668e65d0813cfaf1abfb2952bc988d26dbbd0becef213eec2afead87ad5c97aa

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

668e65d0813cfaf1abfb2952bc988d26dbbd0becef213eec2afead87ad5c97aa_NeikiAnalytics.exe
Size

1.4MB
MD5

cdb2455ceaf896036026b224ca4e1920
SHA1

84a7269cf01c53b1c54a803c4d27687b2b246604
SHA256

668e65d0813cfaf1abfb2952bc988d26dbbd0becef213eec2afead87ad5c97aa
SHA512

9995a0655146569669f9d0fe1b97f5001a234e7f2afc72681a92ca5716122a0b7c20ef7e995f5268cd4f33af07fec23bb0f20c754a67df0689931f179a9bdc3a
SSDEEP

24576:mxJktMq5h3q5htaSHFaZRBEYyqmaf2qwiHPKgRC4gvGZl6snARmaH1aUu:mxJktKaSHFaZRBEYyqmS2DiHPKQgmZUu

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dadeieea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffgqqaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cojjqlpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aejfpjne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmhja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eabbjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndobo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcojed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbpjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bldgdago.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edbklofb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkjlp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acocaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoaihhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcicmqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhlejnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffimfqgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghopckpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imfdff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgoobc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbqlfkmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddecc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbnpqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elppfmoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmpcdfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddbbeade.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Febgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaqgek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjo32.exe

Executes dropped EXE 64 IoCs

pid	Process
2292	Mpdelajl.exe
2716	Njogjfoj.exe
2648	Nafokcol.exe
3528	Ondeac32.exe
1640	Oqbamo32.exe
2968	Onfbfc32.exe
5064	Ojopad32.exe
8	Pbkamqmd.exe
1984	Pgjfkg32.exe
4848	Pbpjhp32.exe
2032	Pnihcq32.exe
2812	Qjbena32.exe
3636	Qalnjkgo.exe
1072	Anpncp32.exe
3468	Aejfpjne.exe
1292	Ajfoiqll.exe
4648	Abngjnmo.exe
2960	Aaqgek32.exe
2828	Acocaf32.exe
3668	Alfkbc32.exe
3232	Andgoobc.exe
2912	Abpcon32.exe
1408	Aeopki32.exe
2808	Ahmlgd32.exe
4004	Ajkhdp32.exe
4148	Abbpem32.exe
2480	Aealah32.exe
1236	Alkdnboj.exe
3440	Aniajnnn.exe
4576	Bahmfj32.exe
4612	Bdfibe32.exe
1632	Bjpaooda.exe
4036	Bbgipldd.exe
632	Beeflhdh.exe
4388	Bjbndobo.exe
1544	Bbifelba.exe
4896	Behbag32.exe
2940	Bhfonc32.exe
4448	Bjdkjo32.exe
644	Bblckl32.exe
1576	Baocghgi.exe
2452	Bdmpcdfm.exe
2328	Bldgdago.exe
1444	Bobcpmfc.exe
1868	Bbnpqk32.exe
3844	Bemlmgnp.exe
3972	Bhkhibmc.exe
820	Bkidenlg.exe
1296	Cbqlfkmi.exe
1660	Ceoibflm.exe
32	Cdainc32.exe
1276	Cklaknjd.exe
1772	Cogmkl32.exe
660	Cafigg32.exe
4656	Cddecc32.exe
1536	Clkndpag.exe
2980	Cojjqlpk.exe
1744	Cbefaj32.exe
2800	Cecbmf32.exe
2476	Chbnia32.exe
4596	Clnjjpod.exe
1464	Colffknh.exe
4284	Cajcbgml.exe
1692	Cdiooblp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dekhneap.exe	Dbllbibl.exe
File opened for modification	C:\Windows\SysWOW64\Fojlngce.exe	Fllpbldb.exe
File created	C:\Windows\SysWOW64\Ibnccmbo.exe	Imakkfdg.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaooda.exe	Bdfibe32.exe
File created	C:\Windows\SysWOW64\Glccbn32.dll	Iehfdi32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhlejnh.exe	Jcioiood.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Bbnpqk32.exe	Bobcpmfc.exe
File opened for modification	C:\Windows\SysWOW64\Kfmepi32.exe	Kdnidn32.exe
File opened for modification	C:\Windows\SysWOW64\Kikame32.exe	Kfmepi32.exe
File opened for modification	C:\Windows\SysWOW64\Kfckahdj.exe	Kbhoqj32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Lboeaifi.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Edihepnm.exe	Eaklidoi.exe
File opened for modification	C:\Windows\SysWOW64\Elgfgl32.exe	Edpnfo32.exe
File created	C:\Windows\SysWOW64\Gofkje32.exe	Glhonj32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Icfpbq32.dll	Fkciihgg.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	668e65d0813cfaf1abfb2952bc988d26dbbd0becef213eec2afead87ad5c97aa_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ppelifin.dll	Pnihcq32.exe
File created	C:\Windows\SysWOW64\Gjdlbifk.dll	Jcgbco32.exe
File opened for modification	C:\Windows\SysWOW64\Kmncnb32.exe	Kfckahdj.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjo32.exe	Bhfonc32.exe
File created	C:\Windows\SysWOW64\Dedkdcie.exe	Dceohhja.exe
File created	C:\Windows\SysWOW64\Ihlnnp32.dll	Jlednamo.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Beeflhdh.exe	Bbgipldd.exe
File opened for modification	C:\Windows\SysWOW64\Fohoigfh.exe	Fljcmlfd.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Ecandfpd.exe	Ekjfcipa.exe
File created	C:\Windows\SysWOW64\Paihpaak.dll	Ffgqqaip.exe
File created	C:\Windows\SysWOW64\Enlqgg32.dll	Hbeqmoji.exe
File opened for modification	C:\Windows\SysWOW64\Jcbihpel.exe	Jmhale32.exe
File opened for modification	C:\Windows\SysWOW64\Kbceejpf.exe	Kdqejn32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bbgipldd.exe	Bjpaooda.exe
File created	C:\Windows\SysWOW64\Pllfhkno.dll	Beeflhdh.exe
File created	C:\Windows\SysWOW64\Facagg32.dll	Bblckl32.exe
File created	C:\Windows\SysWOW64\Fmfldb32.dll	Chbnia32.exe
File created	C:\Windows\SysWOW64\Becbkfdh.dll	Colffknh.exe
File opened for modification	C:\Windows\SysWOW64\Dldpkoil.exe	Ddmhja32.exe
File created	C:\Windows\SysWOW64\Eocqqdjh.dll	Demecd32.exe
File created	C:\Windows\SysWOW64\Aklmno32.dll	Aeopki32.exe
File created	C:\Windows\SysWOW64\Aecqac32.dll	Cklaknjd.exe
File created	C:\Windows\SysWOW64\Ekacmjgl.exe	Dhbgqohi.exe
File created	C:\Windows\SysWOW64\Geplnioe.dll	Fkalchij.exe
File opened for modification	C:\Windows\SysWOW64\Bahmfj32.exe	Aniajnnn.exe
File created	C:\Windows\SysWOW64\Opfkao32.dll	Clnjjpod.exe
File created	C:\Windows\SysWOW64\Flioncbc.dll	Doeiljfn.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Nilcjp32.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bjbndobo.exe	Beeflhdh.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Qjbena32.exe	Pnihcq32.exe
File created	C:\Windows\SysWOW64\Cecbmf32.exe	Cbefaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8696	8484	WerFault.exe	400

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikpaldog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbbmhgf.dll"	Behbag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbpnkama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ondeac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anpncp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbifelba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdiooblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clpgpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfpcgpae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajcbgml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmknaell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eeidoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekhjmiad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkhbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klljnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdamdma.dll"	Cafigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genaegmo.dll"	Dhpjkojk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlgmpogj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bemlmgnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dafbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhqcam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gofkje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmacdaj.dll"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijloo32.dll"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aealah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdainc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fljcmlfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbgipldd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipbdmaah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hoiafcic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lenamdem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qalnjkgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckedalaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhpjkojk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhgjblfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbpjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnihcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Habmmpbg.dll"	Alkdnboj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgdbi32.dll"	Gofkje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbkamqmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 2292	4876	668e65d0813cfaf1abfb2952bc988d26dbbd0becef213eec2afead87ad5c97aa_NeikiAnalytics.exe	83
PID 4876 wrote to memory of 2292	4876	668e65d0813cfaf1abfb2952bc988d26dbbd0becef213eec2afead87ad5c97aa_NeikiAnalytics.exe	83
PID 4876 wrote to memory of 2292	4876	668e65d0813cfaf1abfb2952bc988d26dbbd0becef213eec2afead87ad5c97aa_NeikiAnalytics.exe	83
PID 2292 wrote to memory of 2716	2292	Mpdelajl.exe	84
PID 2292 wrote to memory of 2716	2292	Mpdelajl.exe	84
PID 2292 wrote to memory of 2716	2292	Mpdelajl.exe	84
PID 2716 wrote to memory of 2648	2716	Njogjfoj.exe	85
PID 2716 wrote to memory of 2648	2716	Njogjfoj.exe	85
PID 2716 wrote to memory of 2648	2716	Njogjfoj.exe	85
PID 2648 wrote to memory of 3528	2648	Nafokcol.exe	86
PID 2648 wrote to memory of 3528	2648	Nafokcol.exe	86
PID 2648 wrote to memory of 3528	2648	Nafokcol.exe	86
PID 3528 wrote to memory of 1640	3528	Ondeac32.exe	87
PID 3528 wrote to memory of 1640	3528	Ondeac32.exe	87
PID 3528 wrote to memory of 1640	3528	Ondeac32.exe	87
PID 1640 wrote to memory of 2968	1640	Oqbamo32.exe	88
PID 1640 wrote to memory of 2968	1640	Oqbamo32.exe	88
PID 1640 wrote to memory of 2968	1640	Oqbamo32.exe	88
PID 2968 wrote to memory of 5064	2968	Onfbfc32.exe	90
PID 2968 wrote to memory of 5064	2968	Onfbfc32.exe	90
PID 2968 wrote to memory of 5064	2968	Onfbfc32.exe	90
PID 5064 wrote to memory of 8	5064	Ojopad32.exe	92
PID 5064 wrote to memory of 8	5064	Ojopad32.exe	92
PID 5064 wrote to memory of 8	5064	Ojopad32.exe	92
PID 8 wrote to memory of 1984	8	Pbkamqmd.exe	93
PID 8 wrote to memory of 1984	8	Pbkamqmd.exe	93
PID 8 wrote to memory of 1984	8	Pbkamqmd.exe	93
PID 1984 wrote to memory of 4848	1984	Pgjfkg32.exe	95
PID 1984 wrote to memory of 4848	1984	Pgjfkg32.exe	95
PID 1984 wrote to memory of 4848	1984	Pgjfkg32.exe	95
PID 4848 wrote to memory of 2032	4848	Pbpjhp32.exe	96
PID 4848 wrote to memory of 2032	4848	Pbpjhp32.exe	96
PID 4848 wrote to memory of 2032	4848	Pbpjhp32.exe	96
PID 2032 wrote to memory of 2812	2032	Pnihcq32.exe	97
PID 2032 wrote to memory of 2812	2032	Pnihcq32.exe	97
PID 2032 wrote to memory of 2812	2032	Pnihcq32.exe	97
PID 2812 wrote to memory of 3636	2812	Qjbena32.exe	98
PID 2812 wrote to memory of 3636	2812	Qjbena32.exe	98
PID 2812 wrote to memory of 3636	2812	Qjbena32.exe	98
PID 3636 wrote to memory of 1072	3636	Qalnjkgo.exe	99
PID 3636 wrote to memory of 1072	3636	Qalnjkgo.exe	99
PID 3636 wrote to memory of 1072	3636	Qalnjkgo.exe	99
PID 1072 wrote to memory of 3468	1072	Anpncp32.exe	100
PID 1072 wrote to memory of 3468	1072	Anpncp32.exe	100
PID 1072 wrote to memory of 3468	1072	Anpncp32.exe	100
PID 3468 wrote to memory of 1292	3468	Aejfpjne.exe	101
PID 3468 wrote to memory of 1292	3468	Aejfpjne.exe	101
PID 3468 wrote to memory of 1292	3468	Aejfpjne.exe	101
PID 1292 wrote to memory of 4648	1292	Ajfoiqll.exe	102
PID 1292 wrote to memory of 4648	1292	Ajfoiqll.exe	102
PID 1292 wrote to memory of 4648	1292	Ajfoiqll.exe	102
PID 4648 wrote to memory of 2960	4648	Abngjnmo.exe	103
PID 4648 wrote to memory of 2960	4648	Abngjnmo.exe	103
PID 4648 wrote to memory of 2960	4648	Abngjnmo.exe	103
PID 2960 wrote to memory of 2828	2960	Aaqgek32.exe	104
PID 2960 wrote to memory of 2828	2960	Aaqgek32.exe	104
PID 2960 wrote to memory of 2828	2960	Aaqgek32.exe	104
PID 2828 wrote to memory of 3668	2828	Acocaf32.exe	105
PID 2828 wrote to memory of 3668	2828	Acocaf32.exe	105
PID 2828 wrote to memory of 3668	2828	Acocaf32.exe	105
PID 3668 wrote to memory of 3232	3668	Alfkbc32.exe	106
PID 3668 wrote to memory of 3232	3668	Alfkbc32.exe	106
PID 3668 wrote to memory of 3232	3668	Alfkbc32.exe	106
PID 3232 wrote to memory of 2912	3232	Andgoobc.exe	107

C:\Users\Admin\AppData\Local\Temp\668e65d0813cfaf1abfb2952bc988d26dbbd0becef213eec2afead87ad5c97aa_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\668e65d0813cfaf1abfb2952bc988d26dbbd0becef213eec2afead87ad5c97aa_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\Mpdelajl.exe
  C:\Windows\system32\Mpdelajl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\Njogjfoj.exe
    C:\Windows\system32\Njogjfoj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\Nafokcol.exe
      C:\Windows\system32\Nafokcol.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\SysWOW64\Ondeac32.exe
        
        C:\Windows\system32\Ondeac32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
      - C:\Windows\SysWOW64\Oqbamo32.exe
        
        C:\Windows\system32\Oqbamo32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Onfbfc32.exe
        
        C:\Windows\system32\Onfbfc32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Ojopad32.exe
        
        C:\Windows\system32\Ojopad32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Pbkamqmd.exe
        
        C:\Windows\system32\Pbkamqmd.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Pgjfkg32.exe
        
        C:\Windows\system32\Pgjfkg32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Pbpjhp32.exe
        
        C:\Windows\system32\Pbpjhp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Pnihcq32.exe
        
        C:\Windows\system32\Pnihcq32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Qjbena32.exe
        
        C:\Windows\system32\Qjbena32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Qalnjkgo.exe
        
        C:\Windows\system32\Qalnjkgo.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Anpncp32.exe
        
        C:\Windows\system32\Anpncp32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Aejfpjne.exe
        
        C:\Windows\system32\Aejfpjne.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Ajfoiqll.exe
        
        C:\Windows\system32\Ajfoiqll.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Abngjnmo.exe
        
        C:\Windows\system32\Abngjnmo.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Aaqgek32.exe
        
        C:\Windows\system32\Aaqgek32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Acocaf32.exe
        
        C:\Windows\system32\Acocaf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Alfkbc32.exe
        
        C:\Windows\system32\Alfkbc32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Andgoobc.exe
        
        C:\Windows\system32\Andgoobc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Abpcon32.exe
        
        C:\Windows\system32\Abpcon32.exe
        23⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\Aeopki32.exe
        
        C:\Windows\system32\Aeopki32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\Ahmlgd32.exe
        
        C:\Windows\system32\Ahmlgd32.exe
        25⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Ajkhdp32.exe
        
        C:\Windows\system32\Ajkhdp32.exe
        26⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Abbpem32.exe
        
        C:\Windows\system32\Abbpem32.exe
        27⤵
        Executes dropped EXE
        
        PID:4148
        
        C:\Windows\SysWOW64\Aealah32.exe
        
        C:\Windows\system32\Aealah32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Alkdnboj.exe
        
        C:\Windows\system32\Alkdnboj.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Aniajnnn.exe
        
        C:\Windows\system32\Aniajnnn.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Bahmfj32.exe
        
        C:\Windows\system32\Bahmfj32.exe
        31⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Bdfibe32.exe
        
        C:\Windows\system32\Bdfibe32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Bjpaooda.exe
        
        C:\Windows\system32\Bjpaooda.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\Bbgipldd.exe
        
        C:\Windows\system32\Bbgipldd.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Beeflhdh.exe
        
        C:\Windows\system32\Beeflhdh.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Bjbndobo.exe
        
        C:\Windows\system32\Bjbndobo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Bbifelba.exe
        
        C:\Windows\system32\Bbifelba.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Behbag32.exe
        
        C:\Windows\system32\Behbag32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Bhfonc32.exe
        
        C:\Windows\system32\Bhfonc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Bjdkjo32.exe
        
        C:\Windows\system32\Bjdkjo32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Bblckl32.exe
        
        C:\Windows\system32\Bblckl32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:644
        
        C:\Windows\SysWOW64\Baocghgi.exe
        
        C:\Windows\system32\Baocghgi.exe
        42⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\Bdmpcdfm.exe
        
        C:\Windows\system32\Bdmpcdfm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Bldgdago.exe
        
        C:\Windows\system32\Bldgdago.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\Bobcpmfc.exe
        
        C:\Windows\system32\Bobcpmfc.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Bbnpqk32.exe
        
        C:\Windows\system32\Bbnpqk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Bemlmgnp.exe
        
        C:\Windows\system32\Bemlmgnp.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Bhkhibmc.exe
        
        C:\Windows\system32\Bhkhibmc.exe
        48⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Bkidenlg.exe
        
        C:\Windows\system32\Bkidenlg.exe
        49⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\SysWOW64\Cbqlfkmi.exe
        
        C:\Windows\system32\Cbqlfkmi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1296
        
        C:\Windows\SysWOW64\Ceoibflm.exe
        
        C:\Windows\system32\Ceoibflm.exe
        51⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Cdainc32.exe
        
        C:\Windows\system32\Cdainc32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Cklaknjd.exe
        
        C:\Windows\system32\Cklaknjd.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\Cogmkl32.exe
        
        C:\Windows\system32\Cogmkl32.exe
        54⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Cafigg32.exe
        
        C:\Windows\system32\Cafigg32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:660
        
        C:\Windows\SysWOW64\Cddecc32.exe
        
        C:\Windows\system32\Cddecc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\Clkndpag.exe
        
        C:\Windows\system32\Clkndpag.exe
        57⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Cojjqlpk.exe
        
        C:\Windows\system32\Cojjqlpk.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Cbefaj32.exe
        
        C:\Windows\system32\Cbefaj32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\Cecbmf32.exe
        
        C:\Windows\system32\Cecbmf32.exe
        60⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Chbnia32.exe
        
        C:\Windows\system32\Chbnia32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\Clnjjpod.exe
        
        C:\Windows\system32\Clnjjpod.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Cdiooblp.exe
        
        C:\Windows\system32\Cdiooblp.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Clpgpp32.exe
        
        C:\Windows\system32\Clpgpp32.exe
        66⤵
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Conclk32.exe
        
        C:\Windows\system32\Conclk32.exe
        67⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\Camphf32.exe
        
        C:\Windows\system32\Camphf32.exe
        68⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\Cdkldb32.exe
        
        C:\Windows\system32\Cdkldb32.exe
        69⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Clbceo32.exe
        
        C:\Windows\system32\Clbceo32.exe
        70⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\Ckedalaj.exe
        
        C:\Windows\system32\Ckedalaj.exe
        71⤵
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Dbllbibl.exe
        
        C:\Windows\system32\Dbllbibl.exe
        72⤵
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        73⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Ddmhja32.exe
        
        C:\Windows\system32\Ddmhja32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Dldpkoil.exe
        
        C:\Windows\system32\Dldpkoil.exe
        75⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Docmgjhp.exe
        
        C:\Windows\system32\Docmgjhp.exe
        76⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Dboigi32.exe
        
        C:\Windows\system32\Dboigi32.exe
        77⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\Demecd32.exe
        
        C:\Windows\system32\Demecd32.exe
        78⤵
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        79⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Dlgmpogj.exe
        
        C:\Windows\system32\Dlgmpogj.exe
        80⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Doeiljfn.exe
        
        C:\Windows\system32\Doeiljfn.exe
        81⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Dadeieea.exe
        
        C:\Windows\system32\Dadeieea.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Ddbbeade.exe
        
        C:\Windows\system32\Ddbbeade.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Dlijfneg.exe
        
        C:\Windows\system32\Dlijfneg.exe
        84⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        85⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Dafbne32.exe
        
        C:\Windows\system32\Dafbne32.exe
        86⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        87⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        88⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        89⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Dceohhja.exe
        
        C:\Windows\system32\Dceohhja.exe
        90⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        91⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Dhbgqohi.exe
        
        C:\Windows\system32\Dhbgqohi.exe
        92⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        93⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Eolpmi32.exe
        
        C:\Windows\system32\Eolpmi32.exe
        94⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        95⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        96⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        98⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Ecjhcg32.exe
        
        C:\Windows\system32\Ecjhcg32.exe
        99⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Eeidoc32.exe
        
        C:\Windows\system32\Eeidoc32.exe
        100⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Ehgqln32.exe
        
        C:\Windows\system32\Ehgqln32.exe
        101⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Ekemhj32.exe
        
        C:\Windows\system32\Ekemhj32.exe
        102⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Eoaihhlp.exe
        
        C:\Windows\system32\Eoaihhlp.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Eapedd32.exe
        
        C:\Windows\system32\Eapedd32.exe
        104⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Eekaebcm.exe
        
        C:\Windows\system32\Eekaebcm.exe
        105⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        106⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ekhjmiad.exe
        
        C:\Windows\system32\Ekhjmiad.exe
        107⤵
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Eocenh32.exe
        
        C:\Windows\system32\Eocenh32.exe
        108⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Eabbjc32.exe
        
        C:\Windows\system32\Eabbjc32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3284
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        110⤵
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        111⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        112⤵
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        113⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        114⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Fohoigfh.exe
        
        C:\Windows\system32\Fohoigfh.exe
        117⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        118⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        120⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        121⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        122⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Faihkbci.exe
        
        C:\Windows\system32\Faihkbci.exe
        123⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        124⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        125⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        126⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        127⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Ffgqqaip.exe
        
        C:\Windows\system32\Ffgqqaip.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        129⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        130⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Fckajehi.exe
        
        C:\Windows\system32\Fckajehi.exe
        131⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4316
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        133⤵
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Flceckoj.exe
        
        C:\Windows\system32\Flceckoj.exe
        134⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        135⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        136⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        138⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        139⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        141⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        142⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        143⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        144⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        145⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        146⤵
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1848
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        148⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        149⤵
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        150⤵
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        151⤵
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6516
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        153⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        154⤵
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        155⤵
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        156⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        158⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        159⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        160⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        161⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        162⤵
        Drops file in System32 directory
        
        PID:6876
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        163⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        164⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        165⤵
        Modifies registry class
        
        PID:7052
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        166⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7140
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        168⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        169⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6256
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        171⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        172⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        173⤵
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        174⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4844
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        177⤵
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        178⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        179⤵
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2484
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        181⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        182⤵
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        183⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        184⤵
        Drops file in System32 directory
        
        PID:6760
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        185⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        186⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        187⤵
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        188⤵
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        189⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        190⤵
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        191⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6220
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        193⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        194⤵
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        195⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        196⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2520
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        199⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        201⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        202⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        203⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6276
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        205⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        206⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        207⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        208⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6940
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        211⤵
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        212⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3760
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        214⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        215⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1780
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        218⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        219⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        220⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        221⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        222⤵
        Drops file in System32 directory
        
        PID:7292
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        223⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        224⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        225⤵
        Drops file in System32 directory
        
        PID:7428
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        226⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        227⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7612
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7648
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        230⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        231⤵
        Drops file in System32 directory
        
        PID:7744
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        232⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        233⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        234⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8004
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8048
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        237⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        238⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8132
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        239⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8180
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        240⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        241⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        242⤵
        Drops file in System32 directory
        
        PID:7344
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7416
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        244⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        245⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        246⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        247⤵
        Modifies registry class
        
        PID:7816
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        248⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        249⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        250⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        251⤵
        Drops file in System32 directory
        
        PID:8164
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        252⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        253⤵
        Modifies registry class
        
        PID:7336
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        254⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        255⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7680
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        256⤵
        Modifies registry class
        
        PID:7804
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        257⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        258⤵
        Drops file in System32 directory
        
        PID:8056
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        259⤵
        Modifies registry class
        
        PID:7668
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        260⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        261⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        262⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        263⤵
        Drops file in System32 directory
        
        PID:8068
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        264⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        265⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        266⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        267⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8144
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        268⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        269⤵
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        270⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        271⤵
        Drops file in System32 directory
        
        PID:8116
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        272⤵
        Drops file in System32 directory
        
        PID:8204
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        273⤵
        Drops file in System32 directory
        
        PID:8256
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        274⤵
        Drops file in System32 directory
        
        PID:8296
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        275⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8352
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        276⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        277⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8440
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        278⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        279⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        280⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        281⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        282⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        283⤵
        Modifies registry class
        
        PID:8728
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        284⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8780
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        285⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        286⤵
        Drops file in System32 directory
        
        PID:8868
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        287⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        288⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8952
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        289⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8996
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        290⤵
        Modifies registry class
        
        PID:9068
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        291⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        292⤵
        Drops file in System32 directory
        
        PID:9172
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        293⤵
        Drops file in System32 directory
        
        PID:8196
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        294⤵
        Modifies registry class
        
        PID:8248
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        295⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        296⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        297⤵
        Modifies registry class
        
        PID:8460
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        298⤵
        Modifies registry class
        
        PID:8512
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        299⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8576
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        300⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8636
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        301⤵
        Modifies registry class
        
        PID:8692
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        302⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8768
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        303⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8812
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        304⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8888
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        305⤵
        Modifies registry class
        
        PID:8992
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        306⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        307⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        308⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        309⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        310⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        311⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8484 -s 396
        312⤵
        Program crash
        
        PID:8696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8484 -ip 8484
1⤵
PID:8680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaqgek32.exe

Filesize
1.4MB

MD5
1134696580e83098b5044adfd8ac0112

SHA1
766928c249739821c8415f805a27c6bb9f0bf750

SHA256
db0860230f617db536beb74c4888b2cb9c5099933d63d17dc1b800aef4b38bda

SHA512
329a558e04bcae7d73de0e1ac67893fb44ab48436f3311d6bd5affa7c3e0fbe4dfb46129ef4caa9992eaf393ef3429e22ad8f794a7736f671c6516de94d21df2

Download Submit
C:\Windows\SysWOW64\Abbpem32.exe

Filesize
1.4MB

MD5
ed8834647c13cf6c225fc5917dac5084

SHA1
7454625e703d30d0bf841b6fcdd37dd50d79ddec

SHA256
ad19c4c6f1ff8f32548edb0c04b9ce789a7590c34419a36b8c6723141d992f2d

SHA512
f2a1ed6d4a068a41671dc8dc5618ed2433188690e021c336a09c851aa641572ae7020f2a0224ee93841fe4741998cc847ea4cb72643ad9c16806ee364fb1e14e

Download Submit
C:\Windows\SysWOW64\Abngjnmo.exe

Filesize
1.4MB

MD5
e0094d0e0a14beb8237d07e08379bdc9

SHA1
04604a76bde1708528fc6e35f3f401caa90a5444

SHA256
dd59fbbb93cbfd852cc4e069bf5185f4daaf961fbcccf89191f54ed921905bfc

SHA512
7a3e9db90105375220f4637aaa66a2ee1c136358ecfe955a7210d901f3b1ed1533c2af7ef84b68446990d89173fe142255661413666e7cbc54e55c64034a6343

Download Submit
C:\Windows\SysWOW64\Abpcon32.exe

Filesize
1.4MB

MD5
8e91a78ef3573f16eb8f76fac44ce0ce

SHA1
30427a2630869d6633c0493000417caf0f6672ba

SHA256
fa8c70cfbbb84f35c29ba00772f7338d9473677b7dcd71ef33b62512415de415

SHA512
45e8b08adb2028c387bf1b1a2cefc2694687f579d666d9492ab9b4bd92b278dff0760a2a85f3002ae99dd4eb90e94665b533cfe5fc12cdf6f20c086730d62e8e

Download Submit
C:\Windows\SysWOW64\Acocaf32.exe

Filesize
1.4MB

MD5
bf936afe89d790dc8bedff92b5c98345

SHA1
1ee7a42037a95d7ad27112a0b0d1af63585d049b

SHA256
4527da10c8025ee0ec6ce94d09841bafcf760060ccc4fdb00bb36594327c8d9a

SHA512
70f0f502ba1994aeb793b3dc8405fca38ec2ae7875f8b4bfb8fb3f9dff3168629e35523f1be598778998e36cd9a223b9c9c886ce46662f3cac6dcb45adecfd71

Download Submit
C:\Windows\SysWOW64\Aealah32.exe

Filesize
1.4MB

MD5
aa677681d744786b4aa115d9aa1c890b

SHA1
746ec23ab4ba2759059fb544cca187d26714bc1c

SHA256
7c0f026dab6aad4ad2a4c600ab0af497e537075e1f0ae6fa24afb5c425e35724

SHA512
ef57069abb0997ab774d7ec7aec242bacd95f87698fadb729f26aa6b4ba72977cae916ada160967b3a82ca993e7818b99ca9ae3ef18591d29b0276f9a7a5ecbf

Download Submit
C:\Windows\SysWOW64\Aejfpjne.exe

Filesize
1.4MB

MD5
3ba5eaa1a5899ca309690eb623aa8879

SHA1
e7e940c2372f5addac5d9fef4b446acc4210f72f

SHA256
5ce496661ab43866e6b0fa35a38c0e9f95401d5938d0fd5b23f90b803e8fd32b

SHA512
f6cfe0761d58fff8ba2af03b51a792eddf284ca8d6374f1d75315c69c6d85d522474246eae29eb501b6e54d76474c60d92653eb4099ff21293dc96c5737632cf

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
1.4MB

MD5
aa2d496bca6e77292911f5cd19d98db7

SHA1
cfdc1e580d3645882797449561a744efd5c07ac9

SHA256
4fd3bb0ce26563806775ca1e8df699cf40709d6e27cd68aacff61a13d674bafe

SHA512
685d13f4c9aebfc5189900396ac9bfb1bfcc9bea69d045d3121912cf0f66147d2a8b324893dd91d01fdde0b0ad64b2d3fd35a23b9bdc2a06a2ad837e491f188e

Download Submit
C:\Windows\SysWOW64\Aeopki32.exe

Filesize
1.4MB

MD5
c8c69ef7f8e20fda228a2e3b68e04c2b

SHA1
c34153fb7f0c86936f9e04f4a65c5dd218ab4928

SHA256
609d5a5065ae04d4b48813206785739a2837ab314aa5ecc525af43c3720fd092

SHA512
95810a82ed4680f6d152f3b2ec28087bf8916517b2470b198d3e3670252d67919712db250a5ba547deb8683446150668bf2d706b2b08dc94053732e14f2fb853

Download Submit
C:\Windows\SysWOW64\Ahmlgd32.exe

Filesize
1.4MB

MD5
42499c5357467b699a5875c72c80e877

SHA1
ca9ff360cc006537ee9e19aa00590f81d5f9f220

SHA256
af4127bff933d8ada5c9319ee3e5c542031ca99fbcb52dc266fcb414d5e2c8de

SHA512
21ee47385cd45e91adce6d0f84deafc8d4bab33a3b833b30c561c9c00254af9c95ded38a22cf633b67f096f5beffb42cd79b7f0394749e4c6886e4fac74f406d

Download Submit
C:\Windows\SysWOW64\Ajfoiqll.exe

Filesize
1.4MB

MD5
e79491d92bdc7ea18ace6012858bd573

SHA1
77f3e960b7655b40cbca0a6aa1ef73973cf13a44

SHA256
f4465752b407cc78c4aaa881592ef294c83e9ccab57e57e6fa14a353d89b978f

SHA512
3423a978cb69db919c87bc8ad0f1acbfaa33b409a19422fd1f0c32e725099ca85683beca35f46c29d5a8bec66efa56d96e3897035596ec9ecd7580e836cef1a6

Download Submit
C:\Windows\SysWOW64\Ajkhdp32.exe

Filesize
1.4MB

MD5
4ba6766a441f389513cefbed9263892b

SHA1
1b0e84686fd4383a052e8b67526360466cc9a4a9

SHA256
447cb4c62f31ac0d05a77e878cfb310f79df848dc26efdb91bd4a2cd8e0a5db8

SHA512
0b6581fabf4132919718112020efc2093a98f45b4d5a71c50cb0669fca8bd85fd21da4ba097f365333e15c32d6982f93350d137cef912d4831c50f652f84dec6

Download Submit
C:\Windows\SysWOW64\Alfkbc32.exe

Filesize
1.4MB

MD5
ce7bf3afcf656a6ca9fc63918503ab28

SHA1
159f39e60ae22af378e61f7ef4af1282a84f217f

SHA256
b40e8f4acdfa81353351ddca3640c0333d22f3894844dded096602a7522d2454

SHA512
87c1a6cd589eecbc8680472ed933d8cbfa0311427fb83e625de2370f0c40e45f77de173fbc8b136d9189661bfe5061dea6d4e81348b2007a2a9be095f9e3ac68

Download Submit
C:\Windows\SysWOW64\Alkdnboj.exe

Filesize
1.4MB

MD5
1703cc1d831c947f803a0dd2fff698e9

SHA1
990bd2eb7e0d10059eb157c24290dd72e46bad84

SHA256
0c84fd611f49bd82a9249d56c8de105763df2e9079bcea429f0d6444e5159ea7

SHA512
c7f66281bcf43440f6971025411610ab27fc673b5be3b08a16fb480217ad0132414b4c212558645cd17f643c3e48fe0a1e32c27993a7528b9d5171ed550edb12

Download Submit
C:\Windows\SysWOW64\Andgoobc.exe

Filesize
1.4MB

MD5
434db014c78e34a8b896034b00e5c2c5

SHA1
779d918bfa05ac4df49be57db063b7b6ae5afa87

SHA256
7fa68bbba9146dde1385a1fbc8645bcf199a8c7f4e87c38c3921800f53444aeb

SHA512
de08957f82800ce69e5155839c307bd6b73f6f283673e2587f1fafeae7c829059bc91692d4c2a4c57d37c983718f9a5234b9da076b12728022746e4c4a868e16

Download Submit
C:\Windows\SysWOW64\Aniajnnn.exe

Filesize
1.4MB

MD5
f972df3489e31b2636212d52c91e9383

SHA1
bd75e1b9a55e4af38804f713c1b38b19de4eccad

SHA256
9e63ef76b3f87fa3ad30de10c3bb134565d75566763f2f844bfdb4e57ea10c1d

SHA512
45fc5bba7e2317d8e66ee04f6ee06304edfbcd0e510ce16e69921f0ee75b8ce175362fffdf89a265e8eb8591526c9babb3d062894a36311bc3d954530a13dbc2

Download Submit
C:\Windows\SysWOW64\Anpncp32.exe

Filesize
1.4MB

MD5
fefae39aed242c0ae58a78d2296ec916

SHA1
5022427eb4ae7211e977abf203cd053b3029f671

SHA256
a63df6ce2a5fbb7e6022359d20d515e4202820cc5b4feec462c96be432b1e7b2

SHA512
0838a9f0987006b457261e33678699179f2299b0c4f21d98cad914cbdb37461d87b637346f206e88d2b34b4b35afcd2a80be3b6400e53a882b24fe64c3f6f4a1

Download Submit
C:\Windows\SysWOW64\Bahmfj32.exe

Filesize
1.4MB

MD5
f433207bb0443c3a0acb622bf3771a6e

SHA1
6c233a50a44aa7a565753f19428a299e1e3b4fec

SHA256
fc27745e1e9e2b47ba386df6720bf8492509180026a4c96411b6278f3667a9f0

SHA512
bc19e17c18124c52e4a412274305e65c948b47aad270a29180423a17f81952be29d7b84ef74a95f5593035e8be34f11982dcd98cdf9c33c3925b27773c25732d

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
1.4MB

MD5
585d1a8d5e423b5ce32fad8432e78369

SHA1
bdcaa518a7afb971e1634f190d069898dc289382

SHA256
4dbf7add4f9e78ff6e0a61bb4dca158fac7b608dd553aaed9c0142e0bc2b8f05

SHA512
9333c1a6b4584474e880fd1ea389905c46c7c3c27e4e7ff2683c14b3de3bbcc2234056056fb167db69dd358df73347e44bf765840846bb4366c831ff03b59817

Download Submit
C:\Windows\SysWOW64\Bdfibe32.exe

Filesize
1.4MB

MD5
413dcd92cac66e83df34a209a6cda3a9

SHA1
f327578e2eaf173929cd4bbe8c3a2b927ca92695

SHA256
cb9e5007bb9cc5fc376246786971a02cadd47a1eab08047143e775f6b039e543

SHA512
37eebc2cdc6d0530252b9a78009d9ded0655f1fa6a83720bf21a2a98a7918b78d4bf0fa977c06c659c5db94682083ae13b56e6ba8b65909798088ead30dcadd2

Download Submit
C:\Windows\SysWOW64\Bjpaooda.exe

Filesize
1.4MB

MD5
b4f10d1a3e295cfbfabfe907958d5767

SHA1
2c62d1e23973b04a8eb23e1416b12d3ebd5cd3a8

SHA256
d2f16d28bec2253af7558ff5a9447c194980d2ddd061cc5feb3981a6d3d035f0

SHA512
bdf36be748b49df3031b777eed83c45212f3fbf2c71f5a84a9f0945cb5504af72d4281d77483d43dc1af20d9d5919727a45f0ef4196ad2a207e9eca2c7fdd23a

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
1.4MB

MD5
e58650f96b81827ed1fae9af57691c86

SHA1
55aab2fc85bc12e060676dfd957a1fc053302216

SHA256
53880e92e77e17ae9dc04c4d780c573fa08c1dfad199414ecb505c83e1dbf1fe

SHA512
412086c4a1417bcae42f543d805957910bccce2da0d9d52e7cd91a93088cd516f40ccd94fda6a3e3bfd630a96dbbbcb6e31358216b983a1553012d526837ea21

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
1.4MB

MD5
2a2b1f9fbc4d6f14e1dcc9aff0d474c5

SHA1
56ed998caf935ca4b1bd2f132f3bef4d5bef28ba

SHA256
075d9d498e4f74d1e9e17562ac3d6121d021fdf16ab90581faa3ac52cae318e1

SHA512
9848fb257135e83b1b890db791d51d08d688990263431284a8cdf8b077f734ff91e6a57f74dd65ca357497f107ac2f6a67cbc45444d7743489997df6c57ad9ce

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
1.4MB

MD5
9ff3d32b2abefccf84b928c5c23f1861

SHA1
d0bcef0a7d5ab19a83e4a07effcf194a858a21b7

SHA256
7fa13ebeccbf5073555ec46cf2962fd616f381544b7d8aae9ef4fdb0dd663da8

SHA512
331f6dd9266415f9be8e36b2e8309e1d4193121c54f1dd90fdefab1cbdcb805001556370a161948e926ab52e38d53a89adf7c759b4471fd183c267e221af9783

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
1.4MB

MD5
37cd0ecb93ccb8e2e25ae22fd332ce16

SHA1
2941dc3452b3ce89f701fa09fa744ac90aa1a680

SHA256
ef8c5e4bb27a837f6c8f6e8a6754419ee66a5d1af01fc37e64492249773020b2

SHA512
cf8a27abe54229788ed7b13bfe19e8b7f0f3028448053327f62dd5b427edf32cb19e8ff93c54d02dd64a850f3c4a521bcf54f5dfa8cd052ec9644323047f1015

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
1.4MB

MD5
c4848fbd2463b5234e1938aa7e57a1a6

SHA1
4e2a34d9d37cdaa335d01a5f0bf1e9ae46dd0850

SHA256
57a957cffd33e6ba69140cd917a82df530eb1a4316966d2b291c8d126aaf47e8

SHA512
47ca21d152abdbbd9a626baf995b336769df412d0c35c971f05332f303706445c541b9f9b42785e103d6dff7e232c085bdf5f5c8f153079095abea7c251a1306

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
1.4MB

MD5
3a7b42e533e9a0aece88d99c4cf8a931

SHA1
253d3cdb3e623be9b72d0c5d2d1769730b4d5a6e

SHA256
a97136c057160cae1d88c2b6b9b337f7a55cdd8288e6d197e59324d8d4c2f06d

SHA512
e415b93f36097129826ec3f0f7ff708e5fe7a8b827b31eb19530a679a21e6c4cdfa368310c653d2ded440a54d173f50ac967c8d338956cbdf0838abb783883e7

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
1.4MB

MD5
a8e4409c1f94cf3bb981ee17f1bbb248

SHA1
f01912974500195c272b929b0101e8c83043735b

SHA256
0df1bf4bf9b702fc252d8410b5c9a35b4c3fe5200ebbc2f2566035538bb19b2b

SHA512
507e3c44af20660a82047bb83a6d2f0ef7d8f9523b765d877d4dea3d862fa3cfe5bff054adf5b97f691015687514a1c9a5c23ee747a46e081a425deb5b477082

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
1.4MB

MD5
69426769e37a9f4f18963d068314f182

SHA1
5af61f5167d281e17eb08a1e4ff3845f535393fc

SHA256
0c65e78f6b5f76bc9f2cc7c31510518a27bbfce0303099f2e4291cd31fd18f16

SHA512
371414c91f1ec1fdf96a60ac267ff1bc930ab6af7f27481baa3aa1b2b341fdef1c5a3c5e27409a6838dc2ca6b7e56ce7740dd7aea289171384e3caea5404995d

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
1.4MB

MD5
2063ed7cb8fa1f9ec39fc7bce9e409d7

SHA1
7b9d55a9daa4ca97044f8b2abd55828f2bc2c686

SHA256
ad89bdec14c22896fab92b586b18eb6bd953a350394d2a147f07bd93602e2cec

SHA512
21aff363d332ef63b827014ff5c6dbad70ec7e6592081b37dae2a1b200fd44c8e6637c77233ae12ae65884eafb946edc3f349170d4d24fa9b437a48726bb8e0a

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
1.4MB

MD5
9ffc7013816369b1b542a8ceb9625681

SHA1
fb564b2b98bf223c84b694167ab9f4d148a9deac

SHA256
8fe29109447ba45e4b6950f53681921b43cfc6bb1114e58474e87cf04b5153f6

SHA512
5abfc924b46fc237e341c24cb1065f9a06881c8cb27ca121b93863903e360703afbf69303aa55015b0e096b3aaa5f9f0002c6cb383b9c8a30ee47b01be8c5014

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
1.4MB

MD5
b56b4492f9fefe1c5704071a36444d83

SHA1
e2418d1a843ea1f9b026708eacad8c5836e923a9

SHA256
81d0631ff0d465878b799cbe340af00decf457244c41b25e6185d6d500acbd18

SHA512
d51e2428391bce436d4fcd24e57a3fe4da905ad7578fe62e165547f0fceb7fc03585e4f7dadeb5a6b024afdf68157c30ae1e2ebe781c92b53ed11a53e402b596

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
1.4MB

MD5
7a17a7eb1c4121a6fedd6ed086ff5a07

SHA1
d5bc58a8d388ee6f2e967e2adecf3ed86dd7ba85

SHA256
6a067f050fda6bda657e74642ffd04f6c41fd9f8495f6e2b2fc1f5f773c30f8f

SHA512
b3044056d982e24b8234fff6543c765c51bb3ccda1a392dabf7867a1af2cdd7a55d720b0dbc72e1e9955b5d2f4f38fcfdf5ca8acac79f7dc0b5281b6721651ee

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
1.4MB

MD5
1dad803e171ad5a95fc60f35efccc016

SHA1
558fe69d6e35cc883240ace42382b9a972b7d21d

SHA256
860ef8c3a734376c60562e84c686f4a6c18f24d48f133a00ab7b1d9e9dfb96f3

SHA512
54f68ccb0c1ae869c68c0e41c4c0c41eed4bdbf14da41426836164315e54b54966b8afcd34e972ef47bc7eb298ce892d21af8a9622af4a1ad61b0862f3b7e867

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
1.4MB

MD5
244a90e9fd05d8a2ea7b1d9fb9275808

SHA1
0aa79b28b30fddcbcbecf7720b3bea7dd062af4f

SHA256
e0d7a79cc1878dcc851e0bed030511d591a983f6739e3b0aa3f987d355b08b3e

SHA512
2762e181dbf664462242cedb79a50042a17281a65e60792b28212ac04eb392c209edde30304c220e4c4c2959c2ed7f2ab2ad5f2d6017314d9cb45bb20913ddd3

Download Submit
C:\Windows\SysWOW64\Ojopad32.exe

Filesize
1.4MB

MD5
d198083b11cb86f2dcb3cae775975334

SHA1
e0671c8847d8efd35828b22777a1639fef8b100d

SHA256
0ff2de0c3f9c1996191f2db19149bc68384a7257e07468a20744067ef0c7bef1

SHA512
d4e0d997428607985c8c71ebe1a4b5d338af5ce1f23bcbff87bf79be0a50e87396138e55f984594346a08af67b71a3b3f157677c7fe848442cd5ff7ac9e693f2

Download Submit
C:\Windows\SysWOW64\Ondeac32.exe

Filesize
1.4MB

MD5
bfd85a36a0471bf32fba31832ccf0cfc

SHA1
ac32b5242cd93a494636314d7dca4dfa2ddd51a9

SHA256
19e46e359ac7d09f227e8eafc17fa6f36e1abf06d60ba0fac6915b7c81dc8f00

SHA512
ad9f9c1b50960a1612e7fcb7e74968bf25efb8ebe767aca9115cdd2a8994c8eeeff3ddc3ddc4c32cbbbc4c53edfd3fed21aec60f7980e2a94737d61dbfc91bc8

Download Submit
C:\Windows\SysWOW64\Onfbfc32.exe

Filesize
1.4MB

MD5
34cabaebd132d4b050f6dff3205c6c74

SHA1
9d07b7f5ce94ca45f4f37860f9cd84cf88aac732

SHA256
8ac5aa9830b77dd64e8518db71b21a8b8020f3a22667abe88a2b5045836e69cd

SHA512
2bd6bf6337ae08c1e54069412a8b4fcb49ea9c91144eecc659780cb0a04da7c530a453e521a0c7181352ab7de859dc259e35d41ed30decbfffbd57bf7e4c383a

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
1.4MB

MD5
44d892a031a23d2c80b35d757c006f8b

SHA1
d45b825aa3d4fbb70fc2a88fad47306bf2a6f649

SHA256
8c787b7cfca9cd175fed519cd1ea9095aac3d5b30b5c572b6e593e1d07518123

SHA512
691c0d71d2a60552ecee4041646fac76fcf1ab8732ddfc9d24bc42cd85b22263fc522d25920e87637557d8167e36cbe811500859c1074ae551a3133a50cda162

Download Submit
C:\Windows\SysWOW64\Oqbamo32.exe

Filesize
1.4MB

MD5
05000c6aa8e818b3dd85c93f0c95e06f

SHA1
670a568418ba190efc8d90f5a52dec2849f3c513

SHA256
aa9b25f5b5aa1998dcff847a59d9c12747ace3f8da7d0c55df9478e023f2d1c0

SHA512
388ea2f3c90276aef4038076912aa2d9049c870421d34296f1c9ce4bc1d70eaefa86a13fedf0840505ba0e6be4bc2b58ca13a068d8ad6b1e094a0cc7d754f2ce

Download Submit
C:\Windows\SysWOW64\Pbkamqmd.exe

Filesize
1.4MB

MD5
d77c2817c23d2beb221427ed4985e431

SHA1
4cc653b43be4ebebf49effa1c0ac7b4d2c68cec1

SHA256
8953c2c189823944141e1d8c77284653ad3de6a932c660b3fa931c78891601f8

SHA512
78987e500168df1a1dd5e52191620e902d8dff100300a7568145d59ebe43a674a39e4b4ddc73103f5bab9664240740eaf169eb7a0dada4eb29b632f9470daa98

Download Submit
C:\Windows\SysWOW64\Pbpjhp32.exe

Filesize
1.4MB

MD5
56bf570aa161eb6bd4426dbae9048d1f

SHA1
27222130ae956baa6b6deda8d8848ff5fb7b42f5

SHA256
c65f509183cf1234a92561e8939b0b6fa3b4be8475d71f29be1a1220fc282cb9

SHA512
e56961afa950242663d10d184dd6eb3008dc0a72340ef051de8bef424e599e1bd04fc28f005d411eece25084c095472824b81a92fe4434c1e00c745e65ead6b3

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
1.4MB

MD5
1ac208aae28d501b3652afea3f63f4d1

SHA1
404780cda11d6470b0e2f4d9f6611a4433f5b7a5

SHA256
39a9d5dc503ff1cf11f1b95b09c37212c3f77812a1e146cea256d4a373bdcd34

SHA512
de59f397eeb2ac0fef489e4d2aef33f925296e5f26c49ee867a0e71a67692689cce8fc33853d4c1613834fa57944637bbad56185b94df7ecaf90b593c93d5877

Download Submit
C:\Windows\SysWOW64\Pgjfkg32.exe

Filesize
1.4MB

MD5
73f232cc999f8da509a4be5b32c3a647

SHA1
a88d4c8e00d7edc7285c5ede58942551272146a5

SHA256
783d4f6c8045236806c86373c30e827a603f8bbb28dc3f9f0549bde19ab5b30f

SHA512
17ae46bcfda95dae39ef3bad7cbc9faadfb231b242f8bb5877c72287f75ece6cba16fc80598a5c2619c7091ad0dcc5233a4df388d9273f33e31ead31ca7488f6

Download Submit
C:\Windows\SysWOW64\Pnihcq32.exe

Filesize
1.4MB

MD5
4d3a4d56fbf4270e8099c68537cf7006

SHA1
f33266b163ff9516a05c18f9dbb11b517071d251

SHA256
edf47cfc9eee24412c9fd175ac0e5083ee4eaeee9efa4e1b3b210fe58df9d861

SHA512
2cdefab4050965eaae5805141f86ae098d0bc4064c8a076d315320ace3cda30e609756d66c1012bb6ff4a1a99bd6d26b1c644c88c10c366f4f29528f84f2bb46

Download Submit
C:\Windows\SysWOW64\Qalnjkgo.exe

Filesize
1.4MB

MD5
f8cf30a3bbd0a5a44db758b9678046c1

SHA1
97621b61a076bb0dc9056bfbb199628ecd2edfd5

SHA256
08f493601d0c3173d32c2879a54e3c973dfb08054933b7b0abbd539423bf2380

SHA512
0961c1c4a889e41283a29aff0c32591de53fa53fe75771e189b4766136d2e4fd94f88794df4545c1dd2e1e8355ad2e4d2c3fc2dfa49b3db636509bb97e49af3c

Download Submit
C:\Windows\SysWOW64\Qjbena32.exe

Filesize
1.4MB

MD5
2b02135a4cbab25bdf12cf58b33345c5

SHA1
a872dc5c38a6f51288d2fe4c55cdf8043b4ab021

SHA256
10a0bcf3dcc7341f1ba516c9b6171120d7704a3666cd3d22db6463151fd9dc1d

SHA512
d3e576af740b54413476e9fb2613ea718ade2f916bd9095a9c6510280f714cdda2273891b3fbd5062011b6929af89155369f75e30b013a327d18a2dc89f29eaf

Download Submit
memory/8-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/32-851-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-834-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-840-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-854-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-848-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-814-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-828-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-852-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-816-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-849-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-867-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-823-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-844-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-862-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-856-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-836-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-841-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-832-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-850-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-864-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-858-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-853-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-876-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-845-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-871-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-869-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-1386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-843-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-866-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-842-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-860-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-827-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-1417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-873-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-859-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-824-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-819-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-874-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-822-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-838-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-818-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-872-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-857-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-821-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-829-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-815-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-820-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-865-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-846-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-868-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-847-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-825-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-833-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-826-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-863-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-835-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-839-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-877-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-830-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-861-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-831-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-817-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-855-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-1367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4876-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-837-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-870-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-875-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-878-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5172-879-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5208-880-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5244-881-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5280-882-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5320-883-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5352-884-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5388-885-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5424-886-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5460-887-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5496-888-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5536-889-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5568-890-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5604-891-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5640-892-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5676-893-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5712-894-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8620-2063-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/9172-2043-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads