0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c

Analysis

max time kernel
130s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe
Size

94KB
MD5

d70fdb3c2cc85afe82aba9412ed77fb0
SHA1

093de3c1353160cd77e6c6587d907b47af59a627
SHA256

0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c
SHA512

ddbf8e5506ff69e2390aae709e7cde239c7c3b42d7e6317bf80d641f79b41c616dcd36f544291553667b5c6dc78d9dabb90d7e9d16d3342f754046524efcb2ac
SSDEEP

1536:HjzRGv2ebA5LXvylstxX/KvIyR+mH7IK6QV5pFaf2LXoaIZTJ+7LhkiB0MPiKeEJ:Dz8v2i7YK6QhF54aMU7uihJ5v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cakjmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpgqpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhqjchp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbacqape.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Capchmmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhlocipo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpofpdgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhgehi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chnlihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blpechop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boanecla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Commqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhgehi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpqjofcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coagla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cafpanem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpemacql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe

Executes dropped EXE 64 IoCs

pid	Process
1764	Bpidngil.exe
676	Bbhqjchp.exe
1952	Bibigmpl.exe
412	Blpechop.exe
4868	Booaodnd.exe
4800	Behiln32.exe
3112	Bhgehi32.exe
4928	Boanecla.exe
2868	Baojaoke.exe
1020	Bifbbllg.exe
3840	Blennh32.exe
1488	Bpqjofcd.exe
4696	Bhlocipo.exe
2272	Blgkdg32.exe
4944	Boegpc32.exe
1416	Bbacqape.exe
4064	Chnlihnl.exe
2696	Cohdebfi.exe
3928	Cafpanem.exe
4404	Cpgqpe32.exe
3528	Ccfmla32.exe
3672	Cedihl32.exe
2348	Chbedh32.exe
368	Commqb32.exe
916	Cakjmm32.exe
3388	Chebighd.exe
3456	Coojfa32.exe
1284	Camfbm32.exe
3884	Chgoogfa.exe
4708	Cpofpdgd.exe
4080	Coagla32.exe
3952	Capchmmb.exe
4816	Digkijmd.exe
3484	Dcopbp32.exe
4108	Dpcpkc32.exe
812	Dofpgqji.exe
1136	Dephckaf.exe
704	Dhnepfpj.exe
724	Dpemacql.exe
4512	Dcdimopp.exe
4792	Djnaji32.exe
2928	Dhqaefng.exe
3680	Dokjbp32.exe
4528	Dcfebonm.exe
3892	Daifnk32.exe
2668	Dhcnke32.exe
4116	Dlojkddn.exe
2536	Domfgpca.exe
1308	Efgodj32.exe
2864	Elagacbk.exe
760	Eoocmoao.exe
1356	Ebnoikqb.exe
2296	Ejegjh32.exe
5008	Elccfc32.exe
4740	Ecmlcmhe.exe
1472	Eflhoigi.exe
3964	Ejgdpg32.exe
2760	Eqalmafo.exe
4232	Ecphimfb.exe
2968	Ebbidj32.exe
4556	Ejjqeg32.exe
1096	Ehlaaddj.exe
2372	Elhmablc.exe
636	Eqciba32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Chbedh32.exe	Cedihl32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Cmddeh32.dll	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Cedihl32.exe	Ccfmla32.exe
File opened for modification	C:\Windows\SysWOW64\Eoocmoao.exe	Elagacbk.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Dcfebonm.exe	Dokjbp32.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Gfedle32.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Lcnodhch.dll	Impepm32.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Opjeff32.dll	Blgkdg32.exe
File opened for modification	C:\Windows\SysWOW64\Coagla32.exe	Cpofpdgd.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Dcdimopp.exe	Dpemacql.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Dhqaefng.exe	Djnaji32.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Dbppbgjd.dll	Dlojkddn.exe
File opened for modification	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Ficgacna.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Blennh32.exe	Bifbbllg.exe
File created	C:\Windows\SysWOW64\Kbbfkb32.dll	Elagacbk.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbdl32.exe	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Bbacqape.exe	Boegpc32.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Commqb32.exe	Chbedh32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Hfdcbdnc.dll	Eflhoigi.exe
File created	C:\Windows\SysWOW64\Gogbdl32.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Eflhoigi.exe	Ecmlcmhe.exe
File created	C:\Windows\SysWOW64\Ffbnph32.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Dacdmi32.dll	Dokjbp32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3796	7924	WerFault.exe	349

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampkqqjm.dll"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boegpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopfdhej.dll"	Ccfmla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfifijhb.dll"	Coagla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlnpc32.dll"	Chgoogfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jehocmdp.dll"	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chgoogfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcopbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpqjofcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdcae32.dll"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmafgei.dll"	Bpidngil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpofpdgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoodnhmi.dll"	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 1764	4136	0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe	83
PID 4136 wrote to memory of 1764	4136	0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe	83
PID 4136 wrote to memory of 1764	4136	0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe	83
PID 1764 wrote to memory of 676	1764	Bpidngil.exe	84
PID 1764 wrote to memory of 676	1764	Bpidngil.exe	84
PID 1764 wrote to memory of 676	1764	Bpidngil.exe	84
PID 676 wrote to memory of 1952	676	Bbhqjchp.exe	85
PID 676 wrote to memory of 1952	676	Bbhqjchp.exe	85
PID 676 wrote to memory of 1952	676	Bbhqjchp.exe	85
PID 1952 wrote to memory of 412	1952	Bibigmpl.exe	86
PID 1952 wrote to memory of 412	1952	Bibigmpl.exe	86
PID 1952 wrote to memory of 412	1952	Bibigmpl.exe	86
PID 412 wrote to memory of 4868	412	Blpechop.exe	87
PID 412 wrote to memory of 4868	412	Blpechop.exe	87
PID 412 wrote to memory of 4868	412	Blpechop.exe	87
PID 4868 wrote to memory of 4800	4868	Booaodnd.exe	88
PID 4868 wrote to memory of 4800	4868	Booaodnd.exe	88
PID 4868 wrote to memory of 4800	4868	Booaodnd.exe	88
PID 4800 wrote to memory of 3112	4800	Behiln32.exe	89
PID 4800 wrote to memory of 3112	4800	Behiln32.exe	89
PID 4800 wrote to memory of 3112	4800	Behiln32.exe	89
PID 3112 wrote to memory of 4928	3112	Bhgehi32.exe	90
PID 3112 wrote to memory of 4928	3112	Bhgehi32.exe	90
PID 3112 wrote to memory of 4928	3112	Bhgehi32.exe	90
PID 4928 wrote to memory of 2868	4928	Boanecla.exe	91
PID 4928 wrote to memory of 2868	4928	Boanecla.exe	91
PID 4928 wrote to memory of 2868	4928	Boanecla.exe	91
PID 2868 wrote to memory of 1020	2868	Baojaoke.exe	92
PID 2868 wrote to memory of 1020	2868	Baojaoke.exe	92
PID 2868 wrote to memory of 1020	2868	Baojaoke.exe	92
PID 1020 wrote to memory of 3840	1020	Bifbbllg.exe	93
PID 1020 wrote to memory of 3840	1020	Bifbbllg.exe	93
PID 1020 wrote to memory of 3840	1020	Bifbbllg.exe	93
PID 3840 wrote to memory of 1488	3840	Blennh32.exe	94
PID 3840 wrote to memory of 1488	3840	Blennh32.exe	94
PID 3840 wrote to memory of 1488	3840	Blennh32.exe	94
PID 1488 wrote to memory of 4696	1488	Bpqjofcd.exe	96
PID 1488 wrote to memory of 4696	1488	Bpqjofcd.exe	96
PID 1488 wrote to memory of 4696	1488	Bpqjofcd.exe	96
PID 4696 wrote to memory of 2272	4696	Bhlocipo.exe	97
PID 4696 wrote to memory of 2272	4696	Bhlocipo.exe	97
PID 4696 wrote to memory of 2272	4696	Bhlocipo.exe	97
PID 2272 wrote to memory of 4944	2272	Blgkdg32.exe	98
PID 2272 wrote to memory of 4944	2272	Blgkdg32.exe	98
PID 2272 wrote to memory of 4944	2272	Blgkdg32.exe	98
PID 4944 wrote to memory of 1416	4944	Boegpc32.exe	99
PID 4944 wrote to memory of 1416	4944	Boegpc32.exe	99
PID 4944 wrote to memory of 1416	4944	Boegpc32.exe	99
PID 1416 wrote to memory of 4064	1416	Bbacqape.exe	100
PID 1416 wrote to memory of 4064	1416	Bbacqape.exe	100
PID 1416 wrote to memory of 4064	1416	Bbacqape.exe	100
PID 4064 wrote to memory of 2696	4064	Chnlihnl.exe	101
PID 4064 wrote to memory of 2696	4064	Chnlihnl.exe	101
PID 4064 wrote to memory of 2696	4064	Chnlihnl.exe	101
PID 2696 wrote to memory of 3928	2696	Cohdebfi.exe	103
PID 2696 wrote to memory of 3928	2696	Cohdebfi.exe	103
PID 2696 wrote to memory of 3928	2696	Cohdebfi.exe	103
PID 3928 wrote to memory of 4404	3928	Cafpanem.exe	104
PID 3928 wrote to memory of 4404	3928	Cafpanem.exe	104
PID 3928 wrote to memory of 4404	3928	Cafpanem.exe	104
PID 4404 wrote to memory of 3528	4404	Cpgqpe32.exe	105
PID 4404 wrote to memory of 3528	4404	Cpgqpe32.exe	105
PID 4404 wrote to memory of 3528	4404	Cpgqpe32.exe	105
PID 3528 wrote to memory of 3672	3528	Ccfmla32.exe	106

C:\Users\Admin\AppData\Local\Temp\0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ee50e2b865f5f9ec038ed080deb381ecd72579ed4aa2aa3b041d30d0f191f3c_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\SysWOW64\Bpidngil.exe
  C:\Windows\system32\Bpidngil.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\Bbhqjchp.exe
    C:\Windows\system32\Bbhqjchp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\SysWOW64\Bibigmpl.exe
      C:\Windows\system32\Bibigmpl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\SysWOW64\Blpechop.exe
        
        C:\Windows\system32\Blpechop.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:412
      - C:\Windows\SysWOW64\Booaodnd.exe
        
        C:\Windows\system32\Booaodnd.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Behiln32.exe
        
        C:\Windows\system32\Behiln32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Bhgehi32.exe
        
        C:\Windows\system32\Bhgehi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Boanecla.exe
        
        C:\Windows\system32\Boanecla.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Baojaoke.exe
        
        C:\Windows\system32\Baojaoke.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Bifbbllg.exe
        
        C:\Windows\system32\Bifbbllg.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Blennh32.exe
        
        C:\Windows\system32\Blennh32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Bpqjofcd.exe
        
        C:\Windows\system32\Bpqjofcd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Bhlocipo.exe
        
        C:\Windows\system32\Bhlocipo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Blgkdg32.exe
        
        C:\Windows\system32\Blgkdg32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Chnlihnl.exe
        
        C:\Windows\system32\Chnlihnl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Cohdebfi.exe
        
        C:\Windows\system32\Cohdebfi.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Cafpanem.exe
        
        C:\Windows\system32\Cafpanem.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Cpgqpe32.exe
        
        C:\Windows\system32\Cpgqpe32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Chbedh32.exe
        
        C:\Windows\system32\Chbedh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        27⤵
        Executes dropped EXE
        
        PID:3388
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        28⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        29⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        34⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        36⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        37⤵
        Executes dropped EXE
        
        PID:812
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        38⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        39⤵
        Executes dropped EXE
        
        PID:704
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        41⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        43⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        45⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        46⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        47⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        49⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        50⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        52⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        53⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        54⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        59⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        60⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        61⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        63⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        64⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        65⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        66⤵
        
        PID:432
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        67⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        68⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3784
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        70⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4908
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        73⤵
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        74⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        76⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2116
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        79⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1632
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        82⤵
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        85⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        88⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        89⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        90⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        91⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        92⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        94⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        95⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        98⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        101⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        104⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        105⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        106⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        107⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        110⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        112⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        113⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        114⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        117⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        119⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        120⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        121⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        122⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        123⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        124⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        125⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        126⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        127⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        128⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        129⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        130⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        132⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        133⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        135⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        136⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        137⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        138⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        139⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        140⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        141⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        142⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6216
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        146⤵
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        147⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        148⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6588
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        151⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6784
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        155⤵
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        156⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6920
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6956
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        159⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7064
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        161⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        162⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        163⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        166⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        168⤵
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        169⤵
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        170⤵
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        171⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        172⤵
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        173⤵
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        174⤵
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        176⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        177⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        178⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        179⤵
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7052
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        181⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        182⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        183⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        184⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        185⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        187⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        188⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7100
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        190⤵
        Drops file in System32 directory
        
        PID:6780
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        192⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        193⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        194⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7132
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        196⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        197⤵
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        198⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        199⤵
        Drops file in System32 directory
        
        PID:7312
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        200⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        201⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7444
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7480
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        204⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        205⤵
        Modifies registry class
        
        PID:7580
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        206⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        207⤵
        Drops file in System32 directory
        
        PID:7668
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        208⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7756
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        210⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        211⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        212⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        213⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        214⤵
        Drops file in System32 directory
        
        PID:7972
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        215⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        216⤵
        Drops file in System32 directory
        
        PID:8056
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8100
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        218⤵
        Modifies registry class
        
        PID:8144
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        219⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        220⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        221⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        222⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        223⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        224⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7576
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7660
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7720
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        228⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        229⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        230⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        231⤵
        Modifies registry class
        
        PID:8004
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8076
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        233⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        234⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        235⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        236⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        237⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        238⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        239⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        240⤵
        Modifies registry class
        
        PID:7832
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        241⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        242⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        243⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        244⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7496
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        246⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        247⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        248⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        249⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        250⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8152
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        252⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7376
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        253⤵
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        254⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3288
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        255⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        256⤵
        Modifies registry class
        
        PID:8048
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        257⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4268
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        259⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 400
        260⤵
        Program crash
        
        PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 7924 -ip 7924
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baojaoke.exe

Filesize
94KB

MD5
f69ee69d73a2d686d87d003c3b7a6bca

SHA1
1127ef2f7991edaef019d6c60c6982f173fc062a

SHA256
c683b8a91c4774d6112f7d1b206dfd75de751088c7acabcb486bff91299ed3de

SHA512
c615f56f23d1b7e1d84a09e607067ba8731a64cdaf1d6b25b19fc3ac7cbb13dbf4b9d70bb56b82c1afcf9c2217b107d8b2bd0577e6ce44b298dd1427418d3262

Download Submit
C:\Windows\SysWOW64\Bbacqape.exe

Filesize
94KB

MD5
e4ddb9440e059a5714261b5286ed922f

SHA1
6896ea14ba9373b674435bdecdf26e52d8ef71ca

SHA256
782c01f719bea53b3f870c2d8a57318d3609973292af836ff8f41459b31b3043

SHA512
d1df4cbdeef2ba88da323c67007a55de86cddb967162a345c78d0bb095a3acc0227153ee8aeb453d75633f3787f5a6ecb182ebe6f4673d3d1005aefcdd176b35

Download Submit
C:\Windows\SysWOW64\Bbhqjchp.exe

Filesize
94KB

MD5
ac068dd13ebcb5df6339d3172da51e72

SHA1
9e99501d7c14400de6a115f453764a52c1211807

SHA256
1598357fc04298e1b6fafdf80c0c04923b02f2f3deceeb62b83d109760d7480b

SHA512
91de2603609d49e1d12e0999214dc1bacba772c1b7d92a9892268de0ae2fc38022fd1df7c1b54159dee53a5d9d24c7effd02b0c7177a3ce5b26725b21a6f4ea4

Download Submit
C:\Windows\SysWOW64\Behiln32.exe

Filesize
94KB

MD5
2346f11aa299e128d3ce7e8d599524b6

SHA1
fecfa0fd4bfef884d9fc845468ca82c2dd43c496

SHA256
fec69999cd2a1459c2b677d02dd519bec99d63e964ffbfe64d07531efa0c7928

SHA512
37af5b0d261e086d4d72e7dd948e0dd40d38c3f75fec611a4e0a2843f7b3dbad4c1aa62efb3ac03bd3be4419671c37f11522d3cc77ec3df038b96922e19f3536

Download Submit
C:\Windows\SysWOW64\Bhgehi32.exe

Filesize
94KB

MD5
c476e4813dc397f778a9f0b9fee8b2e5

SHA1
f351691604bd3fd40be3258823d3d2c731d02c43

SHA256
bbbb9ac8ac1ae56ef2e8ed2a87ce8b7c929a1a09a8d1b1fc42e7d911154f6512

SHA512
74e4dec1c948c6d7bc030855f6fcbaab740bf61333d46abb36f11dac8db2d03dd861202d1144d30e7ad020230b1dbfdde8bae45c6496dbf4011433b4ceba6a36

Download Submit
C:\Windows\SysWOW64\Bhlocipo.exe

Filesize
94KB

MD5
9fbf548f880cffc41cc293c7f432c0ad

SHA1
86f0039f87c4d790b948779683d2b0f9bdd508aa

SHA256
50ec75fba88cc0e2f1589a80b5f94929767e10afc7f55fb3a99feb4caf9a7564

SHA512
28a5ffe96915c3bfbf6faa12a8e927def50b702113450c488b805563ebe2a9eee21aa579da0224838c76ff0bd1d2b875e65a07c46fb26c65a562347e5a619e90

Download Submit
C:\Windows\SysWOW64\Bibigmpl.exe

Filesize
94KB

MD5
ba631073fbc28068043e62ef60ab879c

SHA1
617e9b61b1888f3492a7962968c68bfb7bf473b9

SHA256
fd9c5c5c8da4db3c3261319a1035e38681178b3079fa1e29346af3f0d2a01d80

SHA512
a3c57df4233792fe12961f690e21e07fe439298bc13256abd872bce0054d5feb199a0f70d20516b5a10b4738988380565ac0a9ec7d48411f7373cc718bad09ea

Download Submit
C:\Windows\SysWOW64\Bifbbllg.exe

Filesize
94KB

MD5
912ab8db421b44eaaf5d58e96465bb97

SHA1
bc879b37e3800ef040e267ced5e6cbe8a50e2551

SHA256
15a23377080451f769ececd39d10e0520db6ac9ce6311ba8635c7b9e2e59a3ba

SHA512
95b5f70fc5396a101191df1cb418db00ca95b1e3a0262befda06f3f343d0c78f502f59117661032da325c8e209d5b79504b07137b874a202725cb6359c986aca

Download Submit
C:\Windows\SysWOW64\Blennh32.exe

Filesize
94KB

MD5
9cd7972d0131c2d446b1b468b0a8be30

SHA1
abf546130061679ada63a5606c3e7ccf536c78f6

SHA256
ff80101d4772a4cca24ab13c0750910282fcc9059db7da604ac3f2bace6f39d8

SHA512
09b7554dafab4b10ba82bffd06aed20d66706ab9c75dd30d434d8a189f507ae627aad217d3cfab6778abec89951d0550e52845a19907a07a545c0721ef43f3b1

Download Submit
C:\Windows\SysWOW64\Blgkdg32.exe

Filesize
94KB

MD5
9703e58da2f69f14c602b6b869fbe55c

SHA1
de3177bc7eedb1aa869facfc400ec082c0db9925

SHA256
74c7ff2377c8278168d2366845102d233c812d7f79c9dec6dc00c586d2895529

SHA512
1b01b214fab321a725e7fb33be5001c51dc29a3709177d03fc34553e35b53a53b3f8234a63aaab1d0ad15f7f581235f155ef5772b8fb1d9be559f9928ce7f593

Download Submit
C:\Windows\SysWOW64\Blpechop.exe

Filesize
94KB

MD5
07797eb15a9d95afaf8fef91073dff96

SHA1
10fd58cd00f3e5c7e2d0aa270c24d5e319469dee

SHA256
6652d4963361378abe5d6dc0f07eb2988703a7ccee93ead0f725c3ff96ff61c7

SHA512
0d1c47ff33e1c92a8cb91d7775dbd4a0c6cda4355d8c749e388e5d866c0f7d1ff41240472abaa1a533a29668763b90141d105f59265d42a6da5fff6b5fc965ef

Download Submit
C:\Windows\SysWOW64\Boanecla.exe

Filesize
94KB

MD5
8fee82ecdd0be672df29f8d916c515e1

SHA1
a6c3cd199e68e84f468af69fa1bc44bc195685e1

SHA256
45e9fba4bd079205104c4eb87dd0abdca730aac4ed7b4320cc1e9ce8f082f906

SHA512
cc458a6fb36d5bab6d16ed3d4a16b15e80144504843ec4f794a5436168b9b764f101fb88e776d20a8238bf38d33085508f728cf30a727f35b0c7fa1cb42bd610

Download Submit
C:\Windows\SysWOW64\Boegpc32.exe

Filesize
94KB

MD5
037b5dcff57e942bcead0c4171a34bcb

SHA1
aff06fd0d28bf86f900b0bf1b09410042ec7725d

SHA256
6f52dabd41b499b8d7823a7a310412d175ac2c29bfe5439d25ab311420eaaec3

SHA512
4348e0ba29df2baceb969ce61969e845ed43195aef273fbdda1eee64c1c6e5d3c05f388f1d6fce67c527b677bd8388ba9e232a1aa3b7b3c7d13cc2060c817ae4

Download Submit
C:\Windows\SysWOW64\Booaodnd.exe

Filesize
94KB

MD5
90264f767e7ed4948269c44853068d20

SHA1
9536ad47bae62f30428d481693a4de85cdcbbcd7

SHA256
569416c36e913695c84aa6b2a4e7dc8803c8827457aea2489deb5e674f295e69

SHA512
519f19347ea039f57867f21fa6e772e952649023f1799dcfea42b3a0302095019efc0935c7a72eeffa495fd03e9a0f00b9762876132a669a2122e07c84ccb60b

Download Submit
C:\Windows\SysWOW64\Bpidngil.exe

Filesize
94KB

MD5
d512d95234d85801c1b6390439057b71

SHA1
987bcebbb471f280fed3a849a63a3f70680a211a

SHA256
b8eead79e249e66b101cd67af07115cf06f72e10dd0dbf6d7081ea48ddcdd873

SHA512
45e7978cba87f094201a16697412b5e736680c41b9324c89d8c1b8eae3427a387db5e326532e72a088cda9c60309436e48eaf365f0bdb293be8b25faf42889b4

Download Submit
C:\Windows\SysWOW64\Bpqjofcd.exe

Filesize
94KB

MD5
7e3ddbb1e6c5d4fb241b69ede598bd45

SHA1
c9e097e613694c68e680440285dac996b39283ba

SHA256
bcc06bf99ec7f55e8c25ac97053dd2ac1dc454eebeeba17ae3d731a1e69c81f0

SHA512
8f67af303e36c635f9a9031ac9b472b2e1e2fbd91e8047345d18906cab1ed73c120ab9ba6a8de30d6558e3a606c199bdccd90ab75ce5be2ff746e7e0119f62a0

Download Submit
C:\Windows\SysWOW64\Cafpanem.exe

Filesize
94KB

MD5
59ed0101e8d73a1934904a03665f4bdc

SHA1
94870b0bf11042890f9bab3e55e9e9cb1a558474

SHA256
c82e2dc8c7c6b8728a139f4e656c2d5df777d3546b7be1b50caff6f1aa4ec16d

SHA512
d7db5345e696960172548dcf6107204eaa2df4a1dfa3018b3be181c2d9d7d83fa900de29da35058bf8a9644f331d1ea9e8efd6a12fd2c24bc8ed2e69f7ecfab3

Download Submit
C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
94KB

MD5
d39d62de347be7064cc7716dd26be91f

SHA1
0afeb2fa00c460dd192c79faf60511cd93f31412

SHA256
a4d5031e43930f0dadaa4444d2d037e5316e440f7f01f5842b97d5fc4f2f2eb1

SHA512
ba1356499487452468c7b8ebeb4c7b55f975e7d2651f0ae6a91dc02aaa3899e270bff0c0ab0dbfc9efc2b2130c3b14d7145503849dadbb8ba7f51e5d7f316df7

Download Submit
C:\Windows\SysWOW64\Camfbm32.exe

Filesize
94KB

MD5
3abbd0525433fbcd2dafade8f7d35311

SHA1
af2dc5d386664144c5a97d34903026bfaf7f1438

SHA256
e5bed3fef7741c9a3001cae691c5ee5eaf1586ff6abcacf5ee503db0d664e73f

SHA512
18d9c2c0229c84916da7aa3ae6bcf6cf28b5667b41623af47e5e75c07517f56a525bb069045a6383e58c922f82bac49b076c021f8e8f9ce9eccf59e2ae947cab

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
94KB

MD5
819bbbec2a5efc55dc66341cffdf15c7

SHA1
2a3258e8e5238f9adaabfae4a2fdf0ec0d116770

SHA256
f3ca1d203f0c0f3b7cfc44202dcda93a5f71bc52e45429164ab8aec6fb0accf8

SHA512
f0b11d2b7aed76530f5caa7c38eec7b9fdfd3bd5337422d9f9de407d449812fefa85a85fe5c5ee10c0aaaf13bd5d782883e37d26d0df7f89577dd738901d2f0c

Download Submit
C:\Windows\SysWOW64\Ccfmla32.exe

Filesize
94KB

MD5
b8e26d95176e98c3249170656244d631

SHA1
883d0fb8feac6fd8231901b662b4ee25296e2048

SHA256
0af122406f5e914c439ba6ca45e31acbe873bc49c459e64ffdc073b52f946f8b

SHA512
6bd1c2a8469d9c4dc153f6b7e90f54a341f25a737f793056f650bce1afa03b03e47140efeda044627d22218728d34a0453f058c78117bc52869adc15ffa3ec9f

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
94KB

MD5
67f7f7703aeedbbbc094a82209b7161f

SHA1
b837dffaceda31f2a74761ceb9f84442422dc378

SHA256
a66211ab81a151deef2b652a7d7685b9093d1a2be2d519d29cf9babc7dda0dc1

SHA512
dd791cc8c1d6d1b1cc36f36afb9284e1db2ed853b7a0dc701cac334997a0895a0cf7991b2ba5c18f1be8d6b65b9b059df500c4b9f240aebb6a7333229e9aa60e

Download Submit
C:\Windows\SysWOW64\Chbedh32.exe

Filesize
94KB

MD5
7dc7b104e36c828a22f8297e18171424

SHA1
e61e5349d9c88c2cf5209ba063fe8739e07e34a3

SHA256
47d7d1ad74817454d12223fe14afa9a80b0908b4ed36648830b4a4d8c0270953

SHA512
ae66d0327f636b782f38bd5e6e6440d6a380a2ed38f1c821f4a11781314e3ec8b77a074c74b1427a8429d1e6415432563772f4584f262f5fe612c8e7b2956df4

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
94KB

MD5
c2bc8fa07af1f7a2a57e75a8f1cb7458

SHA1
590c6b8366befb8ba6fc7436c2d5a3983172a29f

SHA256
8e0732deb956c047233c246156f5239c7434f75452eab4fd51791673cb6125c6

SHA512
7841059f1310e8332eb8879b9b16b3a6d07cb4df1de9309a99fdd97da509dea0d9947442d838cc0c7e6140af090155c3c4023efdd0a6172c3e5c2f509125a1c6

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
94KB

MD5
7f1de9063382504fdb0d6a2246a63e24

SHA1
fd2d6c4926a79eb92ece1304c2a302fc329fbcc5

SHA256
28f200ab383aac1af1bb0a0d432b32d772f4dc2b4fc4c105198b5236b95ab630

SHA512
3c5bb09a944729c5b42bafc4870dc651b3f9e8e0952a5820eb45aa892461105e0f5f465cc1952abcdddc9c5fceb660cc9650f171d8ab4a0892476ec08339482e

Download Submit
C:\Windows\SysWOW64\Chnlihnl.exe

Filesize
94KB

MD5
c9c9d1bdba04cf93a9afa8c4a3bd417a

SHA1
6b7f3b71050a4870330b5c7438efd88b1232fa2c

SHA256
c9645b926e9fb2a8c5ec26590c36603b96b2df8fbb92640e6b62bd23a2c3ffa7

SHA512
af7374be0401e14fd0b38e5ce40c031e89a64811626ce0099133363511dfca690288785524d924edcc70d2e3a463e411ff29845729a5eca4286796e0b3e002ad

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
94KB

MD5
8750cf78556ce49ca94ccf5900d2ec25

SHA1
dc5320f4c6f1c942b1ddf58fbd75dfaaf79f78a8

SHA256
a06f3290ecc2f302f76196d3ef999ff838298c48bcd5ec269d296fe53f8d54f4

SHA512
1e9ad099c6e8d94d02ba71c6d966ecdff16ae224c436b4fcec63b4d2f0f39fd5937ab5b1a41c8ed863087e1ff06a7b3eefd12c5c98611f1d1a434690af9105d4

Download Submit
C:\Windows\SysWOW64\Cohdebfi.exe

Filesize
94KB

MD5
3a0cb3bb2ba4d8ed599bde94c544d03b

SHA1
0ea9df8dfd73912a94f59325f779d82f2ea7b4e3

SHA256
9dc0b056ef74efe82635978d51d204d2b0fb25ca13d589990a0f7ae8c50a5711

SHA512
6591949cf1917830a1a783eadb178e666c737b7c42b81ef756425071387f6f2487f3a79a4cd40940ef8ff28c1dc7db5ace90f6012bf95166f7abc5997ec46797

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
94KB

MD5
88a34b7bcad9c07b17340c7232d5698a

SHA1
f1db807b12fdadc9721f0b528b7c52df59ea88f7

SHA256
88e6ac667e7208c62bd9fa0f3301390efb3db6951dd7d616a85190ab65bcefac

SHA512
58a40177947c8b5ebdda217b931323d2338995cf672e7ece8d46bbac16878e416bed49331402896ef60790906f4cd33e1847ef42c3ac4217721cff74655bdb11

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
94KB

MD5
13856b370eee3f13819ff253fd29f790

SHA1
638e56aace6d67be741d55aa78480d823ad24c92

SHA256
20505dcab5ca80a4427653e8d27a0e965d7c0e0f3250e78e54cec7de0d38b611

SHA512
d58ddde4f06fcc78f429e83b0d73863dde0e1d129fa06b3f82e08c8d1ebb48f1daffec3401a416ebdd014bace1c6bd84e565faa2a876b7ca6007374ebe7e7917

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
94KB

MD5
f546d8b3b06be49ec8387b83e465de25

SHA1
7fc250170c30c669fe1a76bc246c7702c13a2c68

SHA256
efd3c059d5319523883f3b93ef34b022f911d96f3abbe8dc783675cbd75ed0bc

SHA512
91e71d3be10038dcb16640173ddf3b7df32fd151becca44efe92637efe835e174664df53a4694a42d07cb66b639db440336632700127cc3a30f0d005a06445a0

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
94KB

MD5
bf518d8629b677274d49f78c48b27d61

SHA1
9e781ae862517f6f388aac1f55789110691739ce

SHA256
9400d9932551b531be7838dd758a82c108726c63526bf1e82cb28a9e2d2464b8

SHA512
27129ab0159979ef90cf8e2fc1393e6ffd5c9b5c4e589a30fa9a660ae673ac00f38c8242f133134958cfa14a82efdb1ef88becab7f64770ef4044292d9f30d0f

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
94KB

MD5
7081e4d6ce2c96f89a751b688ba4dd4d

SHA1
02eb5302b023f1d203946719bffb8e9723842279

SHA256
4f6d7c8a8f1c49b9e87acec258475b8dacabfb9f499bb4877c4f8d42ac350386

SHA512
90b4c0eb81687ee65415c6bda97f5c5e64bef3aa61fa52a60edba411967e4f43fe05fbe87d3a86ce2f70d61906d475ecd347c7cf8e47febc47548e2a8bebb995

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
94KB

MD5
a139cb450463357315f000a130343d08

SHA1
146b59b9d7ed450cf241395088181afdc7a9c439

SHA256
43fe8be5b333eeb407315ced2819c5620343f2bbde983fe48491d8b9ba57cfe6

SHA512
28005410659fd4c4368954b7f67290d44fa8a615fe2c8ca08164b7df0dd8f40f566615b9bacb6be18c27ddd783857299480b29ae7beb4431f844a6ab886572ad

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
94KB

MD5
76d2f9a6d0c78bcd62b85a6040f05293

SHA1
da4fb2acfe1e5d7940565501ddacd1ac9dee8c3e

SHA256
b5472b497d0a9975237d086358ebd2315e47f2faec8f588d4987e0f2aae16cbf

SHA512
abcc2e407960e99d213c61a1e315ddfb8b902e924652174a7437e5c0b5d56bf512cf14b26f42b05f6f26c54d84fe51713447d2710ccd85f0f88e591bfabf7802

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
94KB

MD5
f4e68c08f8374a025c60774e3049d5bf

SHA1
94131069442dfff6e3767b4c65ff2b748841523f

SHA256
349267185db78bb750a072c4ad3f04e5c690ef8572436f8be2073f0fd96b92dd

SHA512
9ef07e4dcaa0e1eb4573fafffb641d647b264b584440895d8cb4ea85c516600626ddadafecdef6792ee8f0f8088845e2a3d6a2438eb77fbd6787ccb25964e1a8

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
94KB

MD5
2281ef6e2dec06c7a0fe2644514f91c1

SHA1
4f510024319b3d8dd92e4a5909a92f17d3df8222

SHA256
850bc2f17191d103df93befd7e0a824eb3cdb396ad95377fd670ff530b425c40

SHA512
54063c1558198bb931956d5c1fc4500c40182c44e35193ff0a0903d4ca1af7a6847a69ec0800148cb3bbbd216c66d00b3e6949e3f7761671d940b715ee7a44b0

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
94KB

MD5
01075ac0c65b99eee8752b1a39c14396

SHA1
aa007b90925e4f5dbe986b60f703b4c71a9c7281

SHA256
34dec11aa0116540a478ae7c4388556db860ced4d6ed85d6524f9e4947721c28

SHA512
9461a72af1bc00b4af32c13ad7befadaeff394c0f1a0926a52725d1c8486db7c20c18277dcd54e609149d572a7f3e8f84eaf5e7cd694c5877dba874c2ed6b539

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
94KB

MD5
49cdd13792fd352b6abbf85e3fb80da1

SHA1
dfb2ae6ebfe067bfe0cf343ac7392f780c83ba5a

SHA256
4456c615625c1a09bb4831bf9724a5e9fc66678a1fa6bea9ab164c97d17d07cd

SHA512
3446abadead275ac62c800aec846d8c6d1b71df6331161d9c2ac73a0f5a043a185a1c49b7113250d81523e3ba7fad94b1532edf87498b1f058744a3b6a4917f3

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
94KB

MD5
3c81ee60f9162f14093eee4313a90656

SHA1
4b209edbbef89e95ff7c0975d9d1cde742dc1f67

SHA256
1359f10f28a5a3f3f5b2756e553d075a3a684917eb396dbe60c8aab7631f111b

SHA512
1de9309405377090992d16b5d44ea2c11a72f843e7247b3aa58c9dbbc06b7830822ffe6d0f886d958550720bbdff9dc7f0c9d4ea6a192e000cda51c61cbc5e8d

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
94KB

MD5
bd798d92be72ac74d09bcaa34a5bfcfc

SHA1
41c56b6a70cd9f46e240b97690cbb459145536b5

SHA256
9efbc5de0fa915f0853b2ab6b77f71c2513378661e26dd9c510d18974a1c6b46

SHA512
37a8cf8adf9077e24e33afe283cdc76f458d350704557a13ad8ebd4662304cb2f7caf02d582acd0d4f525c07e0e6f567bd5dce81e03739425a001b9f236cf99c

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
94KB

MD5
103949d53ae69caf90111902320a0751

SHA1
4780e7fd8a6e216050542b6815407c8420c5c95b

SHA256
64083ccfe96d249767c27564fad6216a0e10284d460b6bae8d0221857d9806a3

SHA512
d26ffecfd1c43182f3852f607229bd8714dbc5362644f44370305aa980420b972f6436c53ae4e7a7992446db46c275366ff8f693ae0387ea076166b9b725a938

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
94KB

MD5
92749c2db24a6ed0df3cb2c71144b23b

SHA1
cfcca119491995ce2ac07dd03dcfac79febb6cbf

SHA256
e58900b15c31794803446d72f102f31cede3ea189eb76284f4cdd26d08ed59f4

SHA512
af4bdf526a17be85a4ca9861054be8a31928556ace27add0a3a770b169b8afaacb0f331355b7bbd0f1907e56fe09e558435199629d28bf5b10017f71d6c8ddc7

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
94KB

MD5
a2c918c9765c0efdf5e95620b04da954

SHA1
b5e31103085c8d2064f9718496dd94b5f89df1fb

SHA256
41a95ca411a5c3e82e6a59bf2f221db54e30b8e18a1b2facdc5d63ebbb557cf9

SHA512
a08f78970f15bced87a099bfb50e8baefa257f3a372c6031ff204fd85ce6ac80a0949d260e153243d0c4b3db658710d2325206c85fddfbafc9cf07fc2d030076

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
94KB

MD5
22d9b2254fe3303a145b6dd34f5d5781

SHA1
516bc7f0a72a469958632266f6bee416694bae5d

SHA256
9fd27a5377e91b7c06387adbb6df9354ac9de36f4db3796737ced82f272dea85

SHA512
d72608765eb514470bef3899ed14dfcfabf1396369b565bd7f915792f288c3cb53ad7c74a6fffe7833634c4861a1d06e91255edd82dc986f384dc7e7d9a6d784

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
94KB

MD5
eff97f893ac9444fc6d43d523c3f0499

SHA1
57f95061dd75467c895b812a8d0e72170f2b9bb8

SHA256
844692fff300227acfa244e8da6b035527c1838304cb98b2f73c008df7bba302

SHA512
56f6554800fa69ba59405d876661f7b3836e78312bdae50d15b9594065a6d355a6244265fc88ac0bef99de635385989ba3d962a91d92e98739c9f749570dee2b

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
94KB

MD5
1e84ca6880a1a7d2fe974d92684f1b92

SHA1
a73836a20d09889e1d81d19671ef2a77e19e061f

SHA256
e09621c1c1d2d4c22a6303056444fcf73437ca8d3b3f0b04b781403e1c4f2b48

SHA512
b78cc4b8879fe3b1baca48a44624b9d6ce1fca400e84138dd4d6c858b8be91bb823fe5b802d928d576d927460f19d92f46cd4e1141cdf18af7b964ed51090f13

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
94KB

MD5
a44f8a854de7ac98d017ed6317dba21f

SHA1
f1089ac440e2e8b94f0c113337d4143f2eaa13a8

SHA256
a985abd5b2c6fbcc918851a7e2e815b344ad9c7376ac5ca0c9d1dedf2b34a651

SHA512
4ef1a9a9e12d4f6a657663ab812f2a87a0037a0c8218f2074005817b59babd51854106ce9a525afdaa11865f05587634ae8d20238994ceaec7a74cc3c0118b00

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
94KB

MD5
9fbb0f08fa6e36087c068b45e531db23

SHA1
8bf089370188b390c6785f5fcf89070663bf2d2a

SHA256
da5a04bf104929793e5d5706616fb1ffdb717e9f7003de1e25e2cd9c79a197b4

SHA512
91776c940a4e1cab96af402908aa7be3e6b82838449200412453f95460e7037a3f4ff30e5148de15a8d57b20ebd72ee3f5b85446452d266d0c7843181016c50a

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
94KB

MD5
7cc881d9fb91e115e6e44474b8736c16

SHA1
138a7d9ebcfa7973cd1250327d8e4416b6605042

SHA256
a5822c5bff3f2ed0f48f5a3cf13035ccb2ccd9fa6071353ec2f772842be85591

SHA512
c4c063d4833c25e00d403ce6c208412189d7362c587f378e4f62743f342937ccb8a9eb97d723027c998fd013b3527ab52cf49c0eff98d6b1678b16f6b704d6e0

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
94KB

MD5
c0db7d461ae54cfea523282e4a40c47f

SHA1
b72d12f172d40bfa9523b79ee634519f577b86bd

SHA256
9f0b74f6170b67a503d92a5c12ca276553f9caa48a280e6346d49d353e4f81c5

SHA512
9fd8b30e961cab91e6d1f2eacf81f598076771bef771acbfe30da2f724b62502e31db27483fa97afdc40fba75681ec1a28f15d357ca9ee8f11723db79e37186e

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
94KB

MD5
c1265e90551fa2eb45f1052015424004

SHA1
b3b35ba7e5430eefab1a0c2ad4ac02ed21ef1311

SHA256
066bae5d4dcb5142f4c5a884880ac8b80b80332bf803bff3a167cfaf23f796d6

SHA512
65f625929bc4711c138576547ee986e7ab87368c57d48b0155cb0697396f50a1f50ebdc07909386dcad6597afcbab171608d4f03593651605e83b7d5038fcee7

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
94KB

MD5
2c2acd135cd7efb2a7e7d78bc1cb6411

SHA1
dd4dd1f2c311d8902f946a5a43c362daa382bd6b

SHA256
d7d3148b4de2b3a12e5917b6415d0ec2eea16246bfe99e4ea948b09a097d46c3

SHA512
c2892a474f7fe67597012bd1fed5a08668425ee191d94b0054f7365a980d33ccb1bb1f2c91c659c1f3726b6a8c5b40f39138516c8ad92352058e933e25eab627

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
94KB

MD5
e2780b0bb7b449be0d5f5cdf480ed835

SHA1
a51d9a07db11002f83f314a104dfa687736a3a62

SHA256
4d50888f8e140df2b0e63c498f2a38b912e9621c9d55a8ade4d04e3f941f0462

SHA512
f432ac2da7636a129500c41a2a99c4f30e9ac00b2e77fc702142e5b4cfe9dbbadabff56d84f9e8c6c34a2edd3e85c2e2769e5b0db9183781b65bba37abec1ecb

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
94KB

MD5
1f2a5a3e06f18be81b20892a5c8c3925

SHA1
1709dd18a11b88e03bbc73237b4d260f76765a90

SHA256
c2bcc58dcd7dad07fec2f60b6d582cb9fa60fdfa1d765ccfc9733719723d1286

SHA512
ed1182f50f2b3b31ffbad04dcc092bed9ac70ae409791a4c47b0daad949020c366f6c0cf1a616501edf80d632d3bf9725600505089819c5455d00e35b9b4a9f0

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
94KB

MD5
cc15f90bcefaffa6827b0fd910294c2f

SHA1
92b892f015062b08053b8ebb1447e88a1daaacd2

SHA256
0b8733901f08ea8e12015173fd03ba974e0d1403387809334722560f5d27d9b6

SHA512
01f961c82b64d59d466fa2c3c55a09ded8f3dafcb674bc4ef3ce0234bda61595ace6c5f26a8ba64141f694b04b230f31e027be60a24f70ba061ee5c66278a9c8

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
94KB

MD5
90fb14c0ff98f917220fa70809d8b24b

SHA1
9c312418b98dd5113cf8ea9de3a74710db2cb462

SHA256
fb80c754fb09598e72d9816b1eacbf953b56a8aa55d0762eccbe3fef5fd8e65c

SHA512
cabcd51edc71c9f728fee93c791d66686cc2a58053b674e9e1a10df3348bbe261bd35bceff264b95098f22e4be08c53291e0fdd3d136a60ef3d9997eed82dbca

Download Submit
memory/368-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/368-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/412-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/412-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/676-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/676-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/704-387-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/704-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/724-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/760-402-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/812-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/812-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/916-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/916-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1020-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1020-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1136-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1136-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1284-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1284-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1308-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1308-454-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1356-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1416-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1416-227-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1472-440-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1488-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1488-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1764-93-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1764-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1952-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2272-121-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2296-416-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2348-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2348-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2536-381-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2536-447-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2668-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-448-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2868-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2868-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2928-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2928-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3112-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3112-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3388-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3456-238-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3484-360-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3484-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3528-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3528-272-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3672-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3672-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3680-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3680-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3840-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3840-94-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3884-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3892-428-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3892-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3928-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3928-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3952-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3964-441-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4064-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4080-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4108-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4116-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4136-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4136-3-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4136-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4528-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4696-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4696-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4708-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4740-429-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4792-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4792-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4800-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4800-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4816-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4816-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4928-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4928-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5008-422-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads