe
1924	Kiidgeki.exe
3364	Kpbmco32.exe
4632	Kbaipkbi.exe
4672	Kepelfam.exe
3596	Kmfmmcbo.exe
2484	Kpeiioac.exe
4900	Kdqejn32.exe
4804	Kfoafi32.exe
1580	Kimnbd32.exe
5104	Klljnp32.exe
3432	Kdcbom32.exe
4908	Kfankifm.exe
3172	Kipkhdeq.exe
548	Kmkfhc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iefioj32.exe	Hbgmcnhf.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Lfhdlh32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Hihbijhn.exe	Hfifmnij.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Hmjdjgjo.exe	Hecmijim.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Fkgoikdb.dll	Imdgqfbd.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Hopnqdan.exe	13b3e6bb2c7d190f9d4dd583573b1300_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Jfoiokfb.exe	Icplcpgo.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Hbgmcnhf.exe	Hmjdjgjo.exe
File created	C:\Windows\SysWOW64\Gnchkk32.dll	Iemppiab.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Llgjjnlj.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kepelfam.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bncfnnbj.dll	Ickchq32.exe
File opened for modification	C:\Windows\SysWOW64\Jianff32.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Hnmacdaj.dll	Ipknlb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8840	8744	WerFault.exe	364

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqqlehck.dll"	Hihbijhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmcojh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hobkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooajidfn.dll"	Jfoiokfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbinofi.dll"	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmcpemd.dll"	Jlednamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmamoe32.dll"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oekgfqeg.dll"	Hodgkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddiqoc.dll"	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkblkg32.dll"	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcbpab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlplhfon.dll"	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acjclpcf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 3604	1524	13b3e6bb2c7d190f9d4dd583573b1300_NeikiAnalytics.exe	83
PID 1524 wrote to memory of 3604	1524	13b3e6bb2c7d190f9d4dd583573b1300_NeikiAnalytics.exe	83
PID 1524 wrote to memory of 3604	1524	13b3e6bb2c7d190f9d4dd583573b1300_NeikiAnalytics.exe	83
PID 3604 wrote to memory of 5008	3604	Hopnqdan.exe	84
PID 3604 wrote to memory of 5008	3604	Hopnqdan.exe	84
PID 3604 wrote to memory of 5008	3604	Hopnqdan.exe	84
PID 5008 wrote to memory of 2092	5008	Hfifmnij.exe	85
PID 5008 wrote to memory of 2092	5008	Hfifmnij.exe	85
PID 5008 wrote to memory of 2092	5008	Hfifmnij.exe	85
PID 2092 wrote to memory of 2444	2092	Hihbijhn.exe	86
PID 2092 wrote to memory of 2444	2092	Hihbijhn.exe	86
PID 2092 wrote to memory of 2444	2092	Hihbijhn.exe	86
PID 2444 wrote to memory of 2008	2444	Hmcojh32.exe	87
PID 2444 wrote to memory of 2008	2444	Hmcojh32.exe	87
PID 2444 wrote to memory of 2008	2444	Hmcojh32.exe	87
PID 2008 wrote to memory of 1976	2008	Hobkfd32.exe	88
PID 2008 wrote to memory of 1976	2008	Hobkfd32.exe	88
PID 2008 wrote to memory of 1976	2008	Hobkfd32.exe	88
PID 1976 wrote to memory of 1204	1976	Hbpgbo32.exe	89
PID 1976 wrote to memory of 1204	1976	Hbpgbo32.exe	89
PID 1976 wrote to memory of 1204	1976	Hbpgbo32.exe	89
PID 1204 wrote to memory of 2016	1204	Hijooifk.exe	90
PID 1204 wrote to memory of 2016	1204	Hijooifk.exe	90
PID 1204 wrote to memory of 2016	1204	Hijooifk.exe	90
PID 2016 wrote to memory of 740	2016	Hodgkc32.exe	91
PID 2016 wrote to memory of 740	2016	Hodgkc32.exe	91
PID 2016 wrote to memory of 740	2016	Hodgkc32.exe	91
PID 740 wrote to memory of 2908	740	Hbbdholl.exe	92
PID 740 wrote to memory of 2908	740	Hbbdholl.exe	92
PID 740 wrote to memory of 2908	740	Hbbdholl.exe	92
PID 2908 wrote to memory of 848	2908	Heapdjlp.exe	93
PID 2908 wrote to memory of 848	2908	Heapdjlp.exe	93
PID 2908 wrote to memory of 848	2908	Heapdjlp.exe	93
PID 848 wrote to memory of 4276	848	Hkkhqd32.exe	94
PID 848 wrote to memory of 4276	848	Hkkhqd32.exe	94
PID 848 wrote to memory of 4276	848	Hkkhqd32.exe	94
PID 4276 wrote to memory of 4240	4276	Hcbpab32.exe	95
PID 4276 wrote to memory of 4240	4276	Hcbpab32.exe	95
PID 4276 wrote to memory of 4240	4276	Hcbpab32.exe	95
PID 4240 wrote to memory of 1488	4240	Hecmijim.exe	96
PID 4240 wrote to memory of 1488	4240	Hecmijim.exe	96
PID 4240 wrote to memory of 1488	4240	Hecmijim.exe	96
PID 1488 wrote to memory of 1784	1488	Hmjdjgjo.exe	98
PID 1488 wrote to memory of 1784	1488	Hmjdjgjo.exe	98
PID 1488 wrote to memory of 1784	1488	Hmjdjgjo.exe	98
PID 1784 wrote to memory of 952	1784	Hbgmcnhf.exe	99
PID 1784 wrote to memory of 952	1784	Hbgmcnhf.exe	99
PID 1784 wrote to memory of 952	1784	Hbgmcnhf.exe	99
PID 952 wrote to memory of 1948	952	Iefioj32.exe	100
PID 952 wrote to memory of 1948	952	Iefioj32.exe	100
PID 952 wrote to memory of 1948	952	Iefioj32.exe	100
PID 1948 wrote to memory of 4608	1948	Immapg32.exe	101
PID 1948 wrote to memory of 4608	1948	Immapg32.exe	101
PID 1948 wrote to memory of 4608	1948	Immapg32.exe	101
PID 4608 wrote to memory of 2104	4608	Ipknlb32.exe	102
PID 4608 wrote to memory of 2104	4608	Ipknlb32.exe	102
PID 4608 wrote to memory of 2104	4608	Ipknlb32.exe	102
PID 2104 wrote to memory of 3948	2104	Ifefimom.exe	103
PID 2104 wrote to memory of 3948	2104	Ifefimom.exe	103
PID 2104 wrote to memory of 3948	2104	Ifefimom.exe	103
PID 3948 wrote to memory of 1608	3948	Ikbnacmd.exe	105
PID 3948 wrote to memory of 1608	3948	Ikbnacmd.exe	105
PID 3948 wrote to memory of 1608	3948	Ikbnacmd.exe	105
PID 1608 wrote to memory of 3908	1608	Icifbang.exe	106

C:\Users\Admin\AppData\Local\Temp\13b3e6bb2c7d190f9d4dd583573b1300_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13b3e6bb2c7d190f9d4dd583573b1300_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\Hopnqdan.exe
  C:\Windows\system32\Hopnqdan.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\Hfifmnij.exe
    C:\Windows\system32\Hfifmnij.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\SysWOW64\Hihbijhn.exe
      C:\Windows\system32\Hihbijhn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        23⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        29⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        33⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        34⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        36⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        40⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        41⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        42⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        43⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        46⤵
        Executes dropped EXE
        
        PID:364
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        47⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        50⤵
        Executes dropped EXE
        
        PID:528
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        51⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3364
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        54⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        56⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        58⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        60⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        63⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        64⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        65⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        67⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1152
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        69⤵
        Drops file in System32 directory
        
        PID:3200
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        70⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        71⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        72⤵
        
        PID:408
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2052
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        74⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4604
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        77⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        78⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        82⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        83⤵
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3472
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        85⤵
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        87⤵
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3032
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        89⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        90⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        91⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        92⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        93⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        94⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        96⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        98⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        101⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        103⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        104⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        105⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        108⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        110⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        111⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        112⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        114⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        117⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        118⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        119⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        120⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        121⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        122⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        123⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        125⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        126⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        127⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        128⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        129⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        131⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        132⤵
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        137⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        140⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        141⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        143⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        144⤵
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        146⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6516
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        148⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        149⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        151⤵
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        153⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        155⤵
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        156⤵
        Drops file in System32 directory
        
        PID:6912
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        157⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        158⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        160⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        161⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        162⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        163⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        164⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        165⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        167⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6588
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        169⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        170⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        171⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        172⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        173⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        174⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        176⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        177⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        178⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        179⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        180⤵
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        182⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        183⤵
        Drops file in System32 directory
        
        PID:7108
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        184⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        186⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        187⤵
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        188⤵
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        190⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        191⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        192⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        193⤵
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        194⤵
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        195⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        196⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        197⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        198⤵
        Modifies registry class
        
        PID:7216
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        199⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        200⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7360
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        202⤵
        Drops file in System32 directory
        
        PID:7408
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        203⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        204⤵
        Drops file in System32 directory
        
        PID:7500
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        205⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7588
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        207⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7676
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        209⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        210⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        211⤵
        Modifies registry class
        
        PID:7804
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7844
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7892
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7932
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        215⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        216⤵
        Drops file in System32 directory
        
        PID:8020
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        217⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        218⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        219⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        220⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        221⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        222⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        223⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        224⤵
        Drops file in System32 directory
        
        PID:7452
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        225⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7596
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7660
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        228⤵
        Modifies registry class
        
        PID:7732
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7800
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        230⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        231⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        232⤵
        Modifies registry class
        
        PID:8016
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        233⤵
        Modifies registry class
        
        PID:8092
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        234⤵
        Modifies registry class
        
        PID:8168
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7208
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7356
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        237⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        238⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        239⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        240⤵
        Drops file in System32 directory
        
        PID:7784
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        241⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        242⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        243⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        244⤵
        Modifies registry class
        
        PID:7372
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        245⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7512
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        246⤵
        Modifies registry class
        
        PID:7656
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        247⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        248⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        249⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        250⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        251⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        252⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7908
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        253⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        254⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        255⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        256⤵
        Drops file in System32 directory
        
        PID:8028
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        257⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        258⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        259⤵
        Drops file in System32 directory
        
        PID:7448
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        260⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        261⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8244
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        262⤵
        Drops file in System32 directory
        
        PID:8284
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        263⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        264⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        265⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        266⤵
        Drops file in System32 directory
        
        PID:8456
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        267⤵
        Drops file in System32 directory
        
        PID:8496
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        268⤵
        Drops file in System32 directory
        
        PID:8536
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        269⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8580
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        270⤵
        Drops file in System32 directory
        
        PID:8624
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        271⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        272⤵
        Modifies registry class
        
        PID:8700
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        273⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8744 -s 408
        274⤵
        Program crash
        
        PID:8840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8744 -ip 8744
1⤵
PID:8816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:7792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
71KB

MD5
e0359fefed0b7c4fcfda1a3d7ce0fbf5

SHA1
a2fab9deeba30e8f519ddbca4f698bb7004db688

SHA256
7a4d3bd1a98e3a44df3689d252f70a0d41e1055978d8b065b197d08d8e7a94b0

SHA512
7817281a737ed3d08d1ce86fdbb45329a369431494e032f3cbe74c124ad89b7eb5d3bdee43192487acd9077134fdb20ca52a51d0cccccb5ab7bf930621d503ae

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
71KB

MD5
54a3df687f03201e39dd4ee18a150be3

SHA1
1676adfc06cc34480fccefa4604ae79b1f8a7295

SHA256
f91fef42b04194b84186f377c69218e50bfe824b1af7415597ec5cd359227b9d

SHA512
d46991d9c99adf0f81c6cd895e8ad7282143764007a533c768c428ae13e9d84d8aa4980dd9c06079a05a6f908e5db0e61489f32a1605c9ec750594ccc23dc777

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
71KB

MD5
e6cefd3be4c0e9326c08d3901d642cc8

SHA1
df39087e2976587c17ea03a52d4d4070d020bcc5

SHA256
ba1a93db0d5998931aaac015a1674a9d7ecd8db202473328221df052c6a3660a

SHA512
5dcf7ef3c8d5ae26b6a7b92f886d1e1adcc88675b09447a2f484d502b5e489c623a1f4ef7a583cd4a1eda4356322c5f89baadb65cc34854addacad0a924d3a95

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
71KB

MD5
c175c1ee07e8deb963fb5a7bac2f9793

SHA1
83dec3cad5501ecd0f019433b6138155a9950dae

SHA256
73da2309828497cd2480cb5e42ba6d707a734738c7639ca8d48fb5be7dc51d4f

SHA512
0f187bc8f521122c569bd243080fd3318432d2894e0c6cb20d8fe7724e7629a34e4cda54fb5ab1f691816772a2080e7c84de7d4bec4fbef89cec82262af7037b

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
71KB

MD5
3d4516d6fbb1837aec2c3b033c764328

SHA1
bdb5a2de0d44795be85cb34fd17f4e6b14d050a1

SHA256
5d0b30cbf08b7bb7f4b2d9753f3c033e7cdbc60fa0b775287b305b2412ef3d46

SHA512
006a36ef7e9a1e9036fcc95b11d9e33a420301e0169963184330ed8c21d10be83558fcb449a6715e9702cb0a9978eda5824f4885ac0792e9bc89d14434f80108

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
71KB

MD5
69a4251027094a7a1877cf487d2cc0e3

SHA1
6f19765e9a8c8f831ec553381d08891b13d87a69

SHA256
fb3b672cd1a001a6b297e8eb80257c802c2ecb24a3c8a55b22f5355f42917e54

SHA512
2ac77c7cfbc27cd1e82ce09030cf2541e066891ec7f9a5ea5a64699c415847713a0e853c888eb3930676f5acf5eebc8b74df745afe815c13b26182ce5facfdcf

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
71KB

MD5
22d918775e4f7939620573581d22cb20

SHA1
4bf07a024b06d46319386ee4d95210c8d8cf8b24

SHA256
01055dd5fe66133aef8a228f2107162facb4105ed9b6a4903958d6e59e63cd81

SHA512
d79eb10cf0314db47e6b484f295732d154000e8f1a3f0121cf3a6c3e4704f099a787c660e5bfa7709973e85a8874ae4badb2a4e89fa1d365aa57c3db798417e9

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
71KB

MD5
1a14456022dfddccbe278c6febf57099

SHA1
b862986bb3d1c71196326eb7c21c7d38b1446080

SHA256
9b2c2cc364c0626d3a9746e0a4315593956946e07c8d0df7268617cd07a1781c

SHA512
63dd80e985a8ae0b9f588d74239dcce3e716728fba3abfc599ddb48794d1bed45b7730784d971a18941c387a85dfd1c850205ca5ffd3225ddbfe18a2b5d7cfcc

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
71KB

MD5
9bfead7086e68a2b65ed7e19fd6699f3

SHA1
5d57124c8e0563d56719fe80a5a59f6d1d27b512

SHA256
a0d2b6280f56eac59eb54700d52c00ea84f726e4cb05968850d9edac4a280150

SHA512
44de4e83d02511e0d1e09e27280d4d87ae912af72a13574e5ba58e3b941f03fd263d6e910ee699f929ccbe871ba23383e07b4d8f57ea9af6879bef154cd925c5

Download Submit
C:\Windows\SysWOW64\Hbbdholl.exe

Filesize
71KB

MD5
fc614e585f8899101526e7d069e9cea5

SHA1
14078dc558aaf4f33c77453810c4f45589000587

SHA256
3a50c25f3b68afc2310c8d5528c40006482fb39d8779af79687b2e3c5ed8f828

SHA512
0ba4d7e0a503901edf0507eac479d049b5e241e8d5ddb237c19de5d7e8141275a1397f1ff081b4df572ab054d102070a25f2afae537b7d475d3c9a9495d28c8f

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
71KB

MD5
26b40daaea08ad9f6eaf79947bfe05ea

SHA1
088383602374f6bcf55c395fb50c116b9eaa0966

SHA256
419e1569d45b9fadeb7c71f32b2f1bd904b94c54ad17956816c1ed4b9ba3daa3

SHA512
53e061fc0160ed24b8be4ec7dc97d9406ea049ea04ef308cf3bbbb50194da546f7f7a480e2ad74663f69c9cd645972e2ca5462dac735a864bb0e11f26373d75a

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
71KB

MD5
5dc04c4a85f9a974baeea17bcb066ddd

SHA1
c3d2e36c3b5eabb627d11069940f5eb030dba63a

SHA256
478b275bcaf653ebb76369790cdb6f899778a69b88dc749983ab0d37caef9dfe

SHA512
e0b994addb78d6ec599d87d59fbf70dc77081c2e306763e39a6f719753a34a99bfbd307d7b96e366ff8cce2c6c60d63917de9215837b6c166c769906feb7832e

Download Submit
C:\Windows\SysWOW64\Hcbpab32.exe

Filesize
71KB

MD5
bd0b53e5eca409e2bb415267aa35fc38

SHA1
66034f7ea2b311f6a965894ef2df454b8457fffe

SHA256
e078dc32e57f78646e1023a7a7a4f0029b3932dfda64a8907c8c09f5fa0ae699

SHA512
a13aba4990d6494fedce6ec8a5854c35c27ac92e5d3e812ea10af012b02ad83391f1823186ef6313e49a5a09122800d116bd112be1d7417e84f1cf68d36b25ad

Download Submit
C:\Windows\SysWOW64\Heapdjlp.exe

Filesize
71KB

MD5
1817c1e5b0d06ebc3a3f941d1796040e

SHA1
3c9fbb7bd99de342b77b260d49b677448863db0d

SHA256
88e9cdb9f72420f1c06a0ec8ec18375838802f5a2535cf80d9d0bef304d08de2

SHA512
893fc9537e7da8d160ce711320cc46f2e727429464d1e731a2ec0fb0bd5fafcd400b070e8af84456003cb84348a80a070657581baa867166ed10da9f4b3e589e

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
71KB

MD5
bb761d480e32871ba1fc48ded3c45e62

SHA1
6045edce21be2cc7db468ad6c4069cbbc6b1600f

SHA256
a2d499f14b4b21c1ff9c30964c712aa657bcc4327e0a7dc7157a9e4d56b8c9fd

SHA512
7e47a1a992d6f90a5c31f0e81201438540a970a5ca54c14df1c0e9e14c18cc71577b7c6f951287e2024895a3c3484737a00e5206b6081d93d29280b8223c573d

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
71KB

MD5
3271e3526d111402554f9cd954b7bb6f

SHA1
bd1b945374bb547eab2d1b675363772b4e9ee8bc

SHA256
26da4107156a0cfbe5a578ba64f4d26a96c4d568caa5ec186576c1261c37cb89

SHA512
dc04616b515b6c10bb4e64356c01db58ed89444d5b405dadf6aa282a45c38979cb42aa8df999d92bbe47a790a2647108f93745f8ff7955c1fc3cfb15cf36be05

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
71KB

MD5
594ef21981759dbd9395c694cafdffb0

SHA1
edb90951693e9c7e4a7186df353b8178eddd2680

SHA256
577d50c9b2dcdab0afb740ca9e444187185c390190e9201242b0cb0cd586f2ff

SHA512
20c24ae4e791124069e1b52a0d1ace8d6f3f33f77564a9f8787959a13e264322a4b9585735a0ca806a7d13c8f0b537eab3437e4fdd1313453877197658fd3b80

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
71KB

MD5
46cf1e8404f3065ed40376ca6e8c23d2

SHA1
fc5cb9561e0e7969797529ae3a4dd0cf123ff4e1

SHA256
a90c4328f9d4c1e50b8d348c73a96b07b4920feb834f0a1e415376e6a5d2baa0

SHA512
49e4505c19a1f9dd51ee7fbb3ed92b68e1926522aea166d93d644f3d36289a0f38ddbb541849ee0018953b6f6f4655bffdcb36c4ff7ea28bf711df8f9e50c289

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
71KB

MD5
425a994d4e70da8150b41c6406004bbc

SHA1
d3e25dd2ccef7193a64bba8966845b812248e612

SHA256
571b0bae8d5c78780ec873afdd7593f79145e42bc8db67f877dcfa2bbd2e1a48

SHA512
81ac6f7bfb95f6abe409408f92dce9b02b2a91c0c6578156ac1322cc335ae8ca2adeb7b07754e143234de509b2f27d8addf7fcbf0bc4713a06839c27486e5fef

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
71KB

MD5
7e1f255ad66bd0db8803c2d35d88ba91

SHA1
0651b0d18022b1ee7788079526ab7c551bcbee8c

SHA256
8f2ea5a8f84431efe44d2e9907780ebce457f8c65e5384b222f579193f520970

SHA512
6be12c093dae4e8aa3197fd84f91c9926336d30c7f95bfc12e63e1bfbb5a5429bbfd7f6231c37f498710faa25a1e87820bff3825da254a3d2bf3e39faf409f1d

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
71KB

MD5
538dfbd413a8f402dec453ff373f23c7

SHA1
e5d876e8e5a1ce6342e90f7628d73bc4e93f1428

SHA256
ef232542e533bbddd9d71155ce7cff067d931fa43234246d5ab410db1d229d39

SHA512
d7126f83c310408ce2ac7e0105ba3f667ac749d6701e5c88ec3c203e1d279ab9e40d64962b6c072874229002bd580811eeaa73660da23854f8ecf1d031c0f35b

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
71KB

MD5
d1cefeb16a1bd12497c524681c0f9ff4

SHA1
a8bd67fb93ed1e3b77e7d7042733eb1c2d04f612

SHA256
ae2f8eb45aee8239297ef10566f28594de8062c96762fcbba18857fa0b5366e7

SHA512
c7f9b4a2f98fd434becf61bc8c12f3869ca5635becd28e1ff9a0e1449cf5c87a1371812b3c85be1393724743fec903d669adc20bd29ff37106f8ea38ba75a7d4

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
71KB

MD5
a4bc92570675c3b2afab87b46003cf8e

SHA1
e2672862f1346de00b6b3594faa7b7ea88cf32dd

SHA256
13296065a928f069abe05fec7de42f2f34061fc0922ba7c1f4e490b1ed1c27a0

SHA512
2d8e538036cae2e6c51128f45ae526e4a3ddb9116a82302ccf38cd48553ac25d2726191a31483e5de52484f3e2867c0d38d57cbc04484fcb74fef07702e21603

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
71KB

MD5
75de1c4f73ff6effa65ad8a7e82e87cc

SHA1
c848fcd5f8fd31da71d86f0b34dd91a908118b31

SHA256
f3d38393eb1845ba9fc70ce46e24b54cf8b7f6eb0c0444447a2b7b94330b20d6

SHA512
8a88601300ac97216912652fa4bc0677ad3819793af8ac0fde6ec28dc498c58e49c2ccae7c510400ee63fc2525ca5f5d461dcf9a2d55c6cac967b3af0de9686a

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
71KB

MD5
dc1214475698e8b5fa607ebc5df4ee0d

SHA1
b4288ad6d84ccd476e2e6caf4d608639c78be6a3

SHA256
f2413d4848d72f79b85ea0111f6806e425fdfd13a76770a85b9dce0cdb34b101

SHA512
b192d24bc90ba9582551e3bd49cc4bbcd632c340d6871ea95139040494286f6f26f8f770205972c015da9982f2c5de93bbae6926b0a70ad4de6ffbb5506a5633

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
71KB

MD5
f22f91c9f4419bce60ca37a29f881774

SHA1
ffa7bf0baa88b456fcce90282a6b4e4b5272ab35

SHA256
235662a52bb8adc152224575f1f07dc56480d19f634d0bead50953b95f730ccb

SHA512
7a1baf17f758a3aec73a537f10aad4cac85e8eefadd65d23c48fa1c27eb2b1a3bea1e0af315fe8600ea8db49fb2e14c45e22a2c1e501593c58030e86f5fa1daf

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
71KB

MD5
2680be90bdf8cfdb7dde54aeb4fb3c3c

SHA1
f89d080bab2993f08d7f8a85ebbf3f47a2ff1b57

SHA256
20b080de3db78c9a31c154f9d153f469501d82c62284f3d26b3d020934bab475

SHA512
8e4352438a118ab99779078cc87da3dddef61cd00f61a8f214b17bc9205dd4685ae44dc6e7db7e00c968978818c36739ac8eba23ad5a7493ddb91cf5fef7d021

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
71KB

MD5
3b1624fc0cf84c35f03047e5978835a6

SHA1
7097af21ab058af865430e1ef8adfa2ca7490860

SHA256
978521c722db9e1658de37fabbfed89db121cfb3c2e76abfad5eb11fcdfec9da

SHA512
25473d5d480ad81e13818bb1b732990ccbcce61d27dae4cf27c33f1da7c3d1abfa75b823d9b3f247fcb6298f6884dfea6e538423449a5716e2af10e49bd29dba

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
71KB

MD5
dcd2e1e57b5306238e22438fe95424bd

SHA1
381636891a910a12b87a28e855a72cbf2dc1d49b

SHA256
2be1b41ddc036b45f1bc492acc6b4a080efb6af3effc99eefe101c5e89a49297

SHA512
3a99bd08c742272caf7cf39d2fd092b22cca69895007ccac49978658b63a18d59e5af3424e10b336bdef46d8169e4aea6a06524b821f09470d1096f69c2bcef5

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
71KB

MD5
f5375b3db327ca7c76b62af21d3c3b5e

SHA1
8cdc5d8248f763903690cca79e0cb0fec8e28bc9

SHA256
0a500ce5f9f65247efc20aa17f3b14e5786c373e6d6ea38a4b3d8590145e151f

SHA512
0c3495ec3be8ecdc3872c0a0e5e1c47c209bfaa1ea1de3924862d4f4e034bf5ddf814c0fbcfbd2b7b0511a2bc211c60d4de230b4a59656c8f2f784c402426ba5

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
71KB

MD5
7635992eb19ce8e466f038958e6b4c8f

SHA1
05945cbb3de430bee34fab469e4caec0d09d23d0

SHA256
020a59fcf8ba1b34050b8b3068c3e6ca1439787c1594d7590c7ac4e8ccdad075

SHA512
bc71ad97010331a590ddeca03633bef40f91dc09d9a329bfd50dcd8140a77f8df24184a1c237895c8b08738e2132387a8dbecca9bc7df520408172970d98864e

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
71KB

MD5
06eed089e47f45ca02eb13eadfc181f2

SHA1
04b12520eff1b6abef8c8696162f0cc5a05c95ad

SHA256
d1233a9f51fb1619185b42b33332480e95eed7a5af7898d6b147fa84913038a4

SHA512
b69cd5d0ecc36c03f43e89b369d8876ba210e62632df00d3db46ac2556d46680b5d608efa45325edd740b82914e1cabd9336bd7eb68c5a595b78d941d479243c

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
71KB

MD5
ea24c63784a6250c4d519ab954104150

SHA1
fffc9e49610b0d23c761ccc275847d3f0c352ad6

SHA256
eeaf74a513469337d7a1147031970bcb58fb0126df32220ca7b551b5308e3f7e

SHA512
b0c4510198aff6ed5b06e4c27cdf36f5bfdeb3ec8d1848418dd58cb987eaa6b4951fe06c1e7a53c635a2ccd8fb0b023110b27ed6f4bc3351680142bff89c92b8

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
71KB

MD5
2245a3f6e3122199f4b8355a7f14ef62

SHA1
0915e829889e00a43ff4466c9cd4859c6b305cd8

SHA256
3fa39a7765d3f61362e6d1b11b5f7c0dd8af1d28f7dc2d8baa51d9a6d88cfad9

SHA512
ee0444ba921e20347463a2c31c2a1955522394817eb5e85141cc4c705b22d2039c952711e6d24e7236dda0541bdd082ee4d65c64590148bc969c9f3066bcae05

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
71KB

MD5
0dbd21fe869adb50b85af725e82d5b12

SHA1
2360db3db0925d54ac823e4aef5cf43d88fb1110

SHA256
c9b1d8ba84e7a648522b0453046168d45bb951ff8d0ca824d584d85acf094345

SHA512
cfe6d69e6a2dac6226b8dbaca2e6cb695b0d8a2a778943b80885d05b72332f4c99e91d7d691d6c0b29f08dae0167032cdfbb8543e49fe7e9b582398be07cc460

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
71KB

MD5
e9fa42936cc4974f46cd9be49e5a6b74

SHA1
56036159419c9695a8a6284832f8d9501a161b6f

SHA256
ca202674af76ab0d2053ad844e90d5d358c8063f672b174be685ff36dc6769ab

SHA512
7915d998c24acac5e99367554b81d815f78a9f9212fb53f23d507b153323c817ab0037eb077d5c7f8175f2b58abf209c281da6a65022d1f1918c7b27c955effe

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
71KB

MD5
5c99afb9506c8405d492c163badfcb2c

SHA1
fc77fbd3bfb13155305a2b95665cd0d1e40261cf

SHA256
4a7797f62837880a941cd525ec5974d5dddd623fad76d10464269116d6393e3d

SHA512
899a260d07ee55e6516ab72dc918fd3d7e863d6366d6477cfd972975ccbaf1f47af95b207b717329c60d6e397147cfe7bc3b74c045335a4a02c381135a9aa365

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
71KB

MD5
1b9ee675e7f513aee9f6962b1e0c6d11

SHA1
4667e766f06ce8042b01081f7f94121609e99c94

SHA256
8b3b85baddc9255d67b203cca8d5b8b541cb4fdca03ef63b72b3065abf26b74e

SHA512
73a3923e40f05f6784af9ba463207f455b980ece209c683675f747a065e6350174624660eb43d92853129f40bf17a3c8940102d2e4a78f7820c952781240f134

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
71KB

MD5
e4207e2bd6389e1e6551312e3cacb189

SHA1
30063221921323dd9c0640bb63ad9084a3bd7ac8

SHA256
0fffe60636bc2c81fbb22a65c4745360581fa250ad9237f7e27328bf95fca90e

SHA512
0bf7b93386fda017889c4099ab00568bca24a51001c7426b4cffe7a16a0041474c94c7af9e48ac8749a0252661048397550e88eda61922e16eb46873363c3529

Download Submit
C:\Windows\SysWOW64\Jfoiokfb.exe

Filesize
71KB

MD5
9ab6895c01fc80301c8699f475890ddd

SHA1
4edad8193d9c333f61732c69fa5356c476061fb1

SHA256
81c288e065778b8376145952f0a8efc0f79b64c4793c8c24f39d4f28950d286e

SHA512
cd96930e5c4ec441a6d309719288795ca77b8df25d4bd65556ec38cc6fed8d03232c7afd6b064c7c817d9e8ea61698c159ba9db1d3da565732b1999813d66d29

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
71KB

MD5
0f7a0533f7d1235bebc2d5388ac7e8d1

SHA1
c923ceff864eee86d79a4d4181d8bfb9e6edfbc5

SHA256
49def79ebcfb2ee27c3955eb3443f35cd870f23840c9725b11a4cc03358652a1

SHA512
2ad7b3db39e2173159e1d9841c3f7882f0fbde9e7de99dd28e2813b2f33f04a4052db619ccda2116d07d67fc500c1715fa19584c4669fff0097b1860c00d5885

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
71KB

MD5
951733da93a18ce27cf3eb778ad02eeb

SHA1
5508aeaeb871a023d90a25374e0fd6e0b616cac4

SHA256
b19bcbc61bc429c29d587a5e00b7f2f7231571f918d6e67f3826efd8d4a81825

SHA512
b8a38a1ade0acd86e9169b87eaaefc311cbb73447f13842cacb36be77048024c1e021ba124fad9098643d9fdb3b73993d00c6080c2a00da0b021a6b92d6bd060

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
71KB

MD5
b41d6a4aad4e2aa2ddd36c8f9a1b679e

SHA1
c9fcfec0813301c0d14b183ecfc7e3e64ef72c47

SHA256
7adef0d9d4a6bfb7fa89146fc2c533ba261aad8363b1a0cef918fc62327f311a

SHA512
aa4f348d0951d00ede30ea6580c9a479710724f1245885b784fbdb6e0712691a2c52dd78aa44a2600333163a613c27ca916131fc5409d6c9e42fc18ff033c26b

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
71KB

MD5
60ca6bce57915977117001b5ba1d1c20

SHA1
af4e0bcc6c17950ddf908d46fba88ae85ffff36c

SHA256
1d46cb98d2b8175b129aa40696ae9fc931dae7802296fb0b7a9a4bc03e9bd426

SHA512
da23312dc6d7a8fbcfebe96c34b4ba185976bab6acfc378c6117c4b82d167f2671953cfa2cd3f803e18a4fd1e9ed41d30cad97174712b660c9d6bd1b6f9b2eb5

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
71KB

MD5
df15d6e3df3ee08b18d1fd44fd07beda

SHA1
8ba631cf832376314440614765626b03480faf5b

SHA256
94a0e8140f8ac988574f223caf840d2fedd718cefae252da225433106b2078d1

SHA512
8d1fba92cdb1e085868de7a4f5deda7d62d2c3821adea9ae6932897eac9ae84a2ef9bdf1df71b8e0933a4f89cb800335e93a2b040560cb4531e589de2a2a4c39

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
71KB

MD5
4d8ea7633c81a4b156ac6d81cafae4b6

SHA1
6e0ce2d8ad682d519853025557a0151ca75b9b79

SHA256
e8ba748e1d7a8ce6e32ce2fcbc6b8eb267345466a7e8a615dc410221c0ce242c

SHA512
194f605eb4e71a60512fc58587f4e3fc8607fd28aa30a061aa63204c1064199e0cfd59cb6b8d1bbccebc0d2b0e655ff0317bfece9d8d89b69b97396c823830b5

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
71KB

MD5
1b8183699ec5e7f42c269c3d6718a288

SHA1
c1b3db9fcc6681c859d81a193b20d7f2fc0816f2

SHA256
d0d1a165ed551a5d73efefffd22171e181376ffe2d06a62b0d881118521f2ef4

SHA512
82155db20e2c3bdf7bd98247605ed9cf438677043f199f835f560f7ec96c0e4ce9332262b11bfa756e1de18236aa99dd3417d155204e7a07f06c37f578bd5795

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
71KB

MD5
2fb2c67266d63918af000426724d8c59

SHA1
af7b4df7d4779ac217307a69a520d144a5db9daa

SHA256
2a68cbd3f9b9d2c6afeb7e4b087684e9af7e3ced8f916606cb6f1470be59e50f

SHA512
538cb116fc80e0822aa4fde158e421829735ae3c7119e2d22926e81511e9727c465232a62b8df1f8935a1757739d6ae43d109fb8cc2d0e5ef272e30cf874d32a

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
71KB

MD5
0c5e4eecf720670261c3d68390eb7f97

SHA1
c7a77a3ee71999930df9412d1404d131d4c257ff

SHA256
075841dd935b54659d45a4bdb4da7a4aead05d22340bd99385ebdb7f3f5723a1

SHA512
455042ba7cd9721965bf63594ffa605d35f187561fcac24eb9cc32e77ed65bf2b16a6ce2071e88e9ecedf3e2b493862424d8700b616b66274db2a3b98375bf20

Download Submit
C:\Windows\SysWOW64\Odqjbebh.dll

Filesize
7KB

MD5
ceda6eaad70cf48b037d2e58e08e3183

SHA1
d3ce73e83a4d9051d6c09ed3b10a31c9718b83e2

SHA256
5519c1aa1aa84165aa206098a73de3435a5a62b8b91accbbbb2091d4c70a732d

SHA512
404e3f59dbc837cd841f4f8cedf7e558d40dd4e819785a6980279ca479ef7844e98a1e64f38b9acd975aaef5dda549d2e051d643c4c26dea6ffd2ef0f5cb56af

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
71KB

MD5
9cfbbac118fea7223444de4cbfd10916

SHA1
2da150f9da4fd6dca854bb0d9628c0cbde3d4a85

SHA256
bba83a670ec064d5989678c4e20e9dbbb82d5254e77ecc71402a9ff00a254eb1

SHA512
97ffdf5b28fe57b6741007458014d21ba4d289a1c324474280ba549354330674f60a76491f0c1c849ba3bb9b559daf3d5002a5c0c9729495a07f1813f1ffda50

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
71KB

MD5
0bdbedbe59f0ff322b23179f67b93028

SHA1
70b47ffec22e5faefa207509058d9f2e10629b9d

SHA256
b00f3015b5665c1571077b9cc1e8ce7e761096fdabe4be8119890fcdb9e8c02d

SHA512
f18d23215fad5ef3d6408a4aac6ba765c5c7593ab84c50f2ff24aa6b126fc3d01294c56c459883bd3ff94a1b3407fdc8b092d7327631ba72adc2a49a0565bd6e

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
71KB

MD5
297a7f788e67a8705f161f83362157dd

SHA1
8947fb988068dbef2ec3267b28dfbad11b0b6791

SHA256
a3f4882a4460f09a11af6293381a893d216858dd9afab06e8d479c254cad2f4d

SHA512
d5bd7634d679af0c4d41529623cdd74556f0795089b187db6417fa76ac7060b8efd6d6a255b2e2d7b52cf51c6885165790b65a6cbb28f9a6eda3914725934e7c

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
71KB

MD5
94d7554df0ae474750ba290cba881343

SHA1
ceb880d6f850d75c0f9a6f216657e57d3fd4f36f

SHA256
c51f679c4da4ec96d603c2633a72f7c639b6a47705c88b990c5db090e64f282e

SHA512
fd6e856405de5671bd7086b6331c0cbb55fb6373c4c940b08cc2db06efe1ae1b86ed471685c94989f0c97d3ccb58051733603082fda89626c13407f23265188c

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
71KB

MD5
05a453a130b84f5c438d0901216f9b3c

SHA1
b2e27a4da7eb083d85cd1d31aa187ab86b5422b3

SHA256
71463f544a0370224e57002c4770bfc75e38a30ccbab1982317ac0d30d241248

SHA512
e3efa8af7a140526e41d633aa3c7f54f5e983b092c72936e9faa8aac966999c4de8a8c9af5a47670f2c9e42fe6434e1599707a62765cdef4bf5df5204ef4c49e

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
71KB

MD5
b590785b00308a9915a3b012132276ee

SHA1
3dd1fd7cd1d46eea27d49b61948cecf5ea821f62

SHA256
6215295b1f1cfc71999220038e64102822f1dd687b793b12be8c44e1c2b9496d

SHA512
b50452a6db2db6d83fec95771fee43e8d0b863a8db8567723c9a079ba48b7419e756408f2b87c528eacaa0dbd455f61a17ddec0e6680b0a54448d11d7e87080f

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
71KB

MD5
5df6b411688a5fffd9e3b72409d8b5cf

SHA1
845b61bbb2235eaac8a959cd231a4f5e0962ce9c

SHA256
254dad133410a0c323c1bece5ad85dce508b081d835fd1164e63547ad22927ef

SHA512
4aa3f72f54fa1b21add2507706339f2e3a10fa30396be37e90c3fdd4fe3620d465a9a461fde25d377ca3f8dcbfeda8eed8ca372e27b11db280cfbd0d7a3931be

Download Submit
memory/364-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8580-1829-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads