79ddfc2c1bd843c80cc6cae2870f75542c43fef0db198fb91f8ecaaa474e0f9b

Analysis

max time kernel
129s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 10:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

79ddfc2c1bd843c80cc6cae2870f75542c43fef0db198fb91f8ecaaa474e0f9b_NeikiAnalytics.exe
Size

59KB
MD5

aec7a67939f2d9e39a9aea1190375ee0
SHA1

1ac9844f1afd4818d877d9ff46e3df5c34b07e6d
SHA256

79ddfc2c1bd843c80cc6cae2870f75542c43fef0db198fb91f8ecaaa474e0f9b
SHA512

9004df825534ca2856d870a127c7199a74ac20877db0fa62c614d9949edcf6b19339475fa907f4d91b84b71dc7806eae1b2614e3f4fba19881c8e8017ba49ff2
SSDEEP

1536:1UZX6DVecH+DJVZhUi7E6TIiemRptLNCyVso:1UZX6M/hTAittceso

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpbflg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjblje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iefgbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jniood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flpmagqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnoiqdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfhgkmpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cljobphg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impliekg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgloefco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibjli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agimkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blqllqqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chlflabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijkdmhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddligq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnoiqdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moipoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgbchj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbbffdlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefgbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocefm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejopl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpffeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhclmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gidnkkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiffqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eokqkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffceip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hedafk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipgbdbqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gemkelcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iohejo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmfdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmimai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbhoeid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lflbkcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlbcnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igajal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imkbnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koodbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffnknafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgihaji.exe

Executes dropped EXE 64 IoCs

pid	Process
2992	Bebjdgmj.exe
1196	Bllbaa32.exe
2772	Bkobmnka.exe
716	Bhbcfbjk.exe
4592	Bomkcm32.exe
4860	Bnoknihb.exe
1516	Blqllqqa.exe
1416	Camddhoi.exe
2300	Clchbqoo.exe
212	Coadnlnb.exe
912	Cfkmkf32.exe
4636	Cleegp32.exe
3624	Cocacl32.exe
4988	Cfnjpfcl.exe
1596	Chlflabp.exe
5052	Cnindhpg.exe
4432	Cfpffeaj.exe
2452	Cljobphg.exe
2520	Cohkokgj.exe
2144	Cdecgbfa.exe
3344	Dkokcl32.exe
1404	Dfdpad32.exe
5048	Dhclmp32.exe
4028	Dnpdegjp.exe
2376	Ddjmba32.exe
808	Dooaoj32.exe
2928	Ddligq32.exe
2236	Dkfadkgf.exe
2936	Doaneiop.exe
640	Dflfac32.exe
3276	Dmennnni.exe
3988	Dbbffdlq.exe
1616	Deqcbpld.exe
5028	Emhkdmlg.exe
436	Eofgpikj.exe
1844	Enigke32.exe
3944	Ebdcld32.exe
216	Eiokinbk.exe
1860	Ekmhejao.exe
5116	Enkdaepb.exe
2832	Ebgpad32.exe
4228	Eokqkh32.exe
3748	Ebimgcfi.exe
1088	Efeihb32.exe
3844	Emoadlfo.exe
4216	Epmmqheb.exe
4368	Enpmld32.exe
1432	Efgemb32.exe
3800	Eifaim32.exe
4060	Ekdnei32.exe
4952	Ebnfbcbc.exe
760	Felbnn32.exe
2004	Fmcjpl32.exe
2252	Fpbflg32.exe
1136	Fneggdhg.exe
1512	Fflohaij.exe
1756	Fijkdmhn.exe
2872	Fligqhga.exe
4020	Fngcmcfe.exe
636	Ffnknafg.exe
668	Fmhdkknd.exe
4324	Fpgpgfmh.exe
4604	Fbelcblk.exe
536	Fechomko.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Epmmqheb.exe	Emoadlfo.exe
File created	C:\Windows\SysWOW64\Pmhkafda.dll	Iebngial.exe
File created	C:\Windows\SysWOW64\Eekgliip.dll	Cacckp32.exe
File opened for modification	C:\Windows\SysWOW64\Bllbaa32.exe	Bebjdgmj.exe
File created	C:\Windows\SysWOW64\Aknhkd32.dll	Gehbjm32.exe
File created	C:\Windows\SysWOW64\Coadnlnb.exe	Clchbqoo.exe
File opened for modification	C:\Windows\SysWOW64\Efgemb32.exe	Enpmld32.exe
File opened for modification	C:\Windows\SysWOW64\Fpgpgfmh.exe	Fmhdkknd.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Ibaeen32.exe	Hlglidlo.exe
File opened for modification	C:\Windows\SysWOW64\Nqpcjj32.exe	Nnafno32.exe
File opened for modification	C:\Windows\SysWOW64\Dbbffdlq.exe	Dmennnni.exe
File created	C:\Windows\SysWOW64\Cboeco32.dll	Gidnkkpc.exe
File created	C:\Windows\SysWOW64\Bfnikd32.dll	Lcgpni32.exe
File created	C:\Windows\SysWOW64\Mjaabq32.exe	Mgbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Pnkbkk32.exe	Pfdjinjo.exe
File opened for modification	C:\Windows\SysWOW64\Lqmmmmph.exe	Lnoaaaad.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Jiiicf32.exe	Jgkmgk32.exe
File created	C:\Windows\SysWOW64\Cdkifmjq.exe	Cammjakm.exe
File opened for modification	C:\Windows\SysWOW64\Jcmdaljn.exe	Ipoheakj.exe
File created	C:\Windows\SysWOW64\Koaagkcb.exe	Kpoalo32.exe
File created	C:\Windows\SysWOW64\Mbibld32.dll	Chlflabp.exe
File created	C:\Windows\SysWOW64\Ghjnkpdc.dll	Gnepna32.exe
File created	C:\Windows\SysWOW64\Cjgjmg32.dll	Hibjli32.exe
File created	C:\Windows\SysWOW64\Iohejo32.exe	Iliinc32.exe
File created	C:\Windows\SysWOW64\Iidphgcn.exe	Igfclkdj.exe
File opened for modification	C:\Windows\SysWOW64\Qhhpop32.exe	Panhbfep.exe
File created	C:\Windows\SysWOW64\Bhbcfbjk.exe	Bkobmnka.exe
File created	C:\Windows\SysWOW64\Gnepna32.exe	Gmdcfidg.exe
File created	C:\Windows\SysWOW64\Ipoheakj.exe	Impliekg.exe
File created	C:\Windows\SysWOW64\Npgmpf32.exe	Nadleilm.exe
File opened for modification	C:\Windows\SysWOW64\Npiiffqe.exe	Ngndaccj.exe
File opened for modification	C:\Windows\SysWOW64\Oakbehfe.exe	Onmfimga.exe
File opened for modification	C:\Windows\SysWOW64\Cocacl32.exe	Cleegp32.exe
File created	C:\Windows\SysWOW64\Lcgpni32.exe	Lqhdbm32.exe
File opened for modification	C:\Windows\SysWOW64\Lnangaoa.exe	Lfjfecno.exe
File created	C:\Windows\SysWOW64\Kbjpeo32.dll	Nqmfdj32.exe
File created	C:\Windows\SysWOW64\Fhhfif32.dll	Jepjhg32.exe
File created	C:\Windows\SysWOW64\Fmplqd32.dll	Lfeljd32.exe
File created	C:\Windows\SysWOW64\Fboqkn32.dll	Lflbkcll.exe
File created	C:\Windows\SysWOW64\Offnhpfo.exe	Ocgbld32.exe
File created	C:\Windows\SysWOW64\Fijkdmhn.exe	Fflohaij.exe
File created	C:\Windows\SysWOW64\Fhjnfdhk.dll	Hedafk32.exe
File created	C:\Windows\SysWOW64\Iipfmggc.exe	Igajal32.exe
File opened for modification	C:\Windows\SysWOW64\Ioolkncg.exe	Iplkpa32.exe
File created	C:\Windows\SysWOW64\Onmfimga.exe	Offnhpfo.exe
File created	C:\Windows\SysWOW64\Peaggfjj.dll	Modgdicm.exe
File created	C:\Windows\SysWOW64\Pmiikh32.exe	Pjkmomfn.exe
File opened for modification	C:\Windows\SysWOW64\Hfhgkmpj.exe	Hoaojp32.exe
File created	C:\Windows\SysWOW64\Hhjhdagb.dll	Hfhgkmpj.exe
File created	C:\Windows\SysWOW64\Eihcbonm.dll	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Eehmok32.dll	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Lqmmmmph.exe	Lnoaaaad.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qmgelf32.exe
File created	C:\Windows\SysWOW64\Bkobmnka.exe	Bllbaa32.exe
File created	C:\Windows\SysWOW64\Obgbikfp.dll	Bkobmnka.exe
File created	C:\Windows\SysWOW64\Ebimgcfi.exe	Eokqkh32.exe
File opened for modification	C:\Windows\SysWOW64\Kjgeedch.exe	Kgiiiidd.exe
File opened for modification	C:\Windows\SysWOW64\Cfkmkf32.exe	Coadnlnb.exe
File opened for modification	C:\Windows\SysWOW64\Cnindhpg.exe	Chlflabp.exe
File created	C:\Windows\SysWOW64\Ggqecq32.dll	Eofgpikj.exe
File opened for modification	C:\Windows\SysWOW64\Onmfimga.exe	Offnhpfo.exe
File created	C:\Windows\SysWOW64\Ppcbba32.dll	Pffgom32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8784	8492	WerFault.exe	381

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hekgfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidphgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lqhdbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opclldhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdecgbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojncj32.dll"	Ebnfbcbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Felbnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipjoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhdjbno.dll"	Bebjdgmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmdae32.dll"	Hplbickp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lqmmmmph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgiiiidd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogjdmbil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efgemb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gehbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npefkf32.dll"	Blqllqqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bomkcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Panhbfep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nglhld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppgif32.dll"	Kpanan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgloefco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikmbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgdgna32.dll"	Iojbpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igfclkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdmpmdpj.dll"	Kjeiodek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbcih32.dll"	Ibaeen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfpcoefj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffceip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjeiodek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnoaaaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnindhpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdlmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebimgcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgiiiidd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jocefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onkidm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blqllqqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hehkajig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impliekg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll"	Mgbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkfadkgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flpmagqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nclbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbdlf32.dll"	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occmjg32.dll"	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amlogfel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2992	1604	79ddfc2c1bd843c80cc6cae2870f75542c43fef0db198fb91f8ecaaa474e0f9b_NeikiAnalytics.exe	90
PID 1604 wrote to memory of 2992	1604	79ddfc2c1bd843c80cc6cae2870f75542c43fef0db198fb91f8ecaaa474e0f9b_NeikiAnalytics.exe	90
PID 1604 wrote to memory of 2992	1604	79ddfc2c1bd843c80cc6cae2870f75542c43fef0db198fb91f8ecaaa474e0f9b_NeikiAnalytics.exe	90
PID 2992 wrote to memory of 1196	2992	Bebjdgmj.exe	91
PID 2992 wrote to memory of 1196	2992	Bebjdgmj.exe	91
PID 2992 wrote to memory of 1196	2992	Bebjdgmj.exe	91
PID 1196 wrote to memory of 2772	1196	Bllbaa32.exe	92
PID 1196 wrote to memory of 2772	1196	Bllbaa32.exe	92
PID 1196 wrote to memory of 2772	1196	Bllbaa32.exe	92
PID 2772 wrote to memory of 716	2772	Bkobmnka.exe	93
PID 2772 wrote to memory of 716	2772	Bkobmnka.exe	93
PID 2772 wrote to memory of 716	2772	Bkobmnka.exe	93
PID 716 wrote to memory of 4592	716	Bhbcfbjk.exe	94
PID 716 wrote to memory of 4592	716	Bhbcfbjk.exe	94
PID 716 wrote to memory of 4592	716	Bhbcfbjk.exe	94
PID 4592 wrote to memory of 4860	4592	Bomkcm32.exe	95
PID 4592 wrote to memory of 4860	4592	Bomkcm32.exe	95
PID 4592 wrote to memory of 4860	4592	Bomkcm32.exe	95
PID 4860 wrote to memory of 1516	4860	Bnoknihb.exe	96
PID 4860 wrote to memory of 1516	4860	Bnoknihb.exe	96
PID 4860 wrote to memory of 1516	4860	Bnoknihb.exe	96
PID 1516 wrote to memory of 1416	1516	Blqllqqa.exe	97
PID 1516 wrote to memory of 1416	1516	Blqllqqa.exe	97
PID 1516 wrote to memory of 1416	1516	Blqllqqa.exe	97
PID 1416 wrote to memory of 2300	1416	Camddhoi.exe	98
PID 1416 wrote to memory of 2300	1416	Camddhoi.exe	98
PID 1416 wrote to memory of 2300	1416	Camddhoi.exe	98
PID 2300 wrote to memory of 212	2300	Clchbqoo.exe	99
PID 2300 wrote to memory of 212	2300	Clchbqoo.exe	99
PID 2300 wrote to memory of 212	2300	Clchbqoo.exe	99
PID 212 wrote to memory of 912	212	Coadnlnb.exe	101
PID 212 wrote to memory of 912	212	Coadnlnb.exe	101
PID 212 wrote to memory of 912	212	Coadnlnb.exe	101
PID 912 wrote to memory of 4636	912	Cfkmkf32.exe	102
PID 912 wrote to memory of 4636	912	Cfkmkf32.exe	102
PID 912 wrote to memory of 4636	912	Cfkmkf32.exe	102
PID 4636 wrote to memory of 3624	4636	Cleegp32.exe	103
PID 4636 wrote to memory of 3624	4636	Cleegp32.exe	103
PID 4636 wrote to memory of 3624	4636	Cleegp32.exe	103
PID 3624 wrote to memory of 4988	3624	Cocacl32.exe	104
PID 3624 wrote to memory of 4988	3624	Cocacl32.exe	104
PID 3624 wrote to memory of 4988	3624	Cocacl32.exe	104
PID 4988 wrote to memory of 1596	4988	Cfnjpfcl.exe	105
PID 4988 wrote to memory of 1596	4988	Cfnjpfcl.exe	105
PID 4988 wrote to memory of 1596	4988	Cfnjpfcl.exe	105
PID 1596 wrote to memory of 5052	1596	Chlflabp.exe	107
PID 1596 wrote to memory of 5052	1596	Chlflabp.exe	107
PID 1596 wrote to memory of 5052	1596	Chlflabp.exe	107
PID 5052 wrote to memory of 4432	5052	Cnindhpg.exe	108
PID 5052 wrote to memory of 4432	5052	Cnindhpg.exe	108
PID 5052 wrote to memory of 4432	5052	Cnindhpg.exe	108
PID 4432 wrote to memory of 2452	4432	Cfpffeaj.exe	109
PID 4432 wrote to memory of 2452	4432	Cfpffeaj.exe	109
PID 4432 wrote to memory of 2452	4432	Cfpffeaj.exe	109
PID 2452 wrote to memory of 2520	2452	Cljobphg.exe	110
PID 2452 wrote to memory of 2520	2452	Cljobphg.exe	110
PID 2452 wrote to memory of 2520	2452	Cljobphg.exe	110
PID 2520 wrote to memory of 2144	2520	Cohkokgj.exe	111
PID 2520 wrote to memory of 2144	2520	Cohkokgj.exe	111
PID 2520 wrote to memory of 2144	2520	Cohkokgj.exe	111
PID 2144 wrote to memory of 3344	2144	Cdecgbfa.exe	112
PID 2144 wrote to memory of 3344	2144	Cdecgbfa.exe	112
PID 2144 wrote to memory of 3344	2144	Cdecgbfa.exe	112
PID 3344 wrote to memory of 1404	3344	Dkokcl32.exe	114

C:\Users\Admin\AppData\Local\Temp\79ddfc2c1bd843c80cc6cae2870f75542c43fef0db198fb91f8ecaaa474e0f9b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\79ddfc2c1bd843c80cc6cae2870f75542c43fef0db198fb91f8ecaaa474e0f9b_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\SysWOW64\Bebjdgmj.exe
  C:\Windows\system32\Bebjdgmj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\Bllbaa32.exe
    C:\Windows\system32\Bllbaa32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\SysWOW64\Bkobmnka.exe
      C:\Windows\system32\Bkobmnka.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:716
      - C:\Windows\SysWOW64\Bomkcm32.exe
        
        C:\Windows\system32\Bomkcm32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Clchbqoo.exe
        
        C:\Windows\system32\Clchbqoo.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Coadnlnb.exe
        
        C:\Windows\system32\Coadnlnb.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Cocacl32.exe
        
        C:\Windows\system32\Cocacl32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Cfnjpfcl.exe
        
        C:\Windows\system32\Cfnjpfcl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Chlflabp.exe
        
        C:\Windows\system32\Chlflabp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Cohkokgj.exe
        
        C:\Windows\system32\Cohkokgj.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        23⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        25⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Ddjmba32.exe
        
        C:\Windows\system32\Ddjmba32.exe
        26⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\Dooaoj32.exe
        
        C:\Windows\system32\Dooaoj32.exe
        27⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        30⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        31⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        34⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        35⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        37⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        38⤵
        Executes dropped EXE
        
        PID:3944
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        39⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        40⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        41⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Ebgpad32.exe
        
        C:\Windows\system32\Ebgpad32.exe
        42⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        43⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Ebimgcfi.exe
        
        C:\Windows\system32\Ebimgcfi.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        46⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3844
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        48⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        51⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        52⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        55⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        57⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        60⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        61⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        64⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        65⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        66⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        67⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3692
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        71⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        72⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        75⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        77⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        78⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        81⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        83⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        84⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        85⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        87⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        89⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        90⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        92⤵
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        93⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Hehkajig.exe
        
        C:\Windows\system32\Hehkajig.exe
        94⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        96⤵
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        98⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        99⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        100⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        101⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        102⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        103⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        104⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        106⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        108⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        110⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        112⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        113⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        116⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        118⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        120⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        121⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        122⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        124⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        126⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        127⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        128⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        129⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        130⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        131⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        132⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        133⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6524
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        135⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        136⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6656
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        138⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        139⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        140⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        141⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        143⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        144⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7064
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        146⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        147⤵
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        148⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6268
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        150⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        152⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        153⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        154⤵
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        155⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6924
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        157⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        158⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        159⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        160⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        161⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        162⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        163⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        164⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7052
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        167⤵
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        168⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        169⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        170⤵
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        172⤵
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        173⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        174⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        175⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        176⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        177⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7248
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        179⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        180⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        181⤵
        Drops file in System32 directory
        
        PID:7372
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7416
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        183⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        184⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7536
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        186⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        187⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        188⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        189⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7732
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        191⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        192⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        193⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        194⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        195⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7956
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        197⤵
        Modifies registry class
        
        PID:8000
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        198⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8076
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        200⤵
        Modifies registry class
        
        PID:8116
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8156
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        202⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        203⤵
        Modifies registry class
        
        PID:7244
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        204⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        205⤵
        Drops file in System32 directory
        
        PID:7368
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7388
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        207⤵
        Drops file in System32 directory
        
        PID:7480
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7544
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        209⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        210⤵
        Modifies registry class
        
        PID:7672
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        211⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        212⤵
        Drops file in System32 directory
        
        PID:7804
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        213⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7868
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        214⤵
        Drops file in System32 directory
        
        PID:7940
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        215⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        216⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8148
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        218⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        219⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        220⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        221⤵
        Modifies registry class
        
        PID:7524
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        222⤵
        Modifies registry class
        
        PID:7608
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        223⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        224⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        225⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        226⤵
        Drops file in System32 directory
        
        PID:8068
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        228⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        229⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        230⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8024
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        232⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7720
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7916
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7592
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        236⤵
        Drops file in System32 directory
        
        PID:8176
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        237⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8204
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8244
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8284
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        241⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8324
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8364
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        243⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        244⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8484
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        246⤵
        Modifies registry class
        
        PID:8524
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        247⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        248⤵
        Drops file in System32 directory
        
        PID:8600
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        249⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        250⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        251⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        252⤵
        Modifies registry class
        
        PID:8768
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        253⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8808
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        254⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        255⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        256⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        257⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8972
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        258⤵
        Modifies registry class
        
        PID:9016
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9052
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        260⤵
        Modifies registry class
        
        PID:9092
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        261⤵
        Modifies registry class
        
        PID:9132
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        262⤵
        Modifies registry class
        
        PID:9172
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        263⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        264⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        265⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        266⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        267⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        268⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        269⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        270⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        271⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        272⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        273⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8668
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        274⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        275⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        276⤵
        Modifies registry class
        
        PID:8844
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        277⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        278⤵
        Drops file in System32 directory
        
        PID:8984
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        279⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        280⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        281⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:9196
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        282⤵
        Modifies registry class
        
        PID:8280
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        283⤵
        Drops file in System32 directory
        
        PID:8396
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        284⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8492 -s 400
        285⤵
        Program crash
        
        PID:8784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3932,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=1052 /prefetch:8
1⤵
PID:6428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8492 -ip 8492
1⤵
PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adcjop32.exe

Filesize
59KB

MD5
7331d9923faced3a92f62d3e23f91008

SHA1
fe767593cfbd2a76f6aeed9347436b29019a55d7

SHA256
2d17c7df2ebc5f24ee104034bcfb638187492e75b102c9297eb9276b0c60c8de

SHA512
e89bbaebbc4bb19eae2bc9d7373005a64d205f65fbbb363aee27b4d3b2af8a7ab17d8d6f7156ef04f7a42cb33389c2d8e4e1d9b48ddb406587e1692cf98b8cc2

Download Submit
C:\Windows\SysWOW64\Akkffkhk.exe

Filesize
59KB

MD5
1dceaf0575535facfa707623c889e98d

SHA1
b4d303b435684d0bdee2053d1548af247b857817

SHA256
5c1682616a828c0f70327ca89bc07b605dc60686bf8ae16605f47e1447476628

SHA512
95428fa7182bf15de292c927cb4d4527b64280c0a142f00b13261f8dd880263df1d6dfea283cfeca176a077666d795a38950b0ef538fb01d9c73e96386adeadc

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
59KB

MD5
095ca4724dac9ab4ca983affe388408f

SHA1
0715a975d24f8563ead21d19dc11217af2eb63b3

SHA256
c462af81f7eb9b03c6be734e87394f21831d53feb248d9be88a7231966ad5ee7

SHA512
f3a27a888e450ea7a82ab78ccfbe2b978cef7c38d5510f745802bb5615bcfdcaadc258f28442de9319a66b39a3109fd22c501424223c485d92d703c92c8cad2b

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
59KB

MD5
e949ab913346eafc1740bd368b737c71

SHA1
e8987fd8d46a8cd28a7961e6e6146f4cfbc38a2e

SHA256
657f5f0a4ceb98e0712c4e89a8a6550586bb0b5dc6efbab77fc200d84b3b5d2a

SHA512
50ecb62db7eb5509d9f1a5e22c05af3ed5637c33b2d1aea0cb4e1d26a4a2bfe9a224ed2e6c3e8e44253171b14d3ca066acd23c503f402352a18558cf645958fb

Download Submit
C:\Windows\SysWOW64\Bebjdgmj.exe

Filesize
59KB

MD5
daec7c40305381adeec38de879e5009d

SHA1
0985f98cbb5124ed433139ee179a09ca575fb3df

SHA256
04652a0feff44b876a9f1fbba7b559c0e11670f02aeb149ab3b87db68aaf9b3f

SHA512
88557d44aca5665dddb80f4fc60f1a0ae13ffcfdf0f08275209ebec6dd2e9d56c574c627ee65d4bcadb77e5c465458c6c7dc56c468cd7c7dafc97fd175a87d2f

Download Submit
C:\Windows\SysWOW64\Bhbcfbjk.exe

Filesize
59KB

MD5
73ef7dcfe816acfa87d3f388157818a8

SHA1
20d761b96f1d8e4e7ac4833efa8866e107a93c53

SHA256
2a5343c28b32709bca4e08885d66db326a335ec07fa7c490d1e2691230fc466b

SHA512
d3ab3146761e8f53b76b373342832789547b1458540fd445ba5456047c48fd6e62abde075e4e3b33e746e3ea65a0160a2c5a147d361b9cf40df0156f8cde0f90

Download Submit
C:\Windows\SysWOW64\Bhkfkmmg.exe

Filesize
59KB

MD5
6a66e7ad6a3dcf375b55067ef1810847

SHA1
08a5f52c54fcacb5ae40d548cae7d1880809e49a

SHA256
d23b2eb743f25367899d551f8fef04f4c18d4268545bca7961a4b25e0106b502

SHA512
8008195e95458840b27bc1b8159d8e5baf6fdd197eab9eccc13581ab06e04f36a63ab90931fe38471aacf086cececdd0150687a5b137fd3267e649df1ea467da

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
59KB

MD5
606214280e57a21dc4bcd5b12a884ee6

SHA1
ad36fbc235a2d4c542d6978fc939e7b0a92c9b71

SHA256
4574264d05934b970ce807d7818e7c87c35c215db57f76c6adeb4642ab343bcd

SHA512
193b591aa1073b0fff429abdc4be708ed1852e7e5493a23209585f32911fe84eb9688895430a25725644be5cdf0f870f5264ea9b95085f9e2f0c2ef3a245ce8e

Download Submit
C:\Windows\SysWOW64\Bkobmnka.exe

Filesize
59KB

MD5
aeddd8665a1eec39c593c7313593fea5

SHA1
5d7ccbacdd74fdc7da359ec14e69a08dbcbf4c8c

SHA256
185b9a9b22abd187bf65b868542dc009d7818a821e1e432a64c4b9ac7f32d2a6

SHA512
9b15199cfe2c946e89e051bf229acf4845ae7fc861b349522ebef03789fb0fad3e2c3191218be0e27457bd4caea0c3b6ab0e812b3023eb7f4b06b900e1efa4f7

Download Submit
C:\Windows\SysWOW64\Bllbaa32.exe

Filesize
59KB

MD5
76cef7cdc5e0d1426c7af0d6150f40a6

SHA1
ce0add8caf946b5ff52d34594380ff9aba750a43

SHA256
439a77190650666e8b55294a972e770365f4bf636869b20f8a33024de59cd414

SHA512
2a895df409e1772338b9c8293a1bd86b5b3046c23d952d6443dd48aa3ce9e03eadf7bace9449a347f7b7c83deda8ddc1ad9f911b6d2c4a462438bc6320a7de71

Download Submit
C:\Windows\SysWOW64\Blqllqqa.exe

Filesize
59KB

MD5
900eee6b5a70df65219c3bef1682f4ba

SHA1
bf4a644823312a883b88d39fe5a86e523bef0918

SHA256
e3227e2c8e71de5d216dd087d88d6b4f0ffc0758098c7c0d7dc70f066285ceac

SHA512
ab0d1491cfb93c23ce7f269a6bf473501b65f81faecb2f9d806a253fe8f64153f3e3647a400647c5fa1af240a673d9a5e9e37326bae60f556b082ffac86f5dfc

Download Submit
C:\Windows\SysWOW64\Bnoknihb.exe

Filesize
59KB

MD5
21f9e5b8d14cb8769f08d935f4187fa3

SHA1
537e8a5b90ea5fccfa37233bcb1888acb30ea3fa

SHA256
30b9f349024d74981c888443d7f993e4ee19d71dccf2ff2e4f4e3c53262470f1

SHA512
3a52c6e27fa07a36a96c6b15fd35b8a44e51c09f73b5336e5711bf491d665e56e321bc55cbc73ee907f8d879499aa3556693047a109d96995fa54fbb2098c709

Download Submit
C:\Windows\SysWOW64\Bomkcm32.exe

Filesize
59KB

MD5
e8c46137971d8b3621af04a3258378dd

SHA1
41ff2a54806a10bc84b5e21ff747a8de9d8be19c

SHA256
3d2caf6088de0c9373dbd783246da48143bf73cc15da8fb9e5576bce0c2b858a

SHA512
a77bd8a566cbdc11dff0c1a44f44d615c9783c38e734aab8359407771847dead8f074436f6032d0daf3ad088fb07a5795f5910faf703389649525237b8113c48

Download Submit
C:\Windows\SysWOW64\Camddhoi.exe

Filesize
59KB

MD5
d992787f2a6fad4632382234ee843cec

SHA1
fc087bc8226ee949070166f46f036b9e785c4c4c

SHA256
b816d0b86b3c89c392106cdc48d800515f0dc63f90bd3201cf17168a9c0f223b

SHA512
843ece0bcc65ebe5694e0a11b28e128e5826c71e60c5e901f91185a87127c059a122397e7c7130a04df1250ef4eb2209a0ff81ac60223f2632d5d62b0b45e500

Download Submit
C:\Windows\SysWOW64\Cdbpgl32.exe

Filesize
59KB

MD5
5d6463e49bbd8dd9d2405f4c456323d9

SHA1
f6d779159fadcd084b171d90623b53355a0f6338

SHA256
7403bd09fa62dda0458f4ed96fc8db3b5cb1a84ce02b7554e6fd414f25b3650c

SHA512
055c4c43efe4d9f811a6a179b72a631836fe9d2998c27d9f31dd90d4c33deb4dcfc999aa2d06f3ab550e61241cc2af7a600baccbaf0c76b213aebc794d4e8d64

Download Submit
C:\Windows\SysWOW64\Cdecgbfa.exe

Filesize
59KB

MD5
7e9951090442990e3b4c0821c3d575e4

SHA1
98b64d251faaf3f2c1e2cadf69b2a70f3cb79a16

SHA256
f1efe7f3af2266d36c9e838f070b529c7321e52d87eb2040366f61370bab181d

SHA512
522189dbcaf19d9b30e70f2fa074047dd31dfee40fb3923ba9fec2171ecaf296883e7b21c2812495a6f48a9fd89c7531c47ba95b28e1bb452032e58d38ad3afc

Download Submit
C:\Windows\SysWOW64\Cfkmkf32.exe

Filesize
59KB

MD5
4fab3618d39e3d555f63214bb78ef679

SHA1
cd00a34701ff33e41b0e06ad30e79ab495320b1d

SHA256
f7837763f50aba8a361ffdba4f6eee07bdaef11e3e5e329b0e1fc5d0168da294

SHA512
571376c550bbc60668faf110459592ec37ad7cd5c3eac4c61211057d6162e9957c53fa10720fbd68bf7c4330f91ceef5834c3e2ec2c80d5b457f215d1cc2a84a

Download Submit
C:\Windows\SysWOW64\Cfnjpfcl.exe

Filesize
59KB

MD5
85cfa9a18911d0638468e7901d48be2d

SHA1
3f8aefb04730f8984470a8a0eb3ed96019179f75

SHA256
8d3f9ad647e725e87fa4faf6afb690b4f31bb67a271e88237a9440a0a403de49

SHA512
18f85ebf95eef4f3e5cadf3db9a95929ddeb29961f30c93117fac84fecbeacecdb36a7c1718f77fd05b0cf599fb6a5da827fb269306778298d10a3c6f7fef3cc

Download Submit
C:\Windows\SysWOW64\Cfpffeaj.exe

Filesize
59KB

MD5
aac5489af7ad7247e3faaa9e35482cef

SHA1
5759fdd66144a3d07048df0d4ce739f810ad0cc8

SHA256
b859179552ff8d44b2d0d4c1a0c79f4f996ad1a8c51eb3d8c48ef624e1c15c3a

SHA512
e29d8a56cd7ab3aa69a9d98d6763c356ad60b9b882756ba676befbcd9bda484dcc5a06b5fe834da1bb6a8f009202ad4ca871d526d4bd121fffd41292ddec87b2

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
59KB

MD5
f9e5bba6da62d82b76c31853918d2a23

SHA1
2aafbaa00804abc02a3ef03ee9ff6e847e2a3d72

SHA256
4856a55100e662afc5d2ca1af13451c3680fc0ffe00c4df44b2cff2a0b28e6d3

SHA512
1da5ae1a87d99c61e5bc6a33b1212c1da27aa4acc24ab28cb78987fb4cca70394f227c53e5d18d969b5c98e02e1dcd966abe7b4f6397900e6a67233b6f841e9b

Download Submit
C:\Windows\SysWOW64\Chlflabp.exe

Filesize
59KB

MD5
6e970fe5b7b59caf02b1ce81f581dfb0

SHA1
fcd58c6b0b8ab7ff764025956e0b6aec914f4b32

SHA256
d623028cb4f5f609478b88764c9a38d8b55f9dbf352ee7e9282bfd73e4f3f08b

SHA512
e4cd7ec1d53804891976e6016761f32ae816cfd5ca4d7cee98a52504672f6ba17ab5011e5a6ce69ff8061004d94b47db6b3531f6126879a2aac7b0da0fdf0b38

Download Submit
C:\Windows\SysWOW64\Clchbqoo.exe

Filesize
59KB

MD5
43a15446cb734a1abb211dcf8eeac36d

SHA1
6be54ac877a58db4f0b1dccc0296a8144c3724f7

SHA256
d4ca8536e1f32be980ba901d4fd262b87c3aa98f7c4abcd4caa82a45782d8a0f

SHA512
241c819024564b95c0a653a409ed291859ad79173a64b3c9840b22d96f4b637be4ad5109262f4aee2545650bedf01b42228a539f618028dacbd57ade1211ef67

Download Submit
C:\Windows\SysWOW64\Cleegp32.exe

Filesize
59KB

MD5
46fe4c9697d829e32d1f4c8868c2ed74

SHA1
9f9b93e101824f17d8e4a9a74d84f06e7c0be81f

SHA256
53b1bb72e43bd03206ab66f1892df4e5a61684cbb97440bd734be48ae9a4faed

SHA512
2510caf946c281f8ebc7de06125d8e5c334111c59c9c49da80696d0af98a4268bc852fe1d9011f6f70f4de2b9c2c7fed53a33e015f2e135af191ccfdf7b642c1

Download Submit
C:\Windows\SysWOW64\Cljobphg.exe

Filesize
59KB

MD5
8eb359d824ea8691b83da9254de709cf

SHA1
5b57a40f542e46d55a6bec9ef2a13fbf99a13a44

SHA256
4444faa885809f185d20e0595f9a3462f513bf1cae4701ae69d99040c3addbf7

SHA512
db2af5adcdad1a21d5bc54fe7debe5b7d1724e27cfacc2a8f5c89752302780d687f556d4e7d89a764237461d95455fbad1f6214c5397ed50702902ffeaa01aad

Download Submit
C:\Windows\SysWOW64\Cnindhpg.exe

Filesize
59KB

MD5
4a26da15d64703a3bcc1b3f5640b04ae

SHA1
8cac76c9ebfc351980cbc78bf0b67b7c67f16e66

SHA256
df9a854f9e3620f381ba22f16dce5d2863b9cacedb54b5223b3d69e5e715026b

SHA512
d1a473498a8b96448f68f5dcd6226d1b18c5c0d5be6b6037551bbe55ddec6e6667703d1fc8f57c5fc14013c544b116822cd9c22562c51c765216bde7e2c5aff7

Download Submit
C:\Windows\SysWOW64\Coadnlnb.exe

Filesize
59KB

MD5
894eb54a241ce59660e502b5c04862c1

SHA1
43a3c8b475e978f3b1d67cc4a3b5539b48d494db

SHA256
9af0f139b7641d3a9e8a23470c4389ffe61946de27e36836e488508d3cdce71d

SHA512
2884b70d952798aaf96edb0f4e853da9d427e5be921d4bf67bdd006973bd21cd66cb66e4a37721ce9a529bb436e0274396cec55c1c23b248d80aa032a429fe4f

Download Submit
C:\Windows\SysWOW64\Cocacl32.exe

Filesize
59KB

MD5
704f4533b2d44ab9ad80267435ec9bf9

SHA1
35c66257e6fbbe7491a2f33d159f2b6f5cb9cb7c

SHA256
40a655a6273eecc7050905bbbb8b1c67349b641dca47d45b5836b200cb9be156

SHA512
7dec84d6d13509c25444c64f7ac285d7ff8c6d01cd8c5e8f2d84f73b1813c51280f81ea0676c13ffc76ea0b942eb04009a65bfc0e46dbea6b977bc12f5f7c4c9

Download Submit
C:\Windows\SysWOW64\Cohkokgj.exe

Filesize
59KB

MD5
bc8fbfa547505649bcf8fd1588d860b2

SHA1
0e99827f7414433529b9e8a2fe49c1dec5b410e0

SHA256
c6bcf9c3951b2a70a720107133a8e514e65a24f1a149a491f38b68a27a6ece1e

SHA512
38f0dd70ab21651ff43235168be4830ca376c784293a39315c6e06c590e1b0c7361e44b92948272e8213d9368a844a879dc7b736ceade57552ba237f48ed8412

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
59KB

MD5
b65a7b42994030e05bd4ee58581641eb

SHA1
5a99d1e65f1863461c9f23ee731a3b3be37425ed

SHA256
f03861b0dce5a9ba99aedc57fb96a64f3eb32e7bb7c45ee44d515ca5d9b3e28e

SHA512
ec3e893023593d1c6a40ef090537581e281823bd11130affbdbddce8caa5eb09e0ada1cb4e5fa511a8cf5349669f83142eae1cc26f57d318ca1fcfda7ad64440

Download Submit
C:\Windows\SysWOW64\Dbbffdlq.exe

Filesize
59KB

MD5
bfbbf12584598313aeea070ea2513779

SHA1
ccb3b1a6e4f8d541635a6fc8939407da27acb5fc

SHA256
7d96b1a3bfa6c50a502a4188663f10e12929f1f0dce471ab38d3a8cd87f406cd

SHA512
947fed991cc54de8b4f1809842bcf278394d0c1f5e2daa3e972090c30f09848eb0cfed1958b36e77092c49f1cd6c10bd08482da5d7a02d64be295159023ddf87

Download Submit
C:\Windows\SysWOW64\Ddjmba32.exe

Filesize
59KB

MD5
df900456d1a8fada488e157765202b2f

SHA1
3b5cf7555799304ce6c3fe39af948f1ca146c647

SHA256
5d31f5daf5966a2291fd909c2f76943f14d155398c10202882a8744099ab4d16

SHA512
11b287e50b1a7ddcfb1917a79f5c034b791970c0208a9a7e9b085deca86ae9561687fd5f74e3e6805982cc42914d1ec18511d4d1a57b32f0fa63f57b40f4be01

Download Submit
C:\Windows\SysWOW64\Ddligq32.exe

Filesize
59KB

MD5
40f9528ebe3004b3ced143097782540d

SHA1
be9cc632639fbc6a39afefc91a21547ae3981a1b

SHA256
68ae9a9bf46b8bf274af71025679caa3c76081141e9a42167e289a6d0faa950d

SHA512
f6615a31388668a956a065c09b32a1254a8b9bb81950cba73f7bd0d43a1717bfda4d9b5af06d50cdebda154b62be83207d5f6467c946898e9d9dfb2b6464fe3b

Download Submit
C:\Windows\SysWOW64\Dfdpad32.exe

Filesize
59KB

MD5
00961d721e25d0bf80999026c4b44550

SHA1
e763be68a6c8e3a9ee4229c30ac5999faa209125

SHA256
9238effeb912f29f168a880ce27c460c76eca4f061d53e0cdd7b800623969089

SHA512
adfbeb01fbeb49564438109c8f2fd1c20db961af63d35f13a247576b570cd924e4ac0a608faa7ccb770179a5498b975dd76eb5804c76e97c8fdcabbc68b58d3f

Download Submit
C:\Windows\SysWOW64\Dflfac32.exe

Filesize
59KB

MD5
20aaf9404f31f512b3eb4a42e027ee70

SHA1
326478ed27c78da4b09a52fbdda99be5a5c2fb4d

SHA256
fa4825e96a4230232ccae33c91b5017b3f31d89058b971e98b884521b64bac5a

SHA512
513d88448dc55fc4f2e284afef6dda652a0b70a75dfedea3af346e076ffa78a237e050dcfc5649b7b3d17bdfba2e8a7224dae968884a6764969fa08da76ba231

Download Submit
C:\Windows\SysWOW64\Dhclmp32.exe

Filesize
59KB

MD5
2b9d319039811f272ca339a861418132

SHA1
c72787d87fcd778ef26b81440fdb12f0b5c80673

SHA256
eb51993e61d679ffa2320a84174b406fa5bee231b81fe3cdc2931c0c402c937e

SHA512
fa109946278310242ca8e4153e0cede09528dca608b2a8ec59983bcada219afa4e9f78b1e80fada682f73af26e77eb1b8b87e4582c036d7e2bf94b259f22431a

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
59KB

MD5
f2903c1d4fb81cbb44a556bf16f27a74

SHA1
1cd03a3d8faca5f38e56474fea838842b212b234

SHA256
a4c0f366981ca2c28e1f3f7f589268fe4895eea279ca23b1152a9e0d59aa18c9

SHA512
33f4d0237948fa07d392388b7c47678cd3432e6504bf555ab1c8d57dfa22637a779fb5301fe01498927e255b7f344e20f91a46fa94091173cf534c521a240074

Download Submit
C:\Windows\SysWOW64\Dkokcl32.exe

Filesize
59KB

MD5
910b670ccfbf2d9d68901c5673728f48

SHA1
227abb2fc9af368359ad155ee4b10f0ac55916b8

SHA256
c324c854babe00db93fbf4cbe22a8ecde79e17493700aa9bfe7d4cb26ba6dd6a

SHA512
4871ce33033b20c6c05c83fd6f3f8948d067d20ad270513dca9a62dba7d641696b25d119a50530f8a159f35dd885c1e9e7502f6e88737516fc636b118b01e075

Download Submit
C:\Windows\SysWOW64\Dmennnni.exe

Filesize
59KB

MD5
74eba2036bafbea5232e5a0360ffe9d9

SHA1
fd63fee5fa5a7cdcd8dce470a328f4553c9e0b05

SHA256
db9ae5606e17328fb00650cff93c409948bfaf495bd6bbbeeaffd3ea774a985d

SHA512
c0556ce8acae7c93429319a32a0d8de3adb464854deb80dff5176b0073f043d0ae71ac5db893eaa35de68fca2509126124fae2796b51a0dc4fa5153861345f1a

Download Submit
C:\Windows\SysWOW64\Dnpdegjp.exe

Filesize
59KB

MD5
48fe4e5acd24f1bb630c1c0e7c67f0a9

SHA1
36646329a174c7c4e73909412d655b40c881a935

SHA256
643f9a710c64bd5b182b8cf110dc893de109340a934362f7e7081d42c41d60e9

SHA512
0ef20012534c5e707b1ac3166bb2381027bac260ba07afd3c874ff75b181d7a6e7d125a519ed2a3e9400d3cd7a70ba720563ef859588a1eaf25098712e8ff06a

Download Submit
C:\Windows\SysWOW64\Doaneiop.exe

Filesize
59KB

MD5
d70b6106801d124f6599b9c4de899ab3

SHA1
7bb806228fde459babc08657c4c6e35584be4fed

SHA256
65ef9369a47b5faeb93ee36a69f8270cb2f383193c5b3223a71b3cfde6c4582b

SHA512
e07ba8f36f3c62d67be478f5a8a83cc96bae4d9230d8348cbae068dbf7644c51ed865cfcc4c7da40b79a38f5cd973ad54977e54f615e99e5119a6cfd4163d477

Download Submit
C:\Windows\SysWOW64\Dooaoj32.exe

Filesize
59KB

MD5
2c8847e99e4a06110d4ea0dc11596217

SHA1
e3bc489fe6790f9ff348f7f481a6ce8311e9e3ba

SHA256
053fbc28d24eea2605a4444e5d3c8c9de2c34d80c355ad7722a227cb566be70a

SHA512
f25e307fc2d57f10932d80e1eb063deea563ae00d632dd6ff3f73b7937747b1d9c8fd108adffe1d559a057baf31d33656321af3850c4bb34025b71d1dbaec795

Download Submit
C:\Windows\SysWOW64\Gbnoiqdq.exe

Filesize
59KB

MD5
215b81d1117344a18367d6003afc8fe4

SHA1
97d1f6ccfb20c1d9c40faeaebed9d6790dc94c6d

SHA256
0e721daf6b3b7e4f9e763f4ec90b3d71ef6c5ba8bdd22dece02510ac932bea81

SHA512
d0a7da79a6f8f2ce4ba0448851e2df080b4e2fae4794bd74c2a20e77f14fb90ba16b8b582236cb68c9c24c5a34649570fc11f320bd0dfc24f743518fe983739e

Download Submit
C:\Windows\SysWOW64\Gmdcfidg.exe

Filesize
59KB

MD5
9146dc9171eb1db23c97d95c563ce8df

SHA1
80fa025dcc391a680fef8e693d4b382805db51ab

SHA256
b381de5f2e600c1ffe9000fca72147931bc36928ad3f26dbbe5d4ba06e948ebf

SHA512
9b5d33ccf66100c913b3374681e426921fe4eeef2e3625c3677ff762dd4a9119cf813869cb71be1b71424ea3d4a71f3f0488a78d95ce37ed44e4f8f574b71e14

Download Submit
C:\Windows\SysWOW64\Gmimai32.exe

Filesize
59KB

MD5
945fdbc8983d5a0735695235b22461cf

SHA1
4b342763ce254675694215cf79cc06e1e9ba337d

SHA256
cd743a4867998b68c4e5d0898000baaab0bb0fc6a6f20cdcdb57916d7e45afb1

SHA512
eec5b82200c94c5d1185898bd99a660b8e8efb40b72d9350d84e54b0f55bfe68a056ab425024b90e8c79f73f929faa8307e10127f76b277c48c57c5c8b90458e

Download Submit
C:\Windows\SysWOW64\Iohejo32.exe

Filesize
59KB

MD5
694c54a2ecbe7f7b089e25874ba118c1

SHA1
88b2585b83a1c1c3568551159e01e572e4e5a40b

SHA256
31bf76da6f4da31453f91c4bafddb03abc72eda70b382d3d4fd86f15103904b3

SHA512
6265ffb051a70f205460e5035c922385bcb1575186b82f1b0ac598342df2abbfd3f97825a5afa9b24fe3053e7c15e2ce0f185a3db154a3d22c8df6af0b96e575

Download Submit
C:\Windows\SysWOW64\Jpcapp32.exe

Filesize
59KB

MD5
a0380fa5cdffd32bc572f9960886f6c9

SHA1
4e638fdbb6aa7bcf1be4c328742269bc586e9f32

SHA256
45f9f068f8e4163af166bc99115df1811ce364f9aa32c73c4d84f285391592d2

SHA512
f3a826f8adefcc2a47ab7f7f53dbac94eae2909df7b03cda23bf50ffaac8ae50ee0cdbb122630354b681661e1db371b2c13d90ded688d062fff610cd6990d52b

Download Submit
C:\Windows\SysWOW64\Kfpcoefj.exe

Filesize
59KB

MD5
8b6af5d9ff1dfeb4ba09abc4707dcf30

SHA1
4186fdcfdc6d4dc2ebd89dab08f85106bafa49c8

SHA256
56dd029e620db5272f190f90af797f2a43826303337586c07e3405847f341d9d

SHA512
d1ab892d5d122aaa0e0df289a7ce0617a6cbb795efa4cca60a6a12bbe0ed1a76a6df44650f72d298bce57107b00ea6afad8901a5689c3e6d2640b84150d7ac18

Download Submit
C:\Windows\SysWOW64\Lfgipd32.exe

Filesize
59KB

MD5
f9ba5a23b039aaad653744223403beaa

SHA1
4e2535c59d4bc0a4d0f93ffe59585eee13c1ebd1

SHA256
276cb435627b930aaf43dfa4ae6b0f0d2261e6bc4ac3ee54afddbcacfdef3b19

SHA512
e0ab501dcb335d49c6a81e97e1e5e5c735bc2e09b9760edc894258514722bc2ba87188a8ac32557147a6155d6f3a323a6c19bc07bbe201f3ee3f77d6e4c15f67

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
59KB

MD5
cd1924af8c8e9ee6ac1bd18e34eefc49

SHA1
e85cbdbd54f249d561a211f9a7567deb8f6f85c9

SHA256
a8913969895b609da8e65a4733851ca7af8ffd7fe5d56193bcfaf5712dfef18e

SHA512
b7fb290134bb897cf5f6be0f0a3a0094a271123e35bdbaeb77f48fb43d70c91f4f5f35ba3ecbf541914beebf4cccf2c755b6816b7b59217465132a983a196844

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
59KB

MD5
c20f79049f33f52d0163146cccc2c521

SHA1
d847a03ebe7af41f227533fb16090668c5326191

SHA256
0da0e242637ffb2b729c43855b0419a272f26ac4212ebe006617405f87e1cd65

SHA512
dabbb31108f63dd7da0eec9bbd837f46ede9cb57e2f988e0fbc6e2daa30c9d7ed2decbd93116c07a60060d8c952c3126af01ae99e90c86831f7bac6dd15bd0e5

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
59KB

MD5
be3c09d3fa4b47511e80b04fe93ba3d4

SHA1
ce9239817fa07b83d7c6a34a59218f91b7981837

SHA256
dea51758ba7b547a85778eb1b07444678de0d089be18a0a9c999393279c8b62e

SHA512
b015a26e35038695a2223a6f69cddb8c06fe60eefc2d52c2a7b31c9dd35e587d52a578ec0db3d2be9de157abf616061981817792a7844b84e58ca807f8423aa1

Download Submit
C:\Windows\SysWOW64\Oakbehfe.exe

Filesize
59KB

MD5
41f49f10d9c4722c6e1c5ab44456edbb

SHA1
7b1a0de4b38fa5003e0dc64184a3c316c18ccda6

SHA256
71702edd2b05eba8e165dbd7c63de54fa6afd6f03f0e0223ab1f5796ba5418cf

SHA512
33bed77716de7fce4ea0242c377cfd3ff60dac1b8f075b06f459356323125770d03006aaccaa34616aadb2261a46d1dac32ec61fc0b00a678a2c8717c7dee091

Download Submit
C:\Windows\SysWOW64\Ojhpimhp.exe

Filesize
59KB

MD5
62c0b1957f6d5a2ebdd777df9f589339

SHA1
4a3c4908e27b362562804f00c55857d2303d6b3c

SHA256
fa481d9876f2f414778782f83b503696a7630b4f7c768d6fc53c2af53cbde12b

SHA512
a4fca5cf6dd30b7042658f18df62daa88b096e91b64a2e9ddadb733f8157dd713b6256018b7d49899d7a5087efee1fea8ca69b1c15acd9b8074eb5d79dc33166

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
59KB

MD5
3a4c87ade11c3bd0372dfa586f87f5a3

SHA1
2b2055992c11c23328a77028a395af1fd0a7c80f

SHA256
82db2b7ba932f4ee87af292869bc9913cea1b8e0921996f10b87baf6e6e9b845

SHA512
c8d532cf2458923adf793dc9687425fe62cc467b83961023eee68bd4de6e9311e1ba968591892a62f580db9608f8cd444fc57e4e1282e28985b167015794b7ad

Download Submit
C:\Windows\SysWOW64\Panhbfep.exe

Filesize
59KB

MD5
2faad074a3b809acc1c3b6b401ffb78a

SHA1
e68977c1b2191b1a08b417dbbbde4958017cd346

SHA256
e0e06f451a1ebeb5490668cce6c58754cc18a65545a0d8e047ccc6dbba118a78

SHA512
5183d5f5242dd16ee263df79710099c3ef75c028af9bf3a92ea76999ec055e13ff44886dc7af9d214ac00b6a95af58d2a879d814fecdd760e38ef392fff0c6a7

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
59KB

MD5
1a787fd807a7789fc6503f0b6cedb8ca

SHA1
67e23754eed0ead7d00c46932ac1460c11d2b2b6

SHA256
4353ae04fec8fcfceded9d08bdf9844a888c01df337e71923e0cbbb59e2b1054

SHA512
b047dcb731cd45d1e40c1fe2179c2493d8b86908abcaade75a873f84e30139f9859b1cfb0f33816112304dad7ff0ea75096c8c09dfc28b0ffe6c803931a595a0

Download Submit
C:\Windows\SysWOW64\Pjmjdm32.exe

Filesize
59KB

MD5
26464346246daf51803e52ac852b0fd7

SHA1
5a76712d2743950fb757ac0464ee352e105f6b3c

SHA256
8a1b2b0180c0afcf776ccee12607e26023f0a53bbcefe39e99f6ccd8afbb173e

SHA512
be2e11700f023365a16095490e5336c2c53675d43853965b1a1b5dee98996ad8b2f2a6dbad0b0ae1d424756ae4540eaffda6366ce62105dac29c3a4200bf8e94

Download Submit
C:\Windows\SysWOW64\Pmnbfhal.exe

Filesize
59KB

MD5
69027923a321c7a4959e2c69439a6395

SHA1
252ce34a3271cdce01c1bdd45f38daa813584eb6

SHA256
7c242a43643323b2125e207a6185f7e9cbf5545b06defee24d46f727bb56f1e4

SHA512
2337747f3b8ce35a9f08e054b712ab38ac53290422f3f5bb3439590aaa99b9cca31495ed22bcd193fe6c9e736ff2ca49a1f7a24ca277e811fbc33a1ddf6fca78

Download Submit
memory/212-591-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/212-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/216-291-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/436-271-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/536-438-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/636-415-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/668-425-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/716-36-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/716-552-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/760-373-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/808-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/912-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/912-598-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1088-323-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1136-391-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1196-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1196-539-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1404-179-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1416-578-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1416-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1516-572-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1516-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1596-624-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1596-118-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1604-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1604-526-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1616-260-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1756-403-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1844-281-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2144-158-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2236-227-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2252-381-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2300-585-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2376-199-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2452-636-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2452-145-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2520-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2520-648-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2772-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2772-545-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2832-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2928-214-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2936-235-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2992-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2992-532-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3276-245-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3344-167-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3624-611-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3624-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3692-455-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3748-317-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3800-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3844-329-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3988-254-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4020-409-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4028-190-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4060-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4216-339-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4324-427-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4368-341-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4432-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4432-635-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4592-559-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4592-44-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4636-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4636-608-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4828-444-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4856-306-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4860-571-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4860-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4952-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4988-111-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4988-621-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5048-182-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5052-127-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5052-633-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5116-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5128-456-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5188-609-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5232-467-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5276-478-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5316-479-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5364-485-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5404-491-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5496-502-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5536-513-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5572-637-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5576-514-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5620-520-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5700-533-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5728-649-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5792-546-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5836-553-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5884-560-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/6012-579-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/6096-592-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads