bac0a3745973621ebc9f6dc027655ec97bf1c6701eb9c324d2748586a46e4c35

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 19:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a5196acc844ba0e11ce5b74e1347670_NEIKI.exe
Size

60KB
MD5

1a5196acc844ba0e11ce5b74e1347670
SHA1

fc472bea5d8e95d74c148987fe2befc0f7c09e61
SHA256

bac0a3745973621ebc9f6dc027655ec97bf1c6701eb9c324d2748586a46e4c35
SHA512

3b4e76b9c0c3e9df3cd60bffbc950083f5a55db74f5fc25a885a128138271fae5341179cefaba466ab79e47261bb0f278d83a1e5d4e0ef558b230b1787311684
SSDEEP

768:DoC8Y9kH+DgRbsexJDTsDc4WyeVZy7j5IOFrTx/1H5LAB+XdnhMl/Xdnhp:Dv80ke0sexRTU71HTzdAB86l1r

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bedgjgkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnahdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbiockdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hahokfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Domdjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcoljagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbpajgmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoeieolb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebngial.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacepg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iacngdgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemooo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbpajgmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqpfmlce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Foclgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeapcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakikoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemooo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnlodjpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dflfac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlepcdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igajal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmimai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edplhjhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edbiniff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahokfag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koodbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblmgf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnnljj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbnajqc.exe

Executes dropped EXE 64 IoCs

pid	Process
1460	Akepfpcl.exe
1764	Bedgjgkg.exe
2888	Bdickcpo.exe
2436	Cnahdi32.exe
1028	Cbpajgmf.exe
1608	Cbbnpg32.exe
4848	Cbdjeg32.exe
792	Cdecgbfa.exe
3088	Domdjj32.exe
4724	Dbnmke32.exe
4664	Dflfac32.exe
820	Dfnbgc32.exe
3392	Emjgim32.exe
3212	Eeelnp32.exe
3968	Epmmqheb.exe
2656	Eppjfgcp.exe
524	Fihnomjp.exe
900	Gmimai32.exe
4084	Hfcnpn32.exe
1596	Hlepcdoa.exe
2216	Hoeieolb.exe
1488	Iebngial.exe
3632	Igajal32.exe
788	Ioolkncg.exe
4588	Jpaekqhh.exe
4384	Koodbl32.exe
2616	Kjgeedch.exe
1332	Knenkbio.exe
772	Lfbped32.exe
4964	Lfgipd32.exe
3436	Lqojclne.exe
3756	Mmmqhl32.exe
644	Mcifkf32.exe
1232	Npbceggm.exe
3752	Npgmpf32.exe
4812	Nceefd32.exe
1824	Omnjojpo.exe
384	Ofhknodl.exe
4836	Omdppiif.exe
3416	Ogjdmbil.exe
1532	Ocaebc32.exe
1692	Paeelgnj.exe
1328	Pfandnla.exe
4368	Phajna32.exe
1064	Paiogf32.exe
4440	Palklf32.exe
4324	Qaqegecm.exe
3664	Ahmjjoig.exe
2528	Ahofoogd.exe
1212	Apjkcadp.exe
4604	Ahdpjn32.exe
4572	Adkqoohc.exe
1392	Bkgeainn.exe
3560	Boenhgdd.exe
232	Bhmbqm32.exe
4216	Boihcf32.exe
4220	Bhblllfo.exe
2440	Cggimh32.exe
3036	Chfegk32.exe
2556	Cglbhhga.exe
4580	Cpdgqmnb.exe
4528	Cdbpgl32.exe
4792	Dhphmj32.exe
2832	Dpkmal32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eojpkdah.dll	Hicpgc32.exe
File created	C:\Windows\SysWOW64\Ongbqjjf.dll	Domdjj32.exe
File opened for modification	C:\Windows\SysWOW64\Dflfac32.exe	Dbnmke32.exe
File opened for modification	C:\Windows\SysWOW64\Kjgeedch.exe	Koodbl32.exe
File created	C:\Windows\SysWOW64\Lfbped32.exe	Knenkbio.exe
File created	C:\Windows\SysWOW64\Ahmjjoig.exe	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Fganqbgg.exe	Fofilp32.exe
File created	C:\Windows\SysWOW64\Cnnjancb.dll	Gacepg32.exe
File opened for modification	C:\Windows\SysWOW64\Mbdiknlb.exe	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Bpenhh32.dll	Ncmhko32.exe
File opened for modification	C:\Windows\SysWOW64\Ojqcnhkl.exe	Nbbeml32.exe
File opened for modification	C:\Windows\SysWOW64\Jahqiaeb.exe	Jeapcq32.exe
File created	C:\Windows\SysWOW64\Omnjojpo.exe	Nceefd32.exe
File created	C:\Windows\SysWOW64\Ocaebc32.exe	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Hlhefcoo.dll	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Figgdg32.exe	Eomffaag.exe
File opened for modification	C:\Windows\SysWOW64\Gbnhoj32.exe	Gbiockdj.exe
File created	C:\Windows\SysWOW64\Jeocna32.exe	Jblmgf32.exe
File opened for modification	C:\Windows\SysWOW64\Nbbeml32.exe	Ncmhko32.exe
File opened for modification	C:\Windows\SysWOW64\Pbjddh32.exe	Pbhgoh32.exe
File created	C:\Windows\SysWOW64\Eapjpi32.dll	Pbhgoh32.exe
File created	C:\Windows\SysWOW64\Ghfedh32.dll	Foclgq32.exe
File created	C:\Windows\SysWOW64\Filclgic.dll	Fihnomjp.exe
File created	C:\Windows\SysWOW64\Mhegobpi.dll	Igajal32.exe
File created	C:\Windows\SysWOW64\Mcifkf32.exe	Mmmqhl32.exe
File opened for modification	C:\Windows\SysWOW64\Ahmjjoig.exe	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Dpkmal32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Omjbpn32.dll	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Egcaod32.exe	Edbiniff.exe
File created	C:\Windows\SysWOW64\Pcbkml32.exe	Pfojdh32.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Ahofoogd.exe
File opened for modification	C:\Windows\SysWOW64\Adkqoohc.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Aanfno32.dll	Iialhaad.exe
File created	C:\Windows\SysWOW64\Mgfhfd32.dll	Khiofk32.exe
File opened for modification	C:\Windows\SysWOW64\Koodbl32.exe	Jpaekqhh.exe
File created	C:\Windows\SysWOW64\Hnnljj32.exe	Hnlodjpa.exe
File created	C:\Windows\SysWOW64\Cbdjeg32.exe	Cbbnpg32.exe
File created	C:\Windows\SysWOW64\Iebngial.exe	Hoeieolb.exe
File created	C:\Windows\SysWOW64\Gadiippo.dll	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Pkoaeldi.dll	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Aoibcl32.dll	Dqpfmlce.exe
File opened for modification	C:\Windows\SysWOW64\Nblolm32.exe	Mfenglqf.exe
File created	C:\Windows\SysWOW64\Cnahdi32.exe	Bdickcpo.exe
File created	C:\Windows\SysWOW64\Cbbnpg32.exe	Cbpajgmf.exe
File opened for modification	C:\Windows\SysWOW64\Emjgim32.exe	Dfnbgc32.exe
File created	C:\Windows\SysWOW64\Gbiockdj.exe	Feenjgfq.exe
File opened for modification	C:\Windows\SysWOW64\Iamamcop.exe	Iialhaad.exe
File created	C:\Windows\SysWOW64\Khiofk32.exe	Klbnajqc.exe
File created	C:\Windows\SysWOW64\Mbdiknlb.exe	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Jkchlonc.dll	Cbbnpg32.exe
File created	C:\Windows\SysWOW64\Aablof32.dll	Koodbl32.exe
File created	C:\Windows\SysWOW64\Qedegh32.dll	Ofhknodl.exe
File created	C:\Windows\SysWOW64\Paiogf32.exe	Phajna32.exe
File created	C:\Windows\SysWOW64\Iialhaad.exe	Ieccbbkn.exe
File created	C:\Windows\SysWOW64\Mjidgkog.exe	Mcoljagj.exe
File created	C:\Windows\SysWOW64\Ofgdcipq.exe	Ojqcnhkl.exe
File created	C:\Windows\SysWOW64\Emjgim32.exe	Dfnbgc32.exe
File created	C:\Windows\SysWOW64\Lqojclne.exe	Lfgipd32.exe
File created	C:\Windows\SysWOW64\Igafkb32.dll	Paiogf32.exe
File opened for modification	C:\Windows\SysWOW64\Figgdg32.exe	Eomffaag.exe
File created	C:\Windows\SysWOW64\Mjliff32.dll	Kcapicdj.exe
File opened for modification	C:\Windows\SysWOW64\Ofgdcipq.exe	Ojqcnhkl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5656	5744	WerFault.exe	217

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dflfac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaekqhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knenkbio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1a5196acc844ba0e11ce5b74e1347670_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibcjqgnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojpmiij.dll"	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcdlpbd.dll"	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flinad32.dll"	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgfhfd32.dll"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkhpjc32.dll"	Cbpajgmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emjgim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eppjfgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cikamapb.dll"	Hfcnpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbiockdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccegac32.dll"	Gbbajjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdcajc32.dll"	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackekpfe.dll"	1a5196acc844ba0e11ce5b74e1347670_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdnhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanmld32.dll"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fihnomjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfgipd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npbceggm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dakikoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Filclgic.dll"	Fihnomjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecgicmp.dll"	Fganqbgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnnljj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpbba32.dll"	Eeelnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofdmmgd.dll"	Akepfpcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnbgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfhllkp.dll"	Gmimai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koodbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1a5196acc844ba0e11ce5b74e1347670_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fihnomjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgdgna32.dll"	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmkebjc.dll"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epopbo32.dll"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhfdb32.dll"	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pninea32.dll"	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Domdjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnlodjpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljhbbae.dll"	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knenkbio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlepcdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epmmqheb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1460	2964	1a5196acc844ba0e11ce5b74e1347670_NEIKI.exe	90
PID 2964 wrote to memory of 1460	2964	1a5196acc844ba0e11ce5b74e1347670_NEIKI.exe	90
PID 2964 wrote to memory of 1460	2964	1a5196acc844ba0e11ce5b74e1347670_NEIKI.exe	90
PID 1460 wrote to memory of 1764	1460	Akepfpcl.exe	91
PID 1460 wrote to memory of 1764	1460	Akepfpcl.exe	91
PID 1460 wrote to memory of 1764	1460	Akepfpcl.exe	91
PID 1764 wrote to memory of 2888	1764	Bedgjgkg.exe	92
PID 1764 wrote to memory of 2888	1764	Bedgjgkg.exe	92
PID 1764 wrote to memory of 2888	1764	Bedgjgkg.exe	92
PID 2888 wrote to memory of 2436	2888	Bdickcpo.exe	93
PID 2888 wrote to memory of 2436	2888	Bdickcpo.exe	93
PID 2888 wrote to memory of 2436	2888	Bdickcpo.exe	93
PID 2436 wrote to memory of 1028	2436	Cnahdi32.exe	94
PID 2436 wrote to memory of 1028	2436	Cnahdi32.exe	94
PID 2436 wrote to memory of 1028	2436	Cnahdi32.exe	94
PID 1028 wrote to memory of 1608	1028	Cbpajgmf.exe	95
PID 1028 wrote to memory of 1608	1028	Cbpajgmf.exe	95
PID 1028 wrote to memory of 1608	1028	Cbpajgmf.exe	95
PID 1608 wrote to memory of 4848	1608	Cbbnpg32.exe	96
PID 1608 wrote to memory of 4848	1608	Cbbnpg32.exe	96
PID 1608 wrote to memory of 4848	1608	Cbbnpg32.exe	96
PID 4848 wrote to memory of 792	4848	Cbdjeg32.exe	97
PID 4848 wrote to memory of 792	4848	Cbdjeg32.exe	97
PID 4848 wrote to memory of 792	4848	Cbdjeg32.exe	97
PID 792 wrote to memory of 3088	792	Cdecgbfa.exe	98
PID 792 wrote to memory of 3088	792	Cdecgbfa.exe	98
PID 792 wrote to memory of 3088	792	Cdecgbfa.exe	98
PID 3088 wrote to memory of 4724	3088	Domdjj32.exe	99
PID 3088 wrote to memory of 4724	3088	Domdjj32.exe	99
PID 3088 wrote to memory of 4724	3088	Domdjj32.exe	99
PID 4724 wrote to memory of 4664	4724	Dbnmke32.exe	100
PID 4724 wrote to memory of 4664	4724	Dbnmke32.exe	100
PID 4724 wrote to memory of 4664	4724	Dbnmke32.exe	100
PID 4664 wrote to memory of 820	4664	Dflfac32.exe	101
PID 4664 wrote to memory of 820	4664	Dflfac32.exe	101
PID 4664 wrote to memory of 820	4664	Dflfac32.exe	101
PID 820 wrote to memory of 3392	820	Dfnbgc32.exe	102
PID 820 wrote to memory of 3392	820	Dfnbgc32.exe	102
PID 820 wrote to memory of 3392	820	Dfnbgc32.exe	102
PID 3392 wrote to memory of 3212	3392	Emjgim32.exe	103
PID 3392 wrote to memory of 3212	3392	Emjgim32.exe	103
PID 3392 wrote to memory of 3212	3392	Emjgim32.exe	103
PID 3212 wrote to memory of 3968	3212	Eeelnp32.exe	104
PID 3212 wrote to memory of 3968	3212	Eeelnp32.exe	104
PID 3212 wrote to memory of 3968	3212	Eeelnp32.exe	104
PID 3968 wrote to memory of 2656	3968	Epmmqheb.exe	105
PID 3968 wrote to memory of 2656	3968	Epmmqheb.exe	105
PID 3968 wrote to memory of 2656	3968	Epmmqheb.exe	105
PID 2656 wrote to memory of 524	2656	Eppjfgcp.exe	106
PID 2656 wrote to memory of 524	2656	Eppjfgcp.exe	106
PID 2656 wrote to memory of 524	2656	Eppjfgcp.exe	106
PID 524 wrote to memory of 900	524	Fihnomjp.exe	107
PID 524 wrote to memory of 900	524	Fihnomjp.exe	107
PID 524 wrote to memory of 900	524	Fihnomjp.exe	107
PID 900 wrote to memory of 4084	900	Gmimai32.exe	108
PID 900 wrote to memory of 4084	900	Gmimai32.exe	108
PID 900 wrote to memory of 4084	900	Gmimai32.exe	108
PID 4084 wrote to memory of 1596	4084	Hfcnpn32.exe	109
PID 4084 wrote to memory of 1596	4084	Hfcnpn32.exe	109
PID 4084 wrote to memory of 1596	4084	Hfcnpn32.exe	109
PID 1596 wrote to memory of 2216	1596	Hlepcdoa.exe	110
PID 1596 wrote to memory of 2216	1596	Hlepcdoa.exe	110
PID 1596 wrote to memory of 2216	1596	Hlepcdoa.exe	110
PID 2216 wrote to memory of 1488	2216	Hoeieolb.exe	111

C:\Users\Admin\AppData\Local\Temp\1a5196acc844ba0e11ce5b74e1347670_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\1a5196acc844ba0e11ce5b74e1347670_NEIKI.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\Akepfpcl.exe
  C:\Windows\system32\Akepfpcl.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\Bedgjgkg.exe
    C:\Windows\system32\Bedgjgkg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\SysWOW64\Bdickcpo.exe
      C:\Windows\system32\Bdickcpo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\SysWOW64\Cnahdi32.exe
        
        C:\Windows\system32\Cnahdi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Cdecgbfa.exe
        
        C:\Windows\system32\Cdecgbfa.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        25⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        30⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        32⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        38⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        40⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        42⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        44⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        47⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        51⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        57⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        61⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        68⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3732
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        71⤵
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        72⤵
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        73⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        74⤵
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Fganqbgg.exe
        
        C:\Windows\system32\Fganqbgg.exe
        77⤵
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        80⤵
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        82⤵
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3924
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Hifmmb32.exe
        
        C:\Windows\system32\Hifmmb32.exe
        87⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        88⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        90⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        93⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        95⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        97⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        98⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        102⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        103⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        104⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        106⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        108⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        109⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        110⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        111⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        112⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        117⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        118⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        119⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        123⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        127⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 400
        128⤵
        Program crash
        
        PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5744 -ip 5744
1⤵
PID:6084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
60KB

MD5
df3c853912e1c0f035604c5ed55fe50e

SHA1
c717fa26a0376860668a6bb8c851468739d108bc

SHA256
9907afc97893eb6c4152bbc741cbd45dac32568fa670e9ff4a98874011c2813e

SHA512
cc7917296e2a386114b0902946246655326f93cd6ce9298ba409211bf320f39ed7a67fe88254b6a3d27d7c6b4fd3b2bfbbfa7dd28c81cd3c68e55091c773a9ea

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
60KB

MD5
e1b293bb7e7cc1d27ec75a871fd4b52d

SHA1
891bacd952a55845116dc563d026d9c7ef840f6f

SHA256
eef7e82d692d8336136fdef5447889b51b125157858227923b78d5d5cd9266e8

SHA512
cba7b3abc41487ad9fb01de8d94cf5f6a693d05d2340813a463e0d22b748e8883725349aba6ae1c7be1c315db4fb8aa9d9343e6fbb6631f0e8ef922996a4a5b4

Download Submit
C:\Windows\SysWOW64\Akepfpcl.exe

Filesize
60KB

MD5
208ce5cc8368e4d605610533176ec6a9

SHA1
64c8a1c0aaa2ea9e1050f566f43ff4c20867504e

SHA256
e1f546af00f3ee5a0e2902f1fa508f577b832742fea13f646d710f7e79710f11

SHA512
d2361cc432f8418afaa29e49a4185bcf81122e3a081f7cbc91dc1da641b924f0f4d4d9fcb6f7fae627beecc416b5c1b64846da268e848a8a45002b72b392190a

Download Submit
C:\Windows\SysWOW64\Bdickcpo.exe

Filesize
60KB

MD5
e38b78d06cc25c6e35a920e9e4b02f13

SHA1
20e194c61ad278adffe66a7fc2e3a7d0522778b0

SHA256
88b9ae9c8e83e5840e3ae14914e67be0fe943c7db1fc97e06a22d836820718b8

SHA512
8dbd5f4cf1793cce48c930916497b369a13fc3efb4cd01a32f2149e7114f3996bb9654c1dab6d0d5f82483ec81e94c0d8c0ec787cc530b07fc92700e000def3f

Download Submit
C:\Windows\SysWOW64\Bedgjgkg.exe

Filesize
60KB

MD5
f16111714857a953f28ade35a5478514

SHA1
eff7440690f797dad98a9a17d49f3149fa956659

SHA256
d5ae5e89ef237cc617987cbf109e515c9ce7428c2487dee560d2213f4139b8bf

SHA512
7665198a76686e2718f8c9736f281e4fb09d17958a2194587a9a6d96b8113f0b512db7165f1df0c85d500e04776260cafeb3b6cda5a7b2920fdb863e767515bb

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
60KB

MD5
e642376d6973f359da97919a5ca3e227

SHA1
00e627b6dd49948b69414f3f0f9d4af1c3a33ebd

SHA256
7e392c45ba38676ba9cc75695fe3e29cda18382ad4568cfd5d730e44e771d7af

SHA512
18181920c3790d48809e888d9f5c6a85e12e3a46238b1792ac6abce0ee48197cd4559f5c9b63480124657dbf9b07859c0ca09efbe8f33f50be5609026e15dc76

Download Submit
C:\Windows\SysWOW64\Cbbnpg32.exe

Filesize
60KB

MD5
acfc03dc9514366870b5aa4ee0127f2c

SHA1
18b1d344ca7803d3c546d9ff193aba7cec2612b8

SHA256
b94937a7c5502b6e9bae9623d8dc21eec0e07a1c64b3a1bebfd2f1c136ce0577

SHA512
16747f91eee74ee6715caecd876923282e947f86ea0bf203f9897caaef0bb1448f00335974fd9ac802a184714d54379ab6ebb10f633b1b6dd6ad4b62ec7edf22

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
60KB

MD5
32999703b8eee21f5ae2b0facff5af79

SHA1
f8c42407b622b54b7e46aed513b7d7f57564bd8d

SHA256
242632f75153f1f8775fd6a796a595bd2caf29618ee3a2817ec05ef833b2820b

SHA512
83b533aeefc9f763d9691b1fa109da782afb66b113fd82cb6df1af977b631813a4b682aa9880de63cca3f4a03a29dfbc44848ab622de5fd3d5bf6ec75915340e

Download Submit
C:\Windows\SysWOW64\Cbpajgmf.exe

Filesize
60KB

MD5
afe3ecd78a368f4560798e03861f9ce6

SHA1
8cd15af6f6b218912d563560007315fb12f56bdf

SHA256
07d9a67224f7f23d7509022e908ef6fe616837197d8187c4ca15d55bc5768251

SHA512
b6a2f81f737ed2e0083737ac7682e259621e10d62780914faa6193d56f072df5844ef76d606ab2791e29f6e43869ea9b1151095dcf88e1e801760b6f85566c5f

Download Submit
C:\Windows\SysWOW64\Cdecgbfa.exe

Filesize
60KB

MD5
d2ea35c7e7f3d325ef4bb003078ff9b4

SHA1
2be1c667794baced594596f0c51ed390424580d6

SHA256
82ecb37b2b47b7990be8ab57aec6c197d35007cc1f79f1d38d9b2d0a541d145c

SHA512
7757a6be09b97914118d16575418674a842958f63fce9ea97159410bfa58eefa665d0bf39f524d7b6d7b0f3b995a19513ba5f07659330cc7acc7de6069d0840f

Download Submit
C:\Windows\SysWOW64\Cggimh32.exe

Filesize
60KB

MD5
5f2a171b926585c8531a032674e1ff27

SHA1
f16900317c14f03273f878cbdfe4d5852d9fbb8b

SHA256
34654651f189b9146d7e7ab689d744af458fefcf6bd05bc04be0648a744fc977

SHA512
6dd0599d1b43037cb5976a17814465a8c64742384215df66693aabe4dc30d02268d14d33410a2d05d6dd94af894b6f5eb4bc9b8c75f233f6eedbac7b9b244af3

Download Submit
C:\Windows\SysWOW64\Cglbhhga.exe

Filesize
60KB

MD5
d17868d8eefe4df3f1889c1ac079506e

SHA1
1318f9c014fc822ff0324d700b471de89512565f

SHA256
296dd55ebb2368b0acc577b3e05583c5e7b3e5ad350fbb38a874c1284be6c009

SHA512
a4d57c33f5e3a82957478c155adc4d5a0e7a17cf28470ea0cd63d7c99f3c9a5a5479ca0661a6b87ccac145c33a82f4fce23e84e22f66ccf854be44b129e99342

Download Submit
C:\Windows\SysWOW64\Cnahdi32.exe

Filesize
60KB

MD5
3678e8ad3a5ddf583cdb3e71968f8636

SHA1
4eb0196c1456631552c6cb033e0ab284ea3fb5bf

SHA256
a5175213eec0eb1732e5e97fb9c788a4c2a0d2dedb8488f50d449abd6e916e47

SHA512
921c1e7406c8e58115a02f9edad19d83c16bd7d5bf328acea62422d8741fe827113e9cf667e1a853611c5eeb2479bb659617d253c9b92c12808f3dda5cb008eb

Download Submit
C:\Windows\SysWOW64\Dbnmke32.exe

Filesize
60KB

MD5
d1de48c31e87925028a3fa18a723c62f

SHA1
f1098c1c55f74622c38c6c029b9d0d9833de389c

SHA256
b210a9c52299f2f99e113fafd93c0030cfb4639165bdcdcbaf4e3b7b7865d6ce

SHA512
70c6a5dd2a08fcfa7af2dd577554989502abf25e985aaa474c6ed6ed82c5470387f8ec7bf3b9d0c52586e95bc1a904fce52909f7d16dd3017efff13f844e5f23

Download Submit
C:\Windows\SysWOW64\Dflfac32.exe

Filesize
60KB

MD5
06e4e224051a4be7927c020af99aae7d

SHA1
f0a46d5ea2f78104c609588ce70150914968e696

SHA256
e0030a45061a0c815649afedd637e2265f3ad613d908bb3dfa5cc462b74b98ae

SHA512
3b4b0f9f17ed3deb1398085f7e0d11575d84e501e1f5c5761c69d9b1a056a1377c3058dbf949f2c0172d5a9d9e6382495a9f87bb98a7b86055929d20b55d3f65

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe

Filesize
60KB

MD5
e4e6dc5241feb440b5b3ac22adb776da

SHA1
28547b35dd4b3e7903a991baad6765c920ca9545

SHA256
3c72a6e7f4942d9453bf3acb5c0efe716db91034085ecca24e257f11d0707eee

SHA512
fbf96cdb0c35b88463213f4b867001eb3e2f4fe237b70ba44abea09b1b61688a74b611c1a927ca6088f9e03e08ad72b7bdfb4c1b307547f520f6c514b06d457f

Download Submit
C:\Windows\SysWOW64\Domdjj32.exe

Filesize
60KB

MD5
a2decefa3a0bb0785965656ddb90e6fb

SHA1
393b9b8ebe18fabc128543a0d77d4857e7d9ec3b

SHA256
dbaac87ec73f4a63c3942a7ff3df10112eb8071b5f60bb898c5f727c86280c41

SHA512
591a89f75f21e67cbedf4b156d964d96e8bd9ccbf389773232c81ed2fbaba75b9b8cae17438bbf5dd44524c1832a8b80410b25688640926e35523bb68f2f2f1b

Download Submit
C:\Windows\SysWOW64\Edplhjhi.exe

Filesize
60KB

MD5
ab1db960013f43da5bb3c80a44d3a6e4

SHA1
10e2f95a09fd7bbb87b558ebf4db0e230bb17961

SHA256
4cf12d03f3a0f6c559a52a88150243cf29fbd9f887f96ee5fb77dc3c1b0f58ec

SHA512
f1d0d29522960353541c13dc2b9af7aaa059a5283bdf7199c60928b4b21acd85bac4c07e4ba5cffc5fb97c8aae5dac02238c6b871ee6e63d84ced48cc31a4534

Download Submit
C:\Windows\SysWOW64\Eeelnp32.exe

Filesize
60KB

MD5
dd0093a643939a97bd6427b5382f1a36

SHA1
436dfba9d9de7a04a5b96e0c27c19310982510f6

SHA256
9bbab78ffd693c4d07ee593a9228195d7f9a86dfe0be7a3595ce8cca5552b60e

SHA512
9950befe64882d0d453f6b2d0c039cacccf9e80252bdb65b4d04649ebcf0d18783d26485b52206f100de21a4ee3bac6852f6853b407423a4ff3ce384ddca297d

Download Submit
C:\Windows\SysWOW64\Emjgim32.exe

Filesize
60KB

MD5
816b27f39a478756b183aaf1c09dfd17

SHA1
9b9d7caaaa25a0c1d4bde406d7d7fdef9c29e7aa

SHA256
894699c15743aec756664907e7a62eb9abc6ecf6215414277fe6ef0863412f3b

SHA512
21d1051872086d262bc4b7f11645a8f07a97e457a2870cf88c4c24f04f58584f65ebe21e92f7ba4400fc1ee5563123d101aaa5804dd71f00d913c01030d41abf

Download Submit
C:\Windows\SysWOW64\Epmmqheb.exe

Filesize
60KB

MD5
b3ee7c9565264f1d32c665947af9248f

SHA1
7629e889ca42ebef1258448b1ef9ebd889f727b3

SHA256
e23fe3d312002dbd5d0a24f122f6a1d2b5773b35aa0fa19166b8aed4d699b187

SHA512
6226968e8c8a489299e80bb88ced40c0a1e55d12ff81d3ee496e266fe28931fb417f1a1280f4d4cc55ebb93249f3b1a77f421cc29dc1305cd466703a462244a8

Download Submit
C:\Windows\SysWOW64\Eppjfgcp.exe

Filesize
60KB

MD5
7fb81b53ea342c4ea91d7ccda9a00d11

SHA1
9281a14e52ae9ff246296eb2a30496884c024d9c

SHA256
bf263bb14895cd43eb084d4d1cbc36510141bbf6c774b4ffebac3d352792071c

SHA512
8adfac795e7c13d32da8be07ab55da8ccdc5a308fd26eb1b0d2a247dbaadacf3757969682ac29237bb516d16a6992c717c97f9bc38ce481ae6ebf21263022804

Download Submit
C:\Windows\SysWOW64\Fdnhih32.exe

Filesize
60KB

MD5
7777789559f15c8a73f2d7095fd23513

SHA1
8a93a035f2eec7845d73c693815895ee9e8ab953

SHA256
4805f606e66573112939038ba4ab396836d429618a1e5f784f2551e347a326d8

SHA512
a9b29d30788ba1ca6256a28689c5328c0990c80e33265e077bce7530b65e3a8293beca6151860246e392cdc0b1ba24fc8ade48610d196e575d963e6c459a3604

Download Submit
C:\Windows\SysWOW64\Feenjgfq.exe

Filesize
60KB

MD5
f09143348f9b7f1372cb183433dba09d

SHA1
81cca215c9cf78ea63ba50093c5f4b468e43e08f

SHA256
3b3b303ef40a37c15a0278c5807e3ee0f9e88a1aa2b463cde2ae7fcd25a74e3a

SHA512
7860850bacc6f364ab44285241e7045657debb0e4dc0ebbf8b80af44fece648e39486d8148ee4c894bfcbc0d775a1ed3e62a42b485ac079f4fe4ce7a91fb103f

Download Submit
C:\Windows\SysWOW64\Fihnomjp.exe

Filesize
60KB

MD5
e676bc9a2d9e0ae78a7a0d9641ceb2ac

SHA1
b6a91deda9ebbdb2206bf60801fd604d8f46af37

SHA256
1718d4d79a2760f5b5436ef4514e4480183295681f588d11e4d357925a1a7e35

SHA512
486601b54cc13f60512219e6fb6e3b2c6d2ba6466f7c8e7180e5810e97bf785127a816bbd9364bf0639cb11c061729fd4e8cf41e0b93b7e86c7a43689241ddcd

Download Submit
C:\Windows\SysWOW64\Gmimai32.exe

Filesize
60KB

MD5
14783e4fad6a4742935f88f84f1f9019

SHA1
cb3b3c3eb7f834d5b58f5a68fd3b9d9338b26592

SHA256
7431aba05e5b1e3f498d3e883832d752a224fdcac9086d9bbc8cf2d6947b087b

SHA512
a0aeb3443593b4c5701e48855af80b989080f560c9ce47fb9e34d44719ebc937f22c6c2ed52c5f889aa4434248b5a43391d6d1000cdddf26796d33ff9f1d9233

Download Submit
C:\Windows\SysWOW64\Hemmac32.exe

Filesize
60KB

MD5
71014572c9584bc5410d642977e9f0c5

SHA1
8b73e5660d4e3d011f9b6e502790d6990562d2c8

SHA256
927b5c04a1aca5ebf48f9eeca73b2171e9d31c65eb7158e53c946eab29177917

SHA512
31a956ecb3e7f8d600a1ae53c87b71c1a5f0f01a70ef443a1869ad5de99587b69804d5195325de43bfec6579c75c5c4fe9c87d0ddfad06cb50e972cb1d3b6631

Download Submit
C:\Windows\SysWOW64\Hfcnpn32.exe

Filesize
60KB

MD5
4f78643861cb9c20d6ec10af2fc258ad

SHA1
0559e01ca4a28e4e2843fbc9a15d224032dd2645

SHA256
7d19fd684ed88a70f53fb069d9a996244168d4832669ef137a2c79149c8f4efd

SHA512
bfa3b72dc3bfb3da16a2c8403dc5af4263fbe2a70b9d90c2b0857d1d309f0d8abdd351cd4a41d52c79c191bebce52d6fe472421c907883a600bc4619bed4e39b

Download Submit
C:\Windows\SysWOW64\Hlepcdoa.exe

Filesize
60KB

MD5
a0894f08d105bb2bdb7845da1d715525

SHA1
197d1ba20815d7881d13c0c35def676afd03ad85

SHA256
9b6c2adbbc341f9408240177fc1398b828106040dbda2c5aca9cac1612e79368

SHA512
c7e5d74252718b87d25b47bd2211a42b6997c7331f4636481e15411c2196f24382e7791cf19cca39f7026b928613fda066ccd096ad9db3faba574e0d11c19d22

Download Submit
C:\Windows\SysWOW64\Hnnljj32.exe

Filesize
60KB

MD5
10a5fb92ba91441e12daecbce6825070

SHA1
541bf724b58288c77081b9247cbbea17e807fb08

SHA256
e487a91195788c622ed4b05666a4137287f139eb1cd6009dc6327a37c7053f36

SHA512
94b9dd915fc788c3e6c42f383e95c87d65b11f63fd007308849a1cbc7f163f28a7b289466f146cee6c990b3fcb755862ff5ded51e2cde3b97169378aa7077aed

Download Submit
C:\Windows\SysWOW64\Hoeieolb.exe

Filesize
60KB

MD5
635d197416b0a04aa3cbb2a1a52abc86

SHA1
47eb5f8025a5405a8be778489d4249b7684ab5e9

SHA256
c6a0526ca9e7520578b2ff4e3b2d6bef08131f22500087b0835c045331d1caa4

SHA512
b8da7946970bbc5196d2e1ba46330046f88dff49ffa142ec5231f9e09d5158ad612395e58b93b0d6d58b4c426213e3c6ce8feb65372c0c7062e7ba95bd53f98f

Download Submit
C:\Windows\SysWOW64\Iebngial.exe

Filesize
60KB

MD5
93082db884334adcc6d0058daf3c3f6f

SHA1
c968e74cc62687312fb149abd2e97b9cd13b7cb2

SHA256
13953dfc68ebe6cbddb365a9917e972f002b6be933eeab3788c18cdd17d99dea

SHA512
61bf1ea44d6357e83948cb7cc751832c87ab8bc692b58ae201ff5a50ce09b5d9e2f3e63d70c86d38cbac5a30e346f1957a6aa09111ce14c1fc1863cd359ba97c

Download Submit
C:\Windows\SysWOW64\Igajal32.exe

Filesize
60KB

MD5
716b1c1d8459c8ff5ae1ee6fb41d7afb

SHA1
0d5872611e941e1ad8d64a6321014817946c181a

SHA256
8b5c8dd5e674258ff22ad1c0d9c5fe61350fc0267e799046c0c677e5d25fe1f3

SHA512
beac33a319f6a16e93970ab5289ef3e862d0716a1f4c1dff668ffcf219ce3c6627a725a8dd0d63efadd066524251064e77bc07c68c7b74a4cd5b4bb5da7b4b31

Download Submit
C:\Windows\SysWOW64\Iialhaad.exe

Filesize
60KB

MD5
0ff38770ed3fe3530af0403b2e1b5ed0

SHA1
077fcceaca8c152f6b247dc1f08744701564178d

SHA256
e72870e89d1727edb40c90f9515a134155cd3b23ddeab31c1630efcbfd1962fe

SHA512
1c17687445f224042486e34e898ec4ea80153b1c8f018877ddb016a1b909bb10603a067282dc1f159d6faad114d7fcd4b41dd3cf1bdabdada18bb0c37668cff4

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe

Filesize
60KB

MD5
427085ef824f195df9d90ef56fd4aa79

SHA1
f417469891e8393fe43b98c84e1b4d9934c45914

SHA256
08d1212c974d7ca86c182dc092c064d326bf96a7507da081775f034c9865e6bb

SHA512
3f8316404dd9efb461878bec9dad9b2cb6441b22a163f59c807d7f93ed12738e80843292af0ebb8555f93b4a27951a36e34cb8fe868420ea5e0541e378ee211b

Download Submit
C:\Windows\SysWOW64\Jeocna32.exe

Filesize
60KB

MD5
a3c703cbe65d3c9dbad6f928558148e5

SHA1
232e772ad7a95a4e0e86eb3322995199c1f02532

SHA256
2071b8d93d7da7e2bef99158df4363fe46be924bc11c251a3bb2f144b77066c5

SHA512
aa3472a07930ac21449f4906a1c9e0531c578353f8cbb90077c342c9ad59b1dfb6da98934c142b76654158d1e8dc1e6646b5c28711a3c00a78d25a890ad67a8c

Download Submit
C:\Windows\SysWOW64\Jpaekqhh.exe

Filesize
60KB

MD5
1de2e795ff1aa37ff4eb2dcc2f0e8c88

SHA1
8020a44abb1e4ee86dc877f24a9e15c701d41d12

SHA256
f1d3cb7b5ae0815d1b55bffba93b7b20d1844485b1221b4cbbfd9f425c58c0bf

SHA512
a996be7dac2f230dc199aaaf125af5ba018dd7618b34b104570872e5b6e79edd45b7496a26ef6d1a3008a4abea54dfe138ee30a4aecb42f0c28dd2833f4eb2d1

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
60KB

MD5
bed4e9952ea344f69ba9a25882aa8245

SHA1
5a67cef1ab6b9d0f230f43d961e0f1ce4ad674f8

SHA256
739555dfc46db06adf512d3c676b9c9d04dfdeb45a3372f12ace0daeb789c81a

SHA512
ba52b8c6b0887f5d8449efda882d950d0e4d54adee060b78a184d4e5815ea80b319ac35f86f37d41a6410d68740e2f2627da22e1c374b8bf378e694b7cff1ca2

Download Submit
C:\Windows\SysWOW64\Kemooo32.exe

Filesize
60KB

MD5
fe35e4aac2ee28234b3861be97527221

SHA1
2b5714f7c6f6cca7ccc0eff305dc76fdb73ed77f

SHA256
4408f3a2a000f9c5d5407c8bed04ba61a661b93af24545a55773da673b875078

SHA512
bf749af186340608cbb0680844adb96ff10071e20b2ad6e9eb2b2979498ef0a4bf398b1c5a54e9ba39ac14e17b2922847b635796681284383cb5f3ee9ae864dd

Download Submit
C:\Windows\SysWOW64\Khiofk32.exe

Filesize
60KB

MD5
38936656563126adc7b7237471cfdd22

SHA1
51ff1fd80aff938df7cffa21589fd61d7c7800b7

SHA256
906d7bf210d40f4b2fdbdb7d60d41062dbaf59b2c264c0901d3e46c2041ee68c

SHA512
b2a59da2a86aa2caf756680f9abfcfcb0b0d34b076fd6c9b6d01915915d3d35cbb24bbf7f01855cfb752632e0905d429f01cf78bb2c2c205a28600ce6de8c654

Download Submit
C:\Windows\SysWOW64\Kjgeedch.exe

Filesize
60KB

MD5
3b8a719656c48c08cf8953b21aed25dc

SHA1
c61891ee8adbb75f08734266a01b1fd8e36686ef

SHA256
a64921a032e946a7c8985f56945ba2debaec7c68fcff41005bd360ffeb77365d

SHA512
df3f89fa85aa10854089580485459491463ff84566aed660d56fdc5d88c60e347ce3a0e5420b5cf93e0777dc702ac7063de80e9a1307c237aa5668cfee62dc50

Download Submit
C:\Windows\SysWOW64\Knenkbio.exe

Filesize
60KB

MD5
5c09ad65b58d36d2953708699fcaf1f9

SHA1
ddd5bcdde65130742b43129c3e40a94a7d057f80

SHA256
a4ac804e246c04e459ff89822edd95242229b439e521ffac1bfaf3d734f0bab5

SHA512
d4f7b0639e1e9273ab312d2cb9d2cf753311f2742a2d0e07c8f88968faa574b4c199038964b5e36956bc0e4e567fa975d1ae0f41b5cfdec40d7ba9b1a94b6f4d

Download Submit
C:\Windows\SysWOW64\Koodbl32.exe

Filesize
60KB

MD5
aed89511e0f9aceece2259763eba7d4e

SHA1
24ddfbad69f4a67880597a6fa5b9d67673e69b7b

SHA256
af38c213958a485b78c6c0fa175dbaf84cb6ae9135adad72049a2ebd585eda79

SHA512
4f0fa277335ea1abf54dfb36102d2b83fc733b716aca7044f48975f16a328ad56801fa3a7073b829584989a41e6c6c2bd74cdb14cb705c80d1668c591b449e04

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
60KB

MD5
6b76877eb7373b6f725d65fd14a9fa24

SHA1
c0d031c3c2e0c91b3e1c926c1e4fd0d3a9d72054

SHA256
62d3e8fb1f302d23c4c34a76c79c262a2114ecb636192de32f5ed78685b4c7e0

SHA512
5283537f2cfbfd752ac315148a5399b78e3435ddfd3135961ab7446e094ac329d5414ba0d07a7543361cef6474f9b1f8c92684c4fda523ba58f8354949ca11e0

Download Submit
C:\Windows\SysWOW64\Lfbped32.exe

Filesize
60KB

MD5
c413c0815b0a174edac71b205e03669c

SHA1
e7b129e3346fd5cf0ffe0e8ab243cc11fda13d7d

SHA256
001a50a8070a5172ea75b85ac6a48b473f9c6ca575a1a24704c6ec9514655773

SHA512
cfb1c2791934d73c063797f8f3a89fa92f04f128eef195d3e812782188f057f5a422988e07e7829b23d11ee0320f22170b8e9120952e260c0fe8cb4afec9a993

Download Submit
C:\Windows\SysWOW64\Lfgipd32.exe

Filesize
60KB

MD5
47ea8b8deaa578bfaf1e5063778589aa

SHA1
d0a6767b47289b7663a7e42aff9f187ab559c9e9

SHA256
335261fb17c08777f32cd09db18ed44fbd05fae9e341982a33f25a57cf3a56dc

SHA512
a109f497449e39f23f8774ac89e1a8efc8f880c3ba846c5dac6f1c69bd656f5de99e4ead7b0c6c2093dea6309bfa2193491cc96f90ac7aba208e8675fab0c694

Download Submit
C:\Windows\SysWOW64\Lpgmhg32.exe

Filesize
60KB

MD5
dbb9cc35b0dbff2a175b65cf97ba8ff0

SHA1
578bc64afa7e190ca7d42f180ca160dde7a89d33

SHA256
474ff5bb722ed705063d27518394d1ad2056205f64119d3bb4dee6f299e89d0b

SHA512
a0c45c58287a443563d249238a8bbb4b22ba44f731a1469d6106c9e5b0294603ec60c87c50adab62b6337676e5669825f5e6f52465147b29d8ac938c3d82cfda

Download Submit
C:\Windows\SysWOW64\Lqojclne.exe

Filesize
60KB

MD5
733f4b36be0e4df1fcf55faf7d72279e

SHA1
42e4ce46f195ca7b47285339ad715b7c89f9c5db

SHA256
4f84366d3a6cc2999bdff5c2e90d9943b50f2b7192594288d3130447c077ea00

SHA512
b6c1d9a4e85befcb339011e9af85051de70ebe178fa78b87654d4d0300fa664a5b33682ef226daca35d121a3fe1dae3ef8c315f8fbc8468a463d9ea3b2115d40

Download Submit
C:\Windows\SysWOW64\Mfenglqf.exe

Filesize
60KB

MD5
bae5fa3614062136bcc0a27015ce9c1d

SHA1
8c9434b89f24b2dda83e47e7652472ed6ccab66f

SHA256
fdb8733f86035d6dc8ecb71629846b48ac3368c840e762342dfbb999c6d4f1bb

SHA512
73fa0707ea93e40a254a70ed23845074b423df4b4571dcb8a35e093fdefe8be840d9552a1eb09e0f65f596b5352f5e9f33c2cfc47423f6c87b24a6052dff750c

Download Submit
C:\Windows\SysWOW64\Mmmqhl32.exe

Filesize
60KB

MD5
93eb3d5f487f1b718817709cfcb1cbf1

SHA1
838b40f36858308caf951b3db2c97c0711fd71cd

SHA256
4732e39396f73159e243a7189cfad8c39df4c295b11ab18cd65671b9a592cf5f

SHA512
b8078e8363e536e286048f6db3eb0920f2e834fdcfc129e0e07bbd32cb58241ea8a936ce49340d08e1fcdaf38718e1b1333cb48a415ddb49c865a13a25deb7c3

Download Submit
C:\Windows\SysWOW64\Nbbeml32.exe

Filesize
60KB

MD5
0e2511375ada65dab353d5837c4a5e02

SHA1
a60f174c3790a7cbb320fd523963fe9e23863bf9

SHA256
8090b9fdcb4609b1c4b3fd906b168236564ecdee2652e079bb24255931661cc5

SHA512
f9747d04d667c4469ae1354e7605959d3f1d1c0eee4912884e8e93d6475654b4a180c95fcdf011329284f888edb024bc79fa6557864e1b84293ae19940dc40b9

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
60KB

MD5
c2e2145412ff4377f35d2c104da89a70

SHA1
f093a186e52758eb07636dee69ca71925537016f

SHA256
186be02453d326a0f7fc2300af52422d4a7575fde2f4bcd73f4d33ec1e7403e0

SHA512
f312eccdeb0074450e7a335e0440ef61e28acec55edba374b36b2991ea5dc9c42a2b885566bf641616a083c365e4884480551cc99cc49a7aae2b7fe9514877d5

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

Filesize
60KB

MD5
e748e677db3efb51ede09f49cfd5e8c2

SHA1
668b3fbe3824b8863307114d53201d381c6a1dee

SHA256
5db3d8e0684439640324f474ba621094d7773d53b21f183d2a6f2cb7575c96f3

SHA512
5963d65a48faf720a632773581fd88f72df73dfd8931d768518db8d21c5ad8a965bd3b4e39930b0a8d8b835c8b5c8fc49cacef407d8bea4c28c45b573c16fa14

Download Submit
C:\Windows\SysWOW64\Pbjddh32.exe

Filesize
60KB

MD5
e9fb95ba7806843280eed5cdf46c751c

SHA1
8bf77cbd70ae12d4b7b2e2439cb38ddd3cf48468

SHA256
91cfbb7b3192650ec26a50f8ad3a988dccd0b91e83ea3290f31cfee5905df261

SHA512
3777de88d59acdf9893d089d56bc1052e83e8033cc94e4e7a491dfae1b89087777dc94fdaf20d975b9d46b66a5f2c2d63243c577826f55b27e784e173ac61600

Download Submit
memory/232-429-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/384-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/524-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/644-348-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/644-283-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/772-248-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/772-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/788-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/788-289-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/792-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/820-186-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/820-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/900-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/900-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1028-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1028-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1064-428-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1064-362-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1212-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1212-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1232-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1232-355-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1328-349-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1328-414-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1332-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1332-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1332-1126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1392-415-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1460-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1460-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1488-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1488-187-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1532-336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1596-257-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1596-169-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1608-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1608-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-407-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1764-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1764-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1824-309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1824-375-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1864-1020-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2216-265-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2216-178-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2436-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2436-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2440-451-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2528-458-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2528-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2656-222-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2656-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2888-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2888-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2964-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2964-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/2964-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-459-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3088-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3212-117-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3212-205-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3392-109-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3392-195-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3416-329-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3436-267-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3436-335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3560-421-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3632-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3632-282-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3664-450-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3664-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3752-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3756-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3756-342-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3968-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4084-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4216-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4220-443-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4324-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4368-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4384-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4440-369-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4572-408-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4588-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4604-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4664-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4664-177-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4724-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4724-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4812-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4812-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-1105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4848-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4848-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4964-258-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5272-965-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5312-938-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5632-955-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6088-972-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads