0d2f108f3246de93fa1553b955263b43712fd35965d5c20808eec218e56d9cf3

Analysis

max time kernel
145s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fcea2613b43a3da8b77fa8dcf9d1620_NEIKI.exe
Size

42KB
MD5

1fcea2613b43a3da8b77fa8dcf9d1620
SHA1

b1fdc1cc551600ca95a8fe3fe4abc79869573ffe
SHA256

0d2f108f3246de93fa1553b955263b43712fd35965d5c20808eec218e56d9cf3
SHA512

353bb2d8594a026591edf6b76df30e2f43b4620da4b45ddd5fc43d3f7e9152fd4931831a2bfcade04005bca23970a47a8f39096364371f4ac16138c64f04c669
SSDEEP

768:JU2Fu26dnx18PO5eTm3iT8tsJ0Cy/5TXkKPr3Tf7vLXz/bYEAmI/1H5o:6X5dx1jKAC8amCGQKPr3Tf7vLXz/bYEe

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dllmfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpnohej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcopbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakbckbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpnohej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dagiil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpacfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cidncj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elhmablc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clldogdc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Denlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blennh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcopbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe

Executes dropped EXE 64 IoCs

pid	Process
5008	Boanecla.exe
388	Bekfan32.exe
2180	Blennh32.exe
2168	Bockjc32.exe
4936	Baaggo32.exe
2176	Bhlocipo.exe
1256	Boegpc32.exe
3556	Bbacqape.exe
4480	Bikkml32.exe
1396	Cpedjf32.exe
2032	Ceblbm32.exe
3272	Clldogdc.exe
3764	Cojqkbdf.exe
5028	Caimgncj.exe
4352	Cipehkcl.exe
764	Cpjmee32.exe
4916	Cchiaqjm.exe
4752	Cefemliq.exe
2596	Clqnjf32.exe
1248	Ccjfgphj.exe
2216	Cidncj32.exe
1596	Clckpf32.exe
5104	Capchmmb.exe
672	Dhjkdg32.exe
2608	Dpacfd32.exe
1836	Dcopbp32.exe
1944	Denlnk32.exe
2604	Dcalgo32.exe
1816	Dephckaf.exe
1884	Djlddi32.exe
404	Dpemacql.exe
4984	Dagiil32.exe
3996	Debeijoc.exe
3312	Dllmfd32.exe
368	Dokjbp32.exe
4892	Dcfebonm.exe
5020	Djpnohej.exe
452	Djpnohej.exe
952	Dlojkddn.exe
2480	Domfgpca.exe
3852	Dakbckbe.exe
4940	Ejbkehcg.exe
1724	Elagacbk.exe
3160	Eckonn32.exe
4568	Efikji32.exe
2764	Ejegjh32.exe
5036	Epopgbia.exe
3752	Ecmlcmhe.exe
4868	Ehjdldfl.exe
2796	Eodlho32.exe
3616	Ebbidj32.exe
2972	Ejjqeg32.exe
4428	Elhmablc.exe
4720	Eofinnkf.exe
3992	Efpajh32.exe
4832	Ehonfc32.exe
3008	Eqfeha32.exe
4300	Eoifcnid.exe
2348	Fbgbpihg.exe
2792	Ffbnph32.exe
4972	Fhajlc32.exe
5100	Fqhbmqqg.exe
2656	Fbioei32.exe
2848	Ficgacna.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ddomph32.dll	Debeijoc.exe
File opened for modification	C:\Windows\SysWOW64\Ffbnph32.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Cidncj32.exe	Ccjfgphj.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Cpjmee32.exe	Cipehkcl.exe
File opened for modification	C:\Windows\SysWOW64\Fhajlc32.exe	Ffbnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Clqnjf32.exe	Cefemliq.exe
File created	C:\Windows\SysWOW64\Ccjfgphj.exe	Clqnjf32.exe
File created	C:\Windows\SysWOW64\Dacdmi32.dll	Dokjbp32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Opjeff32.dll	Bhlocipo.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Capchmmb.exe	Clckpf32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Gmkbnp32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Blennh32.exe	Bekfan32.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Cpedjf32.exe	Bikkml32.exe
File opened for modification	C:\Windows\SysWOW64\Dpemacql.exe	Djlddi32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Aiagblgj.dll	Dakbckbe.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7184	6708	WerFault.exe	286

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eenphlji.dll"	Caimgncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpjmee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1fcea2613b43a3da8b77fa8dcf9d1620_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbjbq32.dll"	Bekfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcepmcb.dll"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cefemliq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jingckla.dll"	Clqnjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcopbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1fcea2613b43a3da8b77fa8dcf9d1620_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihjpn32.dll"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpacfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgjkamf.dll"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fomonm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnoenkc.dll"	Bockjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjcpe32.dll"	Ccjfgphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfjabqq.dll"	1fcea2613b43a3da8b77fa8dcf9d1620_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baaggo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodldljj.dll"	Cpjmee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bekfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdahphpi.dll"	Cidncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Capchmmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljmpfbln.dll"	Clldogdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjfgphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipqnahgf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 5008	4680	1fcea2613b43a3da8b77fa8dcf9d1620_NEIKI.exe	85
PID 4680 wrote to memory of 5008	4680	1fcea2613b43a3da8b77fa8dcf9d1620_NEIKI.exe	85
PID 4680 wrote to memory of 5008	4680	1fcea2613b43a3da8b77fa8dcf9d1620_NEIKI.exe	85
PID 5008 wrote to memory of 388	5008	Boanecla.exe	86
PID 5008 wrote to memory of 388	5008	Boanecla.exe	86
PID 5008 wrote to memory of 388	5008	Boanecla.exe	86
PID 388 wrote to memory of 2180	388	Bekfan32.exe	87
PID 388 wrote to memory of 2180	388	Bekfan32.exe	87
PID 388 wrote to memory of 2180	388	Bekfan32.exe	87
PID 2180 wrote to memory of 2168	2180	Blennh32.exe	88
PID 2180 wrote to memory of 2168	2180	Blennh32.exe	88
PID 2180 wrote to memory of 2168	2180	Blennh32.exe	88
PID 2168 wrote to memory of 4936	2168	Bockjc32.exe	89
PID 2168 wrote to memory of 4936	2168	Bockjc32.exe	89
PID 2168 wrote to memory of 4936	2168	Bockjc32.exe	89
PID 4936 wrote to memory of 2176	4936	Baaggo32.exe	90
PID 4936 wrote to memory of 2176	4936	Baaggo32.exe	90
PID 4936 wrote to memory of 2176	4936	Baaggo32.exe	90
PID 2176 wrote to memory of 1256	2176	Bhlocipo.exe	91
PID 2176 wrote to memory of 1256	2176	Bhlocipo.exe	91
PID 2176 wrote to memory of 1256	2176	Bhlocipo.exe	91
PID 1256 wrote to memory of 3556	1256	Boegpc32.exe	92
PID 1256 wrote to memory of 3556	1256	Boegpc32.exe	92
PID 1256 wrote to memory of 3556	1256	Boegpc32.exe	92
PID 3556 wrote to memory of 4480	3556	Bbacqape.exe	93
PID 3556 wrote to memory of 4480	3556	Bbacqape.exe	93
PID 3556 wrote to memory of 4480	3556	Bbacqape.exe	93
PID 4480 wrote to memory of 1396	4480	Bikkml32.exe	94
PID 4480 wrote to memory of 1396	4480	Bikkml32.exe	94
PID 4480 wrote to memory of 1396	4480	Bikkml32.exe	94
PID 1396 wrote to memory of 2032	1396	Cpedjf32.exe	95
PID 1396 wrote to memory of 2032	1396	Cpedjf32.exe	95
PID 1396 wrote to memory of 2032	1396	Cpedjf32.exe	95
PID 2032 wrote to memory of 3272	2032	Ceblbm32.exe	96
PID 2032 wrote to memory of 3272	2032	Ceblbm32.exe	96
PID 2032 wrote to memory of 3272	2032	Ceblbm32.exe	96
PID 3272 wrote to memory of 3764	3272	Clldogdc.exe	97
PID 3272 wrote to memory of 3764	3272	Clldogdc.exe	97
PID 3272 wrote to memory of 3764	3272	Clldogdc.exe	97
PID 3764 wrote to memory of 5028	3764	Cojqkbdf.exe	98
PID 3764 wrote to memory of 5028	3764	Cojqkbdf.exe	98
PID 3764 wrote to memory of 5028	3764	Cojqkbdf.exe	98
PID 5028 wrote to memory of 4352	5028	Caimgncj.exe	99
PID 5028 wrote to memory of 4352	5028	Caimgncj.exe	99
PID 5028 wrote to memory of 4352	5028	Caimgncj.exe	99
PID 4352 wrote to memory of 764	4352	Cipehkcl.exe	100
PID 4352 wrote to memory of 764	4352	Cipehkcl.exe	100
PID 4352 wrote to memory of 764	4352	Cipehkcl.exe	100
PID 764 wrote to memory of 4916	764	Cpjmee32.exe	101
PID 764 wrote to memory of 4916	764	Cpjmee32.exe	101
PID 764 wrote to memory of 4916	764	Cpjmee32.exe	101
PID 4916 wrote to memory of 4752	4916	Cchiaqjm.exe	102
PID 4916 wrote to memory of 4752	4916	Cchiaqjm.exe	102
PID 4916 wrote to memory of 4752	4916	Cchiaqjm.exe	102
PID 4752 wrote to memory of 2596	4752	Cefemliq.exe	103
PID 4752 wrote to memory of 2596	4752	Cefemliq.exe	103
PID 4752 wrote to memory of 2596	4752	Cefemliq.exe	103
PID 2596 wrote to memory of 1248	2596	Clqnjf32.exe	104
PID 2596 wrote to memory of 1248	2596	Clqnjf32.exe	104
PID 2596 wrote to memory of 1248	2596	Clqnjf32.exe	104
PID 1248 wrote to memory of 2216	1248	Ccjfgphj.exe	106
PID 1248 wrote to memory of 2216	1248	Ccjfgphj.exe	106
PID 1248 wrote to memory of 2216	1248	Ccjfgphj.exe	106
PID 2216 wrote to memory of 1596	2216	Cidncj32.exe	107

C:\Users\Admin\AppData\Local\Temp\1fcea2613b43a3da8b77fa8dcf9d1620_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\1fcea2613b43a3da8b77fa8dcf9d1620_NEIKI.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\Boanecla.exe
  C:\Windows\system32\Boanecla.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\Bekfan32.exe
    C:\Windows\system32\Bekfan32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Windows\SysWOW64\Blennh32.exe
      C:\Windows\system32\Blennh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\SysWOW64\Bockjc32.exe
        
        C:\Windows\system32\Bockjc32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Windows\SysWOW64\Baaggo32.exe
        
        C:\Windows\system32\Baaggo32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Bhlocipo.exe
        
        C:\Windows\system32\Bhlocipo.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Ceblbm32.exe
        
        C:\Windows\system32\Ceblbm32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Clldogdc.exe
        
        C:\Windows\system32\Clldogdc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Caimgncj.exe
        
        C:\Windows\system32\Caimgncj.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        25⤵
        Executes dropped EXE
        
        PID:672
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        29⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        30⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        32⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        40⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        43⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        44⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        45⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        46⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        47⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        50⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        51⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        52⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        59⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        63⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        66⤵
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        67⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3232
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        70⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        71⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        72⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        73⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        74⤵
        
        PID:936
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4036
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2528
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        77⤵
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2572
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        79⤵
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        80⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        81⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        83⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        84⤵
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        85⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        86⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2272
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        88⤵
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        89⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        90⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        94⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        95⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        97⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        98⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        99⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        101⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        104⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        105⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        106⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        108⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        111⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        113⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        114⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        116⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        117⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        118⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        120⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        121⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        123⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        125⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        126⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        127⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        128⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        129⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        130⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        131⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        133⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        134⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        135⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        136⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        137⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        138⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        139⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        140⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        141⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        142⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        144⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        145⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        146⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        147⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        148⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        149⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        150⤵
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        152⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        153⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        157⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6632
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        160⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        161⤵
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        162⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6948
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        167⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7060
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6240
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        173⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        174⤵
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        175⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        176⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6832
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        179⤵
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        180⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        181⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        182⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        183⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6964
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        190⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6928
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        193⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6724
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7156
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        196⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 400
        197⤵
        Program crash
        
        PID:7184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6708 -ip 6708
1⤵
PID:6628

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baaggo32.exe

Filesize
42KB

MD5
561848b1eaf819e5c6c1d0af4dfffa6c

SHA1
8c7d1de26f03605d37784c781142505565e595a6

SHA256
4cd2f48351d424f60bfb9ce6d08a2928afebb6f56dd361dc8a03595c856d1974

SHA512
275339eb2739c49597340365af51145d3abc16df3c1abfdc1d087bd5c4fb981b14080475847e19c6f274d016c30dd77ebd49d7aa181375958035fcda2dc148df

Download Submit
C:\Windows\SysWOW64\Bbacqape.exe

Filesize
42KB

MD5
649e292b499b9752cd916615f4967d4e

SHA1
d33dc20ff943e72dbf3f794941ffa0f304449023

SHA256
fc52b908c43c6e975e5bd47f83d66fb6cc4a84466159d00e938aaaa1e82e158c

SHA512
fa22de29fe43f834d606f321e5bd21fbe2606ed7c9ea2dbde4ba60cd1edb60d2ce292dd19f4c7b4227987cd601161510cb0a2f1269cd0f39839d375dcb81b504

Download Submit
C:\Windows\SysWOW64\Bekfan32.exe

Filesize
42KB

MD5
1a14669368c4a534274920f6039c84cc

SHA1
24992fd1ebb9a4cb56bc587494a368cdefa10939

SHA256
c5119e5e5b67975320b9507eb9f602362104730657417ec6b33d6f5e33164736

SHA512
fb4452d1a7f25bb367533625aa0ff6d18f6a740cf4b7fcef102e9e8e8ff53b518c2b5aa0ee0814ae2ac807af0d59a68546bb984349e426893df64f9c07584365

Download Submit
C:\Windows\SysWOW64\Bhlocipo.exe

Filesize
42KB

MD5
eda4f61adbbdefa880fb2627ea003229

SHA1
062f07771818081e05bd788cf95dc4d169de5433

SHA256
4f19e9cd8b44e147b0d8a33af1f66a7a6dbcfdd896cf9ced2f102e93a96ad37c

SHA512
f516e8e7ac1fe8106c107f875ebc175d4336c76d043c41e1db81002ad652e6e354bb0e80f303e6d71458ca1e9f1fbd19dffc8322e4ad1b43233b5a4b4ab51acd

Download Submit
C:\Windows\SysWOW64\Bikkml32.exe

Filesize
42KB

MD5
f9ffb20c6f06d786d2875b4757c7a37c

SHA1
2df7912c3fff902c1c9c073bab73cc4cd97760a6

SHA256
afcc3892c831b8308e307a360263c30a5dc4c58e59fc62a95190b4cf43bc235d

SHA512
725aaf3992b81c63a125d4bb2ec8a37ea05cc59c212347d94919e5c7f0e9b71c5440f34f0bbaf083d932bf40e755e5063afd612a24fa86e7f698b37dc89a1bfe

Download Submit
C:\Windows\SysWOW64\Blennh32.exe

Filesize
42KB

MD5
470b8c7cf53dbc50f302a0f85899700c

SHA1
267e745075acacb56e493064d6dea18e6c4b07db

SHA256
7d90785d86ffa7bfd565a22a3c02bbb86449b82ca75fd7eb9af4dd2aa1114158

SHA512
5959f0d2c8e13e6d324b3d66696460c19317cc57ed8565592d523e4f38ff61ba4fa9db0068266c976492233af3f37ad9f320abfb48e15e1a8b3f1c1ae6ce6e49

Download Submit
C:\Windows\SysWOW64\Boanecla.exe

Filesize
42KB

MD5
5d0e23773ab345954902fb83c8d07327

SHA1
ca106d55241e7ece08ce2374a7634e09085c3e19

SHA256
6a8347f15c7228945cd94552b3e648cfcc2c9cea906fbf564431abe7c55347c4

SHA512
214a532ccd491ef5d0b155c9f1be88af5d4b2b088d5ca6abddd79fff24616a7942407ac3f5e56f54af7debeba205a45ff5e8e40e5739e1bc4e13643a50bdaf17

Download Submit
C:\Windows\SysWOW64\Bockjc32.exe

Filesize
42KB

MD5
106a10e39e33692d5e2ec99fe38081d1

SHA1
2065585d71d56aa4c0ac150347bb7fdd5fc72c9c

SHA256
3350f5da454de9babd1e39cfeee137356cedf8480b9ba8987cdb909173907688

SHA512
436fabbfbf420f68ee6869667a07d6cf80842906eeb562aef65cec9ae932589e25d5185fb7d52cc239be9a0590b09d1b98546c283c77fbdcd0b652b5ed9c8399

Download Submit
C:\Windows\SysWOW64\Boegpc32.exe

Filesize
42KB

MD5
8fd86a72e6240f54ac93a2e0298c5011

SHA1
e31f8d0d113cf266b29fd4eb4c6c567662f3ce3f

SHA256
06dbc5e215da407813549ad7f22fc4e7c207e60c31fbb734fa1406b86bedc84b

SHA512
4e6578a76e98011b8016b55f4edffa266d8c0174195ca75df5e99ed34f72a459a608e3948de59c5ea002591e3a0d675239e453dbaab6ed3835d68bd56525135c

Download Submit
C:\Windows\SysWOW64\Caimgncj.exe

Filesize
42KB

MD5
ff6e5d22e14875c3ec001f92e47f0d1b

SHA1
a759413ee7ceb4df9788a2bb900519424bfaabb7

SHA256
6e672d6604bd9f8c34d16f0b038dfbb5bed63ee470454c742f5cc0ff63a01c9b

SHA512
17d8edf8985606f47430819cb9fede0bf0fe831dcedfff3b4f26b3f74faa216ba6592c5aaae54ceb49d65424e590aca478cb329778a32731e075b9f1b7853946

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
42KB

MD5
3fd9d8d5afbafc317b9741c53ec77ccf

SHA1
55e97d6ab3c74102d834ced75a05d4890284e39b

SHA256
cb0959f82a0001d18c629389a45242e79414ac2bed3f809862aa51d239edc338

SHA512
24a198cef9ab7e2b89b0bc8c24ae58e6829f3e05ed7e6510ac36c6ebfc040a93c667ba02f0587f97d2c9ab12bcd3ef080e6e0720964660aab44299c84ac07ca1

Download Submit
C:\Windows\SysWOW64\Cchiaqjm.exe

Filesize
42KB

MD5
83c6915af7ca4d82016f50baf22cc96c

SHA1
86e593f5426b0cdde9838d277061e9413efced56

SHA256
5a3f6099dabb522f7941d34b7f9f69a89111135cef35982545f7b888db517f82

SHA512
d544aca734449d5e6db32255b90676756d1f3ed9398360c425b0f7f16ed5bd3353a5748c8b00d52500d544ffe6a16ae55cee90de55d8dbbbef37f0a6f298bc0a

Download Submit
C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
42KB

MD5
1ab929651a3b0004b51aa10c4aecfe3f

SHA1
b0eaf8ad3effc15e1f1593d25f987ed94dff7dde

SHA256
97a50e371484e0450b49718c531a81b27e1e67dc1ef0992065e584b43b2756c4

SHA512
cb1a29ba374a0044b3890fa30c661a334edacceff2111c0c1703e8e4b33ffee6cfd72c7c10bf907dbd72c1b327b245ed888085dfee7505cbe299d07d54e982f7

Download Submit
C:\Windows\SysWOW64\Ceblbm32.exe

Filesize
42KB

MD5
ffb8479459e5f2bba576f15bb89abbe5

SHA1
5580505fa10dcfb0240a3d67fd4a631865274b4e

SHA256
a6d1359546b322d5920a59b6d886f1c62c6ba204f989481c7c641ba6763cf672

SHA512
aec4ca052208fe8e48dde0e90b8f281d8911495bd54cc3f09157c9e563a9ab9ca61a6a03cfc45104580892713ce7d491ad6c0b485a8d8916f868489b4ad8bdd4

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
42KB

MD5
383e3865003ec5f3cc70a0863c1d8d02

SHA1
d8321fd059ca9f88ba1b3e91580538d68f4f7b05

SHA256
61e008b6e1a72dd6c5a843698913c14cae172f60aa94fe4a9cc6617195950105

SHA512
a78c44fb53644e3feaef6bf50052e60165bcaa36906a36858adca9f4a531d8d44e59ce3e7633275b4624afb0da563745ece0b53ddc6ef1b25693a5b086ad4768

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
42KB

MD5
364b0a671903ea44ab72acd049884941

SHA1
aed2145b4e9c31bb6485df3ae2098b62418de275

SHA256
37f29cb0bc7b2791998743c4973d60ae6f7cfb85383e79c9b9cc092b34d4893b

SHA512
12e3fdd191934b264ada31a8c84ce0e7d583aaa0050bd443b5a2bd76c6c46dfce9c59954ad5ce81a3b11e425c7ed9cb98e8846f1c6659671bf8c7ff513e964bb

Download Submit
C:\Windows\SysWOW64\Cipehkcl.exe

Filesize
42KB

MD5
0c7abe7eed8ca658478d8da4e42fac2c

SHA1
9085f70aff83220428299100a623c0e99dff13f3

SHA256
bcf3c882cb66d24c07e6407471171355b35a8a4abe5bdc6d557f4a59102dbf5d

SHA512
7da3978a762a6b4aaac502a036e12649d4ae30df19f331b9748638b44ca45f97c9e9b6ad422a20d6d19d7fb8440773cda5e629f35e00b6bebe3db35debbca8b5

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
42KB

MD5
7360b521f7eb283085cc8ffea307f03e

SHA1
b2cf697780167cd8be3c17821c60dffa12904720

SHA256
094cd22c316de22274760e8633bc8ed06663a39a7261e5bf19c7791ce86bdbc2

SHA512
70ba6dd7584d073ef327cde9859e2a5f133c9a0f1ee74857c38c01c0c26b842924df98074c1363f2e64558f014433f3bfa5afbf9f31254f482b992b586356f3f

Download Submit
C:\Windows\SysWOW64\Clldogdc.exe

Filesize
42KB

MD5
ca65b312b9b259aa6e73c7e99ffe4f2c

SHA1
4726cecae4413cdae52df94dbbfbb2337406583a

SHA256
089e9603871bfbc2ad5244c8f100dc78d1b9275656add8729204d88b1be083f6

SHA512
0c03cc539c413a99e17f18e5e77d5f1d861323989863d072f23ab94bba27c3ef61b2c9f1342721d65bc222592bf0b6cacb9efb394aa96f733c897f8991a40bf6

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
42KB

MD5
a7dc44e70bbafb3a2c73c4c317969698

SHA1
3b9c6e1c3cd8bbcf6b34711bac5e1124c448142e

SHA256
43aaa5a043af0495d2839d8a424a4bfb2f0354354d062bfb3703981a4ce16515

SHA512
789446ff8b1ab6ec39ba5336cb389f2b0cf3bf0edb40d4bfca77ed996b943baa66296bc206a55710b8130d9bb2bf4467392de5af49d826b94642b7e9696574a0

Download Submit
C:\Windows\SysWOW64\Cojqkbdf.exe

Filesize
42KB

MD5
f6d3fde590ca01b995a439769f33ce56

SHA1
929e41e77030e3e5dd1861961dd413ad65d83d67

SHA256
37994117c7f6b015d11c58f9a5305e68b13c0f8597ce449f6c773885703094b4

SHA512
4c8885b82a91028b36e2dc328617b9ce91459a3bd027f11c379abd42e5d4ed3f2d9f7315562822f9750c7f3e93580d0453caf18cfa2d0dc53c43be80abf7dcb6

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
42KB

MD5
f583997ead8a5c0690088ada6f4e3e2a

SHA1
352f34d919873477a948cd7fe9133597f763545c

SHA256
61cf26eebebd13752caa53ea132506acfc303bf5e58ae46c457a3e8f24ac34b4

SHA512
6b1991f4178aa32857f81e92443e2a1525b22a55a0a8e111e7cd4a680345ae34306c337107517fe40b51209b67c4ddb03f605082ea51e6d4ed9153b279a8a2d0

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
42KB

MD5
394afe59c5be9fd301311e420509f731

SHA1
5bc081f5ad95feac1e6dff6b7141aeec75760c89

SHA256
c5f99bc880a363138e27a9822b76320fe2ae2af74b574601dd15476dccd4b057

SHA512
274a7ab8f6a37e810429b89658cba37c6e00df986160d4f6eb64d9b404a48c0a68587be5421154e55638eecf261d9cc68a8ada9307158eeb260d89ae4663cac0

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
42KB

MD5
23102e450f7a060c0cae6c1c4c83221a

SHA1
e9733074a41ce08f4f3aed1d6bb3c5a7a793c111

SHA256
a62436bce13108e9c33cf5198a1960567d7471dbe8445b76f76374717a1d2a54

SHA512
711c6cb39edff81d71f06b83949cae9dfcedbd86e7d4658fe11077fa82fd263a92c7885f0eb882c07dd2746a4d7362a90f0590576bcfc4349715b16bebb16290

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
42KB

MD5
6a13bda21125cf5795584b08dd1c7188

SHA1
fc4560246098a9dea35ff60dd7fe9bc6f7edef3d

SHA256
8fdfd7bc85fe05d623ca780b91923476b51b7ca6d0d1ba9c996fe5cdd877d17e

SHA512
5244aa3b457e18448ec5ebfcfb453f6db8dcab4a6488f50b578e17b0f2982eb5630545d91e114767d01285165b72a7ab8eb6899c0a9c63bd88275d8aefd2313a

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
42KB

MD5
108ec0c4aba41c2859db22eac437e52b

SHA1
cc531e59a179209df472b6e8045c459f135ea3b5

SHA256
4b798b0b611bf05284d26b54e7f0b57e84704d2accf92bfca0e94a042aaaebf0

SHA512
b1cd4c4f48c7d60772d37fd11b4a9c3ae1782ab46a9dea0d8c9985258c6bc110a2176319bcdee166569e4ca01ef864ce6f0f09d91feed38f8045888c3f8c20d4

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
42KB

MD5
19ee14e1031a1def92fd76c4bbed2cd8

SHA1
4025a3b6b10d3215a999b8a0852e63ba2fc9dc89

SHA256
87e43ecdd4e7b8217ad8fd76c1e5eb8202f921b472d612d2a068f2170f4a7fc6

SHA512
c2684b64e3471931727f30c7f9fc3a7eec5f8bb6c6860f39392fdfb68417e64d9b9267e20eb79dcba57dadcb0065f4156376d3a3f753af86b8d40dde2ecec769

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
42KB

MD5
671aea1919d5179d71181647c113f03f

SHA1
84b0499edb82e74b10562efe6c1945e1abed4689

SHA256
dd7e0d58a96a197c7299507d5b06812ef8c45b5a00c93661b53c445bc6ecfbcb

SHA512
fb4f1819739555799c8f77bc2dcf5c472abb869c29d35416ded7af1800b552659711fe33e776d1ca2aad3c1d868f504d891e1e9beb518274014a05e1d62a8b33

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
42KB

MD5
467f8b74d764b8dd00daee0fe55bd6a8

SHA1
b77cf5eda3f87727cb88f3c1fde3eb9a186a942e

SHA256
45e71b0b45cf6cf30aae8a22c22b988e892268223c7b8c66c07c8d102559f104

SHA512
2b6b14acef67a7b85490f134eb17b6c11e71871887d1fed314c1be9f8d25b8345ae2608ebf4c96c3bf2ecf47f29a9abf9b7b0392fd64cd32ac705ceac926ca4f

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
42KB

MD5
b97c3e3dd3dd439c8a1fbdce47e60ff3

SHA1
384ce13e48781c9e36805528c4a9bc5d68c0018c

SHA256
7de04f79539f744794a86beedc4ecae159d73235bb351409d54c254336949a90

SHA512
c2dcddbe226053ba41fba015267c0bcf39c1d20547c334a27fbc604f908f9dff7d4b7e7bd71e89c2ce6bd40b4fd29e630f3a1147ea36f82e32dc818268edd841

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
42KB

MD5
243fdf70a35cf9426539f162bfe33e3b

SHA1
f7561e17fde4d9a4b566406f7697f29a96b3f695

SHA256
be949219d74da7d02fcad5899584293d6b32204a03f0a519d1d61f18697b1d86

SHA512
bc12a444f8f07f54a1b70b731399d6985f1f6bab683fa92bb00ea49db42b52d46aef63a18df2c3c8fba7e81ec02b82c3cad02627b08a817f3fadf439f007e9f3

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
42KB

MD5
b83a2499e326899b86aecd632bb32a60

SHA1
6c931cc953a1f7aada3d19731bea78ee594c567b

SHA256
7b594c6704b84b8c29f8332af146be02dbdd68f8bcbe393dfdf9c1ef782fdff3

SHA512
a2c7c450e0bbb2b1787149e35a0f27cd350eee05416ca64905d37d59daac585ee5f162394a17db69c62b0d868acc314451a4e017d35ad31a7e5283da99c27695

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
42KB

MD5
063ced8e3024d1e07dfc082163519827

SHA1
09da3a7a8c2fb3237b6a93164aeae1f37e7a2c79

SHA256
ff8e64754a8e7ba2af9efc1fe2398dbcb71ce8d4437ed0dbdfe6a67de723b398

SHA512
a81927038c79877588b5cbe17901985ed4d2ebdd330be4730dc3289bf73ba634885f78060074e83ce70c48418ededcc404a69e2108b0eb67f053639e31fc0bef

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
42KB

MD5
c9bcc6625d1464c6f575b48256ccfd6b

SHA1
3c321f21c27788cd763bb2ad75dbe75923c4ef88

SHA256
8238971777d02d4617a691e78fd35b7976201213e9c36b4930a90bbc5e4d70c6

SHA512
5db2c31d4ccc0acee5649358c4284c18ef416f29a1d5b19dd477a6a4955039866a12424949dd83906bc53b1629f8a70e2a77ea4f68657646fe94a09d0a7d7d37

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
42KB

MD5
41c0afc6f7917332025c5d853aec3877

SHA1
f2006da78ae05a54625a6b34be67b5f197822a36

SHA256
5189d9740e031cbee743a6d6cf65c53b99ae6e5e5897014937ba87098914f334

SHA512
9614f4d76031c719265ecfd57f8a4079b7da01e5be6274169536fe67ad43cbeab9cb8c3d9dd64f5130356478f477561023aa8c82270e2e1498239a8ee5f559f0

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
42KB

MD5
aea907c3017f8355d7d150d62761b040

SHA1
6852f585e3910844ccc18c40c4bf99b04a9e20ab

SHA256
ed48b126dbcb65543afa17e52935deb459dfa7aa9346a5c52759b1bafc990fb2

SHA512
43c39d1f4c921e48a4be326a9c5339527a2175a0f1e1079dcf88f6d1a8649a458087025998c321e3859644859113850edfe323c660daa0000da8c7338377d9e9

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
42KB

MD5
2e7193db5eda79609661fbf57728d170

SHA1
304bb4b7b418d3f5d29b6429cdd4b693f3cb18fb

SHA256
c68a8a5256b1ca3c36be418a3fb171247a3d3d0f215aced88174abbcefc587ce

SHA512
b897ee8364a4d163aa442b61f8f7c5d572bdcb00947763faae9781836bcf0455927977a45385adf2a9836de73fe00b447928fc74156e506a6b6750333e6591d8

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
42KB

MD5
d4fc194021cd5db03a237628f2995842

SHA1
e5966269bf2449542906fbafc38719c9eba33599

SHA256
0a5c911d8b4a64d32c34a0accdd3349502021cebd48c4ebe3f8e556f315c4307

SHA512
87911fd36adfafbcd4f93964c8282ab91333fda62a2b7bb218c379cf51d651916c0ecb2b4c3dc4c1c930f10769609905777d57ba45c32e9a50376e870584d468

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
42KB

MD5
d5dffdf8ea8a712e38c1dc3e89cb5c83

SHA1
a192d2e6fed46958c9d74a0a3d534558aeeea03e

SHA256
fb019e691a3705c243186442eafe5734633363eef23b4c6d3ea31d765f53d92f

SHA512
c21d858d7e41a54be6e23686525ab9e604bcf417dd8cd910ab2256d03ded4f966896af9d1fe413c7bb9887f2f6aca16d2ce620b518812ea4214eb4c1260d5fef

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
42KB

MD5
6da1e7b40061242bb70c204cca2658c1

SHA1
7132797165b2e16f4d7e15dfffd6f948b453c4e1

SHA256
93b0e10cfea86436a6a457f32c464824613cb7444cb45fc288b7ddea59d74a0e

SHA512
1cd71dc6d61205c6c64e54e3437833f01ec68c934fdaafd9ecaae85685d767ab859cfb2b493df2ff4f018c18989a3927730bbfa28f2ec0a710433f2a50380f60

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
42KB

MD5
8aa299a4e9781fe4f7388773e7f684ce

SHA1
55b812a52872a49cea0db708d0f0caa32e0e1ca9

SHA256
8e8a01ee14204400daf55315e305c1f90d01fb894479bb58624e226c8ad1faaf

SHA512
c667c8e44d030aec594fa8c5b5a301edcf04d8105efcaaf82e11df5ee41bb78505efed0d848fe3d499ae2d9e7a8bed5e657a72e49fbf1df12b1d63fe5dc8ae49

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
42KB

MD5
fedd23b636d0c77614865e023e0752f2

SHA1
2f4ad94827d1163a6830df6d6f0a77b0f2f29a61

SHA256
c505fbff65408ce85a95f17f1e742cb8109349bdb487752f449df3db9045ab6b

SHA512
80e99d1d171e037bb9a7f4ec81ed80d323410ec49d7d1952d4c6d8b674e214b50bd4dbfe514e7cd02c2cd77bb32700933dab3ea305fb044fb1e4a78c7c7f6254

Download Submit
memory/228-568-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/368-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/388-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/388-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/672-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/764-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/936-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1256-588-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1256-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-528-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1816-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1836-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1884-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-589-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-567-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-581-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-582-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-510-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-522-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-336-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-420-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3160-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3204-541-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3272-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3312-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3540-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-595-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3764-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3852-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-486-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3992-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4436-516-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-540-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4720-384-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4868-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4936-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4936-574-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4972-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4984-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-553-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-432-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5104-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5792-1412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6440-1352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads