afc5ddff73997803b460e50f8c776acec14f0683b67794aa06f418f92c61ce1b

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 06:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eeae3028f5ca9d07c3c2f6c61dd39020_NEIKI.exe
Size

88KB
MD5

eeae3028f5ca9d07c3c2f6c61dd39020
SHA1

20061af5fa32ed7898747247adc894dce9276689
SHA256

afc5ddff73997803b460e50f8c776acec14f0683b67794aa06f418f92c61ce1b
SHA512

40a9bfbdeb0e9fca8fdb53135c6049770efc26c853de52cf5d9fc890223efd6630315d22c016a002b831ff2c048d455b20e6d1e129a45064028bbb747eb07660
SSDEEP

1536:REbi2mNurT4xL01GHDOfHE3g9MrAaLg2S+JzC1uiGep13nouy8L:RSBr8xBjO83g9Mka7S+FEB1XoutL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hefnkkkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogjdmbil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklbdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llodgnja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqimikfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnmopk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnmkfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eblimcdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmipdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhnikc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpbpbecj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpode32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kncaec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpcdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncqlkemc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lndagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hiipmhmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbohpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmipdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljfhqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlgepanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoaojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaekqhh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nclbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkgje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofgpikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibhkfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lggejg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkhnjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gblbca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onmfimga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnmkfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Domdjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eofgpikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaekqhh.exe

Executes dropped EXE 64 IoCs

pid	Process
3620	Lklbdm32.exe
3540	Lnmkfh32.exe
3724	Lnohlgep.exe
3824	Ljfhqh32.exe
1364	Lndagg32.exe
3468	Mnfnlf32.exe
2760	Maggnali.exe
1804	Mmnhcb32.exe
616	Mjahlgpf.exe
1372	Mkadfj32.exe
3608	Nghekkmn.exe
3092	Ngjbaj32.exe
1412	Nlhkgi32.exe
2092	Nhokljge.exe
4840	Ndflak32.exe
832	Najmjokc.exe
4076	Adkgje32.exe
3100	Bhnikc32.exe
4392	Bddjpd32.exe
4452	Bdgged32.exe
3924	Bffcpg32.exe
2108	Camddhoi.exe
1564	Cfkmkf32.exe
4244	Cbbnpg32.exe
1392	Cbdjeg32.exe
4136	Cfbcke32.exe
5008	Domdjj32.exe
3644	Dnbakghm.exe
1444	Doaneiop.exe
4412	Dkhnjk32.exe
4780	Eofgpikj.exe
436	Ekmhejao.exe
392	Eiahnnph.exe
1692	Eblimcdf.exe
3348	Fbpchb32.exe
3464	Fnipbc32.exe
4684	Fpimlfke.exe
4480	Fnnjmbpm.exe
3152	Gblbca32.exe
1012	Gppcmeem.exe
2960	Gpbpbecj.exe
2324	Gfodeohd.exe
1620	Hfaajnfb.exe
4760	Hefnkkkj.exe
4632	Hbjoeojc.exe
2816	Hoaojp32.exe
4472	Hbohpn32.exe
4604	Hiipmhmk.exe
688	Imgicgca.exe
3616	Ibhkfm32.exe
4616	Ioolkncg.exe
3648	Jpaekqhh.exe
4004	Jlgepanl.exe
5068	Jngbjd32.exe
3632	Jniood32.exe
1188	Jjpode32.exe
3704	Komhll32.exe
3952	Knnhjcog.exe
1628	Keimof32.exe
3380	Koaagkcb.exe
4456	Kncaec32.exe
3476	Kgkfnh32.exe
1988	Klhnfo32.exe
1160	Kcbfcigf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qacameaj.exe	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Aciihh32.dll	Mkadfj32.exe
File opened for modification	C:\Windows\SysWOW64\Panhbfep.exe	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Fbpchb32.exe	Eblimcdf.exe
File created	C:\Windows\SysWOW64\Ndmdae32.dll	Hefnkkkj.exe
File created	C:\Windows\SysWOW64\Mcpcdg32.exe	Lggejg32.exe
File created	C:\Windows\SysWOW64\Ekppjn32.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Gfodeohd.exe	Gpbpbecj.exe
File opened for modification	C:\Windows\SysWOW64\Hiipmhmk.exe	Hbohpn32.exe
File created	C:\Windows\SysWOW64\Pccahbmn.exe	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Qgaeof32.dll	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhkgi32.exe	Ngjbaj32.exe
File created	C:\Windows\SysWOW64\Bddjpd32.exe	Bhnikc32.exe
File opened for modification	C:\Windows\SysWOW64\Oaifpi32.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Paiogf32.exe	Pjpfjl32.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Bffcpg32.exe	Bdgged32.exe
File created	C:\Windows\SysWOW64\Fiboaq32.dll	Domdjj32.exe
File created	C:\Windows\SysWOW64\Kbjpeo32.dll	Mfhbga32.exe
File opened for modification	C:\Windows\SysWOW64\Bdgged32.exe	Bddjpd32.exe
File created	C:\Windows\SysWOW64\Gpcpel32.dll	Jjpode32.exe
File opened for modification	C:\Windows\SysWOW64\Nagiji32.exe	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Ojdgnn32.exe	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Baannc32.exe	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Dafppp32.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Ibhkfm32.exe	Imgicgca.exe
File created	C:\Windows\SysWOW64\Dempqa32.dll	Nagiji32.exe
File created	C:\Windows\SysWOW64\Ndflak32.exe	Nhokljge.exe
File created	C:\Windows\SysWOW64\Qofmkc32.dll	Ndflak32.exe
File created	C:\Windows\SysWOW64\Komhll32.exe	Jjpode32.exe
File created	C:\Windows\SysWOW64\Ekiapmnp.dll	Cnhgjaml.exe
File opened for modification	C:\Windows\SysWOW64\Ibhkfm32.exe	Imgicgca.exe
File created	C:\Windows\SysWOW64\Mhegobpi.dll	Ibhkfm32.exe
File created	C:\Windows\SysWOW64\Jlgepanl.exe	Jpaekqhh.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Chiblk32.exe
File created	C:\Windows\SysWOW64\Mjahlgpf.exe	Mmnhcb32.exe
File created	C:\Windows\SysWOW64\Mkadfj32.exe	Mjahlgpf.exe
File created	C:\Windows\SysWOW64\Pfnmog32.dll	Gblbca32.exe
File created	C:\Windows\SysWOW64\Amlogfel.exe	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Boenhgdd.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Ghdief32.dll	Ljfhqh32.exe
File opened for modification	C:\Windows\SysWOW64\Cbbnpg32.exe	Cfkmkf32.exe
File created	C:\Windows\SysWOW64\Gkjdipap.dll	Llodgnja.exe
File created	C:\Windows\SysWOW64\Baiinofi.dll	Nmipdk32.exe
File created	C:\Windows\SysWOW64\Qacameaj.exe	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Lnmkfh32.exe	Lklbdm32.exe
File created	C:\Windows\SysWOW64\Lfipab32.dll	Eofgpikj.exe
File opened for modification	C:\Windows\SysWOW64\Fnipbc32.exe	Fbpchb32.exe
File created	C:\Windows\SysWOW64\Hilpobpd.dll	Monjjgkb.exe
File opened for modification	C:\Windows\SysWOW64\Ogjdmbil.exe	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Aajhndkb.exe	Amlogfel.exe
File opened for modification	C:\Windows\SysWOW64\Mogcihaj.exe	Mcpcdg32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhiemoj.exe	Apodoq32.exe
File created	C:\Windows\SysWOW64\Bghgmioe.dll	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Jkchlonc.dll	Cbbnpg32.exe
File created	C:\Windows\SysWOW64\Cmpdihki.dll	Fnipbc32.exe
File opened for modification	C:\Windows\SysWOW64\Pjpfjl32.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Cdkifmjq.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Lhnjoi32.dll	Fbpchb32.exe
File opened for modification	C:\Windows\SysWOW64\Kncaec32.exe	Koaagkcb.exe
File opened for modification	C:\Windows\SysWOW64\Bffcpg32.exe	Bdgged32.exe
File created	C:\Windows\SysWOW64\Doaneiop.exe	Dnbakghm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3828	5276	WerFault.exe	223

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjamhbn.dll"	Doaneiop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnnjmbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okehmlqi.dll"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnohlgep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmnhcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemnff32.dll"	Jngbjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbbnpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eiahnnph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hefnkkkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbeojmh.dll"	Mcelpggq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbcke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	eeae3028f5ca9d07c3c2f6c61dd39020_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfnlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angdnk32.dll"	Cfbcke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eofgpikj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlhkgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hoaojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqmiic32.dll"	Hiipmhmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ignlbcmf.dll"	Jniood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agchinmk.dll"	Adkgje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll"	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbpchb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmdgikhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklbdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngjbaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adkgje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	eeae3028f5ca9d07c3c2f6c61dd39020_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjdipap.dll"	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiqnh32.dll"	Bhnikc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgkfnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mqimikfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbjoeojc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefjbddd.dll"	Jpaekqhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gblbca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjghl32.dll"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfgmnfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eofgpikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjhjm32.dll"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenpmnno.dll"	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll"	Cdkifmjq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 3620	4796	eeae3028f5ca9d07c3c2f6c61dd39020_NEIKI.exe	91
PID 4796 wrote to memory of 3620	4796	eeae3028f5ca9d07c3c2f6c61dd39020_NEIKI.exe	91
PID 4796 wrote to memory of 3620	4796	eeae3028f5ca9d07c3c2f6c61dd39020_NEIKI.exe	91
PID 3620 wrote to memory of 3540	3620	Lklbdm32.exe	92
PID 3620 wrote to memory of 3540	3620	Lklbdm32.exe	92
PID 3620 wrote to memory of 3540	3620	Lklbdm32.exe	92
PID 3540 wrote to memory of 3724	3540	Lnmkfh32.exe	93
PID 3540 wrote to memory of 3724	3540	Lnmkfh32.exe	93
PID 3540 wrote to memory of 3724	3540	Lnmkfh32.exe	93
PID 3724 wrote to memory of 3824	3724	Lnohlgep.exe	94
PID 3724 wrote to memory of 3824	3724	Lnohlgep.exe	94
PID 3724 wrote to memory of 3824	3724	Lnohlgep.exe	94
PID 3824 wrote to memory of 1364	3824	Ljfhqh32.exe	95
PID 3824 wrote to memory of 1364	3824	Ljfhqh32.exe	95
PID 3824 wrote to memory of 1364	3824	Ljfhqh32.exe	95
PID 1364 wrote to memory of 3468	1364	Lndagg32.exe	96
PID 1364 wrote to memory of 3468	1364	Lndagg32.exe	96
PID 1364 wrote to memory of 3468	1364	Lndagg32.exe	96
PID 3468 wrote to memory of 2760	3468	Mnfnlf32.exe	97
PID 3468 wrote to memory of 2760	3468	Mnfnlf32.exe	97
PID 3468 wrote to memory of 2760	3468	Mnfnlf32.exe	97
PID 2760 wrote to memory of 1804	2760	Maggnali.exe	98
PID 2760 wrote to memory of 1804	2760	Maggnali.exe	98
PID 2760 wrote to memory of 1804	2760	Maggnali.exe	98
PID 1804 wrote to memory of 616	1804	Mmnhcb32.exe	99
PID 1804 wrote to memory of 616	1804	Mmnhcb32.exe	99
PID 1804 wrote to memory of 616	1804	Mmnhcb32.exe	99
PID 616 wrote to memory of 1372	616	Mjahlgpf.exe	100
PID 616 wrote to memory of 1372	616	Mjahlgpf.exe	100
PID 616 wrote to memory of 1372	616	Mjahlgpf.exe	100
PID 1372 wrote to memory of 3608	1372	Mkadfj32.exe	101
PID 1372 wrote to memory of 3608	1372	Mkadfj32.exe	101
PID 1372 wrote to memory of 3608	1372	Mkadfj32.exe	101
PID 3608 wrote to memory of 3092	3608	Nghekkmn.exe	102
PID 3608 wrote to memory of 3092	3608	Nghekkmn.exe	102
PID 3608 wrote to memory of 3092	3608	Nghekkmn.exe	102
PID 3092 wrote to memory of 1412	3092	Ngjbaj32.exe	103
PID 3092 wrote to memory of 1412	3092	Ngjbaj32.exe	103
PID 3092 wrote to memory of 1412	3092	Ngjbaj32.exe	103
PID 1412 wrote to memory of 2092	1412	Nlhkgi32.exe	104
PID 1412 wrote to memory of 2092	1412	Nlhkgi32.exe	104
PID 1412 wrote to memory of 2092	1412	Nlhkgi32.exe	104
PID 2092 wrote to memory of 4840	2092	Nhokljge.exe	105
PID 2092 wrote to memory of 4840	2092	Nhokljge.exe	105
PID 2092 wrote to memory of 4840	2092	Nhokljge.exe	105
PID 4840 wrote to memory of 832	4840	Ndflak32.exe	106
PID 4840 wrote to memory of 832	4840	Ndflak32.exe	106
PID 4840 wrote to memory of 832	4840	Ndflak32.exe	106
PID 832 wrote to memory of 4076	832	Najmjokc.exe	107
PID 832 wrote to memory of 4076	832	Najmjokc.exe	107
PID 832 wrote to memory of 4076	832	Najmjokc.exe	107
PID 4076 wrote to memory of 3100	4076	Adkgje32.exe	108
PID 4076 wrote to memory of 3100	4076	Adkgje32.exe	108
PID 4076 wrote to memory of 3100	4076	Adkgje32.exe	108
PID 3100 wrote to memory of 4392	3100	Bhnikc32.exe	109
PID 3100 wrote to memory of 4392	3100	Bhnikc32.exe	109
PID 3100 wrote to memory of 4392	3100	Bhnikc32.exe	109
PID 4392 wrote to memory of 4452	4392	Bddjpd32.exe	110
PID 4392 wrote to memory of 4452	4392	Bddjpd32.exe	110
PID 4392 wrote to memory of 4452	4392	Bddjpd32.exe	110
PID 4452 wrote to memory of 3924	4452	Bdgged32.exe	111
PID 4452 wrote to memory of 3924	4452	Bdgged32.exe	111
PID 4452 wrote to memory of 3924	4452	Bdgged32.exe	111
PID 3924 wrote to memory of 2108	3924	Bffcpg32.exe	112

C:\Users\Admin\AppData\Local\Temp\eeae3028f5ca9d07c3c2f6c61dd39020_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\eeae3028f5ca9d07c3c2f6c61dd39020_NEIKI.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SysWOW64\Lklbdm32.exe
  C:\Windows\system32\Lklbdm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\SysWOW64\Lnmkfh32.exe
    C:\Windows\system32\Lnmkfh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\SysWOW64\Lnohlgep.exe
      C:\Windows\system32\Lnohlgep.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3724
    - - C:\Windows\SysWOW64\Ljfhqh32.exe
        
        C:\Windows\system32\Ljfhqh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Windows\SysWOW64\Lndagg32.exe
        
        C:\Windows\system32\Lndagg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Mnfnlf32.exe
        
        C:\Windows\system32\Mnfnlf32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Maggnali.exe
        
        C:\Windows\system32\Maggnali.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Mmnhcb32.exe
        
        C:\Windows\system32\Mmnhcb32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Mjahlgpf.exe
        
        C:\Windows\system32\Mjahlgpf.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\SysWOW64\Mkadfj32.exe
        
        C:\Windows\system32\Mkadfj32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Nghekkmn.exe
        
        C:\Windows\system32\Nghekkmn.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Ngjbaj32.exe
        
        C:\Windows\system32\Ngjbaj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Nlhkgi32.exe
        
        C:\Windows\system32\Nlhkgi32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Nhokljge.exe
        
        C:\Windows\system32\Nhokljge.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Ndflak32.exe
        
        C:\Windows\system32\Ndflak32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Najmjokc.exe
        
        C:\Windows\system32\Najmjokc.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Adkgje32.exe
        
        C:\Windows\system32\Adkgje32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Bhnikc32.exe
        
        C:\Windows\system32\Bhnikc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Bdgged32.exe
        
        C:\Windows\system32\Bdgged32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        23⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Cbbnpg32.exe
        
        C:\Windows\system32\Cbbnpg32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        26⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        33⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        38⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        43⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        44⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Hoaojp32.exe
        
        C:\Windows\system32\Hoaojp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        52⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        58⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        59⤵
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        64⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        65⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        66⤵
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        67⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        68⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3368
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        71⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        74⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        75⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        76⤵
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        78⤵
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        79⤵
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2308
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        82⤵
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        83⤵
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        89⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        90⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        93⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5612
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        97⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        98⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        99⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        102⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        104⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        106⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        109⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        112⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        118⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        120⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        121⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        128⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        130⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 420
        131⤵
        Program crash
        
        PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5276 -ip 5276
1⤵
PID:6128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4580 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:5596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adkgje32.exe

Filesize
88KB

MD5
d330cc0e93eb68a28a3e7ff95e110654

SHA1
9e2239ed4ec8c4fa92f169f9b96809c7334aa113

SHA256
862f88578b23012f685b6993cf6f88ec025994711684323ccf2b2cd954807009

SHA512
d7b9fb5ce95a91e64caae215288a22cdf816d8d41d5072788248ec11c1abba3f5c9c24900b12a9d25390e7a37bd842fdda16c59b5f140346e41c86127f65cba1

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
88KB

MD5
c00585dec6b67b6ffe2e5487d80eff45

SHA1
a46447c5c7f834cdb92bf5c66fd9ec5bad566ff1

SHA256
b923b0b9aa70339fc064b4be960d4c9811e3f5753e7cd096fc829784e3affb09

SHA512
e4552f1cca6d89bb58b6fb5a00e047b7fed32dd5f94232891ed52760a7da3659dba4d926aa7a01f7cfef7aa2a8f6403696af731f4bc5de257e090a8eb21e63ea

Download Submit
C:\Windows\SysWOW64\Bddjpd32.exe

Filesize
88KB

MD5
626aaa99007aaa699e95497a7239c520

SHA1
dd4a1bbc7040a20908c5b476bc7d0bb8bf08f380

SHA256
7ebc2a5bb9e9b6cb6b7df93b8b271e1aa5ff856c7e6ffae3e3312b90c88ef678

SHA512
becfd929ea17a549032057b157db62a4a234cbddd3f7361a2462c9b0850601ad1c0e29d2989cfea126dbac637f07db54edbb7ace364c8c4c15fe2cb870e17c08

Download Submit
C:\Windows\SysWOW64\Bdgged32.exe

Filesize
88KB

MD5
2acef5b048318e78c00e733e6d3d5c09

SHA1
d2a1d44ffa5a8ba7dd168722e853c6de8e4077d1

SHA256
83e222ab596d9b3637e224ff2f34791590b7bae0f3f2f1aa6cc781f4a19f9d6c

SHA512
5aee410ab20fed12b921dd982e13a2d5acc4e74e595990384311a22748b1190c8aa3bee2a58ece88ea0743a33d35ecc7dfd40b2bedfc583fe32c93f239e4df20

Download Submit
C:\Windows\SysWOW64\Bffcpg32.exe

Filesize
88KB

MD5
01441a0eba6f27fc1a198070c46e210c

SHA1
261cdb407517f822c8630ac3627aa4b345e5958a

SHA256
711cd8f5665207607a48b09b2a18f28e14cdfa89342ab882016f8ca2f04d3ec0

SHA512
46729d09a4ceb915fef39e181892b22b1f8824be04e58dfc7f9c5314435853ab1f90676a5eca336c8bbcfacd812f90720c3e73e3c2ef4873e50dbdc3f2f57352

Download Submit
C:\Windows\SysWOW64\Bhnikc32.exe

Filesize
88KB

MD5
72e78ae5f521601d4a9c271194a8a5fc

SHA1
1173919095addcc4abaaf27104b13e158adb3779

SHA256
06070f2693c9405837894a76aa638b455eaf7e2a0d06bbd1111e9db1f5015e3e

SHA512
5d1694be47a72cce4c0580101d25f7d069bdc0824d7cb090c1436261f7fb76362182857b2852d31e56a01ff36901c20325d99003b63fe9cc3d7e4e01d129bee5

Download Submit
C:\Windows\SysWOW64\Camddhoi.exe

Filesize
88KB

MD5
73bc9ab23a5a507fd2b62b92dbc80deb

SHA1
fc516b85a08ec11e866c9070acde533e77681af5

SHA256
4959c1137b3fe2f958b31f3c38d5341f7ebc5426bfb5c7515bde38f2cc9141db

SHA512
6ee8d2fce378c52a761c0ff3db415a45708547a57c3fca3dd4c19133bf1bd37d4bb11867b7bce99f1e895bee02e80ec9a42c95a97d67b495b076ed1d73767691

Download Submit
C:\Windows\SysWOW64\Cbbnpg32.exe

Filesize
88KB

MD5
9f13bf5ebd4da7d663c6692db670effb

SHA1
727adaf7d868764fdbd534609f954e8a177fec3d

SHA256
94735dc566d70d05b37d28d395e005a15052245bc3f34527620a92a5ce960ca6

SHA512
b5f8ed14cd8f10447f08f803480ad8a34271fb69b04b93fdd094789bbef639296ee7c0aee7a7563b3f64e6939c9465f2860f4211f4c4b875ce01cac168dee823

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
88KB

MD5
d058fe741faf4555eae008dd4878e146

SHA1
11418e2be4f866e51c0ed961018faeb488bcc3d2

SHA256
d45a9938a44f59d9f2cf1c3e468d3cda7aeb0f8aefece1c1f17798d9c5a3bf30

SHA512
08d3dc7602a0d17eaece0990e559bda88a191e392801e3cc305364b005309b458ed362dc4356d404b1d9746328b9dde32e6a744e09256080833163e425ce79e8

Download Submit
C:\Windows\SysWOW64\Cfbcke32.exe

Filesize
88KB

MD5
923e9d1c21b726309cadc05d16b11df1

SHA1
4dbe20c64279d9ffeeb07a40d614d8471ecd9b63

SHA256
8fb6ec87aee09aa2ff2c365f472e3f3d73b8cc497038c349ab6c7f7ba12de2b7

SHA512
5051f6091861969577d3a2a32319ead4df267e2626683350a9b67040d4dff43ff6f16b022422a102e1842bf2fd30afaa13dd8927a78d4f0478d046ddc1ff3075

Download Submit
C:\Windows\SysWOW64\Cfkmkf32.exe

Filesize
88KB

MD5
834c1675d0fdfe3608a555eb1a0b85ee

SHA1
c47e76ad9b0c2b55c5a477e37801799f86c44f0a

SHA256
997debe282a8b69e1f0e5b51e08a6d230857a77f2cdf672d65c4913ae2191140

SHA512
2659502cc1b1a67c9755149b919f3060729b11898f652cf81ef86296ae56ecc11e2fd84c493f47766ca33364cce35232988b57988398abb36e9d6fc1fb5e7833

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
88KB

MD5
631688d5cfd39b3ca77ecd3f4f32fb2f

SHA1
b54a00d082c9a99187df5b1f83fb9a3de50a65f5

SHA256
656022507af42add4812ad0448236f5ea63eda4f6fda0a7c27f27e200537b4db

SHA512
a66a9d7a30bd6c350b49b2c662326e06238b6980aa655a12be6a0506a4818969c8ef3fb6bd202f78245e79c862fb2260f8a22594aab1916fee5c60eecc6d62e3

Download Submit
C:\Windows\SysWOW64\Dnbakghm.exe

Filesize
88KB

MD5
bef75cbcb92c8b302cf991ffdeb530f7

SHA1
291df386cb9f24cb14cf25f3dc980977aee1f20f

SHA256
0517bdc52334072bc09fd62b927091681caadfe2743778d1cc8b5926c6396495

SHA512
8c68b97ff1a28601fe25752dd11e1ba3f3463c4f6aadf66ea4c8e591229ef1ec1b09744edc3d227263281e43731df9329f58b86deaebca3ae3428381cfd8951b

Download Submit
C:\Windows\SysWOW64\Doaneiop.exe

Filesize
88KB

MD5
d520ec7b26be5ba755f636db5ef51ca8

SHA1
415dd5b0b3de32eefb78834517159015cc4ff59b

SHA256
416774fb43068156e7257ff3e48b85193cf869bc49c1528c76cf0bad5a0c9dee

SHA512
a993fd1876ed4831e328bbd4abd5b16c58d61ce93956890e648041018caf1616a5751f7a173ae701268435da5fcc104708d794dbfcd887d96496c1b39859431f

Download Submit
C:\Windows\SysWOW64\Domdjj32.exe

Filesize
88KB

MD5
25d58383d97cf73ed651146a414cb4e5

SHA1
37f464f5a935ffd3a45484e4b854c32b2b8b2864

SHA256
03834631065eca1cef55ab358e03227b8c8e5037be0dd6e875c5de772a97dda7

SHA512
684a443687cd9ff4df1326f48c023444a3accc41837c191ef50eb22d766cb4c2fc4cd117a06f93f91bcffeab8ef0f00b34fbd3a46b8f8eedf5e3954362f512d6

Download Submit
C:\Windows\SysWOW64\Ekmhejao.exe

Filesize
88KB

MD5
472292e6eda072e5de89e7cc05cc9797

SHA1
aadbd99059d9d0c3da79097d30e7e4c319b7b180

SHA256
64683f5acf28eb94baaa2af9f458123b00601e64038aa6c50bbf7c8edd4b9b45

SHA512
38e5602be80777b14358895a4d87ceea530212341507aa709126d24a7f343f2a367ee8fe4278ed817be16369848516cdcdb2eceba69e463c0f4728f3d8447dc9

Download Submit
C:\Windows\SysWOW64\Eofgpikj.exe

Filesize
88KB

MD5
361be96f023fcb5e6031fe5352f1bea0

SHA1
c4b5cb3e93cf194297e216522cdc7baed5563871

SHA256
0b0800c817526af8ce65d446cdcefe388f8cbd5ac50ca9d5121a4f834ae91fa0

SHA512
e0621b1977ff90fa86129214298dd8952e8809daaf7bb87c4825cbae77881e585c7b7f7d3a12dbb86ba802c54d3101dbc7c0cec559ad9c6dcbea135fc09e561f

Download Submit
C:\Windows\SysWOW64\Fnnjmbpm.exe

Filesize
88KB

MD5
6dc8899caf8c26fee60fbc21a63159ba

SHA1
991ef014c0492fb8118f8c03822e41e84855018d

SHA256
3825e50db0f363ca7e26239ae4fc33123b494da5ba4772d75a6c59c342f14a91

SHA512
de31c58d03bddc23ec90ca0ed99f4f41e5253ec9d8b21b4f80cdc77d0e02d07ba91effc8588355602c1853efbd4de0ac925e15cfcc0ab093c43d3192aaa273d9

Download Submit
C:\Windows\SysWOW64\Ghdief32.dll

Filesize
7KB

MD5
c9162ea2ce280d4d497f3d5bff3a37bc

SHA1
cae12bd440519bc5a0582d2628517c919c99f702

SHA256
47e3ab4574ff48482303ca01f349ea64c122d04973adb0b0fed55f958c642f79

SHA512
60793af73882ab08b23d64e39115fd2322d64e1a5030d17441892539b49229653aa06746a591775c6fe92d055a9c128bede53396f26a8e78d636f5dda0e57b20

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
88KB

MD5
bf86178ed01f3a1d9be85932efe73cd7

SHA1
7a504c7bf3755ace14109be1d65371185999ab1c

SHA256
f0ede0eb4ffea0f463dcc5ba58eae885a4ca62667156793a45934b9cf5f9b92e

SHA512
7c11a73b340fecbacd2e6a3835a31868fbbcbd72c2838ae9ec9bc9964feda447e1fb3082a81cd3fe63c3ade7e16d29d53fa58d49c78292b01e628caa496f84fd

Download Submit
C:\Windows\SysWOW64\Hoaojp32.exe

Filesize
88KB

MD5
4f9fa6a991b94f2e43225aa27cf3b821

SHA1
de5f6f3f18e9e7e4db438bf82855ce733df722f5

SHA256
96dac090ee2e7b9efd023d33ce2f62ad1f5e20b2c9db479b17c3043de804e25b

SHA512
48285c0235f9e59e258f5fa3d246d973b553db5c28a0182237b2b028ac9a2ca25f7e62842babd3731340deccdcb28bb94d7fe61b7535b7a146e1c67f5b86daeb

Download Submit
C:\Windows\SysWOW64\Ibhkfm32.exe

Filesize
88KB

MD5
9c4f24660a11f087803fa249f4d90238

SHA1
2286450e1591327b7adbedb3dfb2a377d6c5b982

SHA256
84d23b8c5a8aec088e173578b9632e008d6359688b37cfe55cb60a1feb8c5844

SHA512
e958550d5519d74773de111b40c54fe1bafce3fe21f32792bd737122d5e954873ff4a52d3940008c44c8e451c9f445f78fbaca38bf7c4021b7626c62743078f3

Download Submit
C:\Windows\SysWOW64\Imgicgca.exe

Filesize
88KB

MD5
faac79723571652f25243b8aee141057

SHA1
7ac5ae1fbf74d201d2a699d06bdd6b68d10171fc

SHA256
40b7f44bb607d8e9a40a5fead8b01fa53d98e08161b595dae774a0cfb04fbc83

SHA512
8e6ea122ae13fc2c29036907c95e4bf8c9bf8304b96421afbc254339002b8465362eb9e3dec60fc78083feae4ef91405d7b46af1851ccd0009eb488b5523e9b4

Download Submit
C:\Windows\SysWOW64\Jniood32.exe

Filesize
88KB

MD5
b78619cf0a4f74dcb9fa8c96926c7624

SHA1
ac24ba4a348cf3cfca6d717ff48ecf4e7dc99c64

SHA256
14aa494aaa5975b84a260bada351f887757d0c400d4f3c402c07c9a60b1cc3e6

SHA512
520f346a44c7578f8be43be7191ce82338a1305591791e9d10ae3a6242c2b316bfd8754209f4fd952ae651fe7a73deace442a57c3d9c89b691c61f9d6eab6df0

Download Submit
C:\Windows\SysWOW64\Jpaekqhh.exe

Filesize
88KB

MD5
07f93b90c6275fae3b33e40a06e8c854

SHA1
1958102749cfc41539f05e7f27efbbf0aba9e2ac

SHA256
659e2454a7531e70e15ed9e15bd03b933b704aba306309614573b427e8dcf84f

SHA512
c42e9c30450c441144124f203c265913d9308c3c18fd58153359d979e08621fd898ee1be7a5ca364e830807cc744ad20eecaa378ed88dec84f4f31882bd63d9c

Download Submit
C:\Windows\SysWOW64\Knnhjcog.exe

Filesize
88KB

MD5
d78f06137959a18d8dacbbdbe605006a

SHA1
4fa4d791f3cad79cbc19765c09c3bed668b2d895

SHA256
d74e28e09b37774e2d94dc0cb1df594d414f8d32eca21f22c3863504a969d571

SHA512
3ccbe36ec84cc23adabb54dc8b8f06e292d968490cb9b9b5f7bb84ddf1a7e7072f398f92560e3b7a880ae2f4e6f1625c238c222b8d3a0c3f58ce859b29088611

Download Submit
C:\Windows\SysWOW64\Koaagkcb.exe

Filesize
88KB

MD5
2e2e9cc703690ab7d8186d8c118b2bba

SHA1
8dac8f58c6f933553a911c72684080028e586743

SHA256
e05049bb56928f4e622b40989769f7c5a25a5ecd585801dc9bf136acc671e6f1

SHA512
80b1e7e123d698b2fc411836b826afdec36f2e86a090f4b4ff0008004f89747aa897cfc480724cae27eeae2b3ce92b5cc10ec380e4a962da76abaef318748fa3

Download Submit
C:\Windows\SysWOW64\Lggejg32.exe

Filesize
88KB

MD5
8a635e4443c1d6852f8db19f780a189c

SHA1
2b523bf8925de4f8d06e9860c00e5f80c328b66d

SHA256
774730da7791c43a8cdcb17a0a30b7f0c8aaf73ac0c5eb433bd010b04655562e

SHA512
8c867b94973bd8e9f53844d646d61ef0283fac89ef5721d3577c9f29c132adf6f73488ef8a87b9658b9bb61604a454982e9e23fef9e9f21fdac7e7bf501f7fe1

Download Submit
C:\Windows\SysWOW64\Ljfhqh32.exe

Filesize
88KB

MD5
093783ee2da7dad9c54630760f0a7a57

SHA1
939072ad2c9054e710b700979f8173243bafe987

SHA256
904ef0dae4d9d13d84bc1c0446310d3e9988bfeb8ddad27182ccd803144d9d0c

SHA512
87b136bfb41978ead28b3993209bf9b87d3963ef7f52a8995b2b70540cc2e592f037eb3f6468a6c9fe6134c304ee73069aa25d7b49a4927d7450c44618d8b829

Download Submit
C:\Windows\SysWOW64\Lklbdm32.exe

Filesize
88KB

MD5
9b13fc8e329379c855054b548ded7f2d

SHA1
361ebbbf1ad3e5798b048ca2e1b5d2c18de07fe3

SHA256
1dc7b088a94917387ab6ade0b196b0e79c95b307d95c158f2c4e7dcce8ec4bc3

SHA512
ca059cabd9a5ce13b87eb6aa18d557f31d25b4632e825dff2378dd8b9162ddc1b4917db4b941b1d388a6e8604d7e1269ffbaeb4b30fd5775ca2e7c7b58e65bd9

Download Submit
C:\Windows\SysWOW64\Lndagg32.exe

Filesize
88KB

MD5
662d69e28aceb86122ae468202a7b157

SHA1
2671269b1b524782f6b9216a5d906c4812af58d8

SHA256
a848ee05bf8efe8b909ebf6590a4b564cb4fd118905781712879d47ea9cd6b86

SHA512
4df8f019e4a84bd17bd8dfcc498e418809774ad86137c40198679a996c58dbd635e929b54bfb1607daa31401c11523989ee4896b11325183628107aa2a8f45d0

Download Submit
C:\Windows\SysWOW64\Lnmkfh32.exe

Filesize
88KB

MD5
e9cb2c1a38a87c4c2405e07b006ed457

SHA1
37777b806dcb915f4b410ad55587ce1541c94f40

SHA256
5d3e7ec9844e6567244f65115c95626fb10bdd0e27cd37ad6c8687cfc3bdbf57

SHA512
229399aacebc13a798fb006dc9034d0ba44eb90654205843688ccf37cc86a3f525a7eb2cf4a6233843408c41d6fefbeb2737510940be400f09a572b674305bb0

Download Submit
C:\Windows\SysWOW64\Lnohlgep.exe

Filesize
88KB

MD5
2f81ef53084489ec472188a26f06424b

SHA1
e552484bb8a4374043718361f66b2dec92f8a1e7

SHA256
09d3bba9ec4662b6daf970be4086b400b855738fe688985d971eab2e03c309fb

SHA512
c98564166b712d10567fc1cb678a678a30f2844daa8cec36e02a37ae4537319280c07e6bbdd183afe4caae5ceb4d8e257894e7d3321a9ab01220bdaf1104e5d3

Download Submit
C:\Windows\SysWOW64\Lpfgmnfp.exe

Filesize
88KB

MD5
99fb7bed583dad679b0b33d097362aff

SHA1
24e2aa7a25e51cd560a95360f2c396179fc67aca

SHA256
aadd5825de50a81fd35a62df52f942275ef33cc181f63352b643d5c1a4c9c08c

SHA512
251c58a9b2957c4da6846fe556577cd8d45f8ea0d34d7e7f51e04230889ac3ebfec92ce711740a0873913ed5f6c0d8a03ea00aecadecf483f58882521ef72978

Download Submit
C:\Windows\SysWOW64\Maggnali.exe

Filesize
88KB

MD5
c5994ec84a61e0077b3497e21b2603c9

SHA1
3d868cbf1b598c181df84004dd94f2b9054e82ef

SHA256
a30eb8ccd2bc1d99d19adebaf2783393c7bf1fb3b65938d4d61671b9dde0bac6

SHA512
5ba3cd9ff5db3b4d0326633467bb6c088f90d0c068426ccce9d0abbc7cf9beca2220d85cdc8879eed767dc37a665c28c3f5620617f1b4f406cc6b654da2bbb9c

Download Submit
C:\Windows\SysWOW64\Mcpcdg32.exe

Filesize
88KB

MD5
53751e3d605f4e232409620044312c35

SHA1
0b219927a7a367cd5ea6ebe747bea7fc714c3741

SHA256
ab57b63ce9291bd24601d109f268fe5a20061b5e629c18db5108e9ffd441060c

SHA512
e72be29d4512b46d2262c6b39b4b652ffa8e82e339dc51146b40837d8a0a2aecc6bd7b7888a8cbcd9e837067474e7e612f038702699bc9192725bad79e92b298

Download Submit
C:\Windows\SysWOW64\Mjahlgpf.exe

Filesize
88KB

MD5
a9f3e11590d5bd54ede8b2d2d52f08cb

SHA1
3decf7ec8752e26f007b9010556f24724b2cd90c

SHA256
833bcefe0d0c74fc6fcd8a1c5a1c8efdded0d5ae021fa71a0d17a6391750e3e1

SHA512
ff017ef619ba5efbe7c7d34b7062a0c2f546a444b09e7f63bbf6d98677bed3023bdb7ad196fa1e1dce7568cc987e81841683afb258f8931798e5e17a26004f4c

Download Submit
C:\Windows\SysWOW64\Mkadfj32.exe

Filesize
88KB

MD5
e6582cc77ffabd930874f3c73d84dc86

SHA1
5d345b4a31a6ad652c3994d2b63a1db74c909faa

SHA256
6c1a88bfdd69157b90b1660854c0a520a97799b0882a5460fad6e9c84eca2a99

SHA512
70e67d5bce7cfa32eb6807edde47f4c4321f84a01f32196a91e4153c1bc73f9ca7f9e2187f7dfb7776731363764a53f96d93002a5759a77ea1986d676f5f18b0

Download Submit
C:\Windows\SysWOW64\Mmnhcb32.exe

Filesize
88KB

MD5
41bbbcfc6206f297f7cdd91b1bd7792b

SHA1
c60484bf7cf7fdf82b38e70e494c0bc060cb1139

SHA256
4ada5cfaf4206d7936e5fbac1246638e056646ac5f8ec2392b91e3e036cc653d

SHA512
50cb1a752e45e1287cbe76d29c48048d8d096311abf4f2104ed70b4f01e1c25846740c9e3964dd6ae57fa8707b57533811bb009d02119538c12c0f3c602b226b

Download Submit
C:\Windows\SysWOW64\Mnfnlf32.exe

Filesize
88KB

MD5
2c62ecd2eda3465e80c14e784d13c1d5

SHA1
50bef214e42e3df8229a6b2c8ccb7ead55976237

SHA256
126aee360db121d3652b2821ce670bbfb7f08328504e64ab4ec001331e5721a8

SHA512
cbaaedb505a6a2badb3d50d8363697d3c3e41394cc5dbe3c9f8cd166ee0edec0b99c861300e50cc1ff31f05599679eb7bd79e86a56c0f9cd6790f0cf9b2331f6

Download Submit
C:\Windows\SysWOW64\Mqimikfj.exe

Filesize
88KB

MD5
ec3a1579b55037133aa77db7e396cf58

SHA1
25222af69953ea4bc457116feabb7c953cfda80e

SHA256
8ae2261b3ceb1b0a07c17c8b22a3d4a88d7d368fa4e56b621ddfc062487dfa87

SHA512
5882ba030a29a033a6d4315ef776fbb6c6b3624e7b5b4ae8b333cc8a69b170faf0ec31c5b6b7578dd00be5b99123e937fd54ef29f5671520196b134db5a47ad0

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
88KB

MD5
699b5b724f76d015e9b9f3c04c626f63

SHA1
98a929105c74cae0f56ad6bb90a6e52bd1a2c30a

SHA256
5b510beb26061640249a45575c7a86fb95a7448df928d9094b073e5f508ddb18

SHA512
1f151afc8eaf4ff26b0a42974062aeb684ba62075bcea60d170a6361d4ad66687c9010e20f4bd9ed625ba8e31f8c568b1b4596480dbca1f8b942dc7fafc04857

Download Submit
C:\Windows\SysWOW64\Najmjokc.exe

Filesize
88KB

MD5
7cedd233eb3100577373a6d452863109

SHA1
c165d0a16aef5e02ce8c01e6f13e834440d83b85

SHA256
c31083752e757e1d875b4c6d02d10a0bec8e638a498202897ba9b2e3fe3a2136

SHA512
990c06e7e1f968b041b9590ba089c5bf11fe20f5be08f0ea67d402b8b79d38601c64ef6cd1de5276dbcc4274ffa776645622b0834af265708de3497aa0b56316

Download Submit
C:\Windows\SysWOW64\Ndflak32.exe

Filesize
88KB

MD5
74a29ca16ebcc57473538c9db8e50711

SHA1
4c96cee634d7d5efc3a2c78cf38ff166f267077d

SHA256
a82940283239d92cec552203dc86715b965be65210888f88377085acdeef6c00

SHA512
6043b052a724da08e8255b7cc5448ae15a50fab72879d69f8e6ade50b42d3e9d849b86ec17efd995e8e488f058fd92a1872fec9b85c14e7f2e6ce8ecd5bf9043

Download Submit
C:\Windows\SysWOW64\Nghekkmn.exe

Filesize
88KB

MD5
7afe12632a891196dbb39c88524ad2c4

SHA1
f8743034daf9834140e735f2adf09724c2420eed

SHA256
cd34810a94ccc627a2503c9727e747c5f37052a2d7a9cfab2f41dd3ad2a8dea7

SHA512
60200cdf3abb6ca7ce450a45e3a900d35a79021138beac1f3be143bd6a4bff73659f8cc75f14e866643329e8a531de7c94252004fe7c38c88ce5bfdf97c586c8

Download Submit
C:\Windows\SysWOW64\Ngjbaj32.exe

Filesize
88KB

MD5
2322cbc4f94dc969b15f24c70c7798cb

SHA1
21162f5f028284a594e83e1009ff6c40d16a5311

SHA256
c5a757ed87599889d20e81efbc195980db21164951cc596e97b2ecd783f49e95

SHA512
68d9e0b0bac31f2309e093a5e5f0a18de0d424a76d5451d77e295aa99b985135de63047cb1f2450fcdb1c4b3faad407086f68a1f16336abfd879544b029cb0fb

Download Submit
C:\Windows\SysWOW64\Nhokljge.exe

Filesize
88KB

MD5
976fd1fef14d0602f51dbf68184ef79c

SHA1
dfa2140a769668b713ebd7d17a028cbf3b22fa6d

SHA256
6852f2a955dbcac6852ed07e4e27b30b7f2775c37af8bb7ed5cbd3060b917985

SHA512
1600fb507740bec8f0b73748737710f7bfdf0cf03493d306618af17461d8429d88b70467ba923dc1dbdc9536a2c1f232949dfc2198450339c06ec54b174d5276

Download Submit
C:\Windows\SysWOW64\Nlhkgi32.exe

Filesize
88KB

MD5
8da1b3458ecbd6a45fe220aee982a6a6

SHA1
bed9bff7515d8a50c445642b90cf86d750cbcf9f

SHA256
7fbb5305d0fc9a3233aa226fd2a296e8a5bf61571aca12a644ca738fb0ce6e6b

SHA512
9e4eda643f044ee47c56ad99c2f61e0d6aa7d594c8cb806a0a42117bfcd3ec9a526ca494d328a9c6d3da1bc02822929f8442e4f8ebb95a6f6d507979674e92d1

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
88KB

MD5
1e72fc65faff64fd0387bc7bf40b9b41

SHA1
3f93d70af14e6f9be40809fd7ef8ac640fc044dc

SHA256
81c45370673e47c0bca52711fabad1d26164c3b0b4899d5a9c8503f5977688ce

SHA512
af63d04e5ae1f87cbffa0faaafb27640b5516d0bb55a2f20be2d42e4c53c58d07143147e04867ff4e0c22a240ff090b14d0000859a51f260a59e21d24e852454

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
88KB

MD5
60bec62434b8f56e5245e4aebbb0958b

SHA1
1f1c212e838ac471c6a4ac116637999d33c3b4f0

SHA256
868547506d110464c70fef349dbb465c9afe703359b5c61e49740bb23d7a6f33

SHA512
0b796ae7ee911bc6f5c5a41aab8ad09f0b05bf2049bd1169b95fe9629640f149fb9936a1e76b39770e76603d00e74226547e051059bc1b378dc4bc57139f7981

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
88KB

MD5
ddadf0ac28d8f3925a9b9e521a10de10

SHA1
332ddd04e35d5fdce6cda53f60fd7ffff53a5a6c

SHA256
2db8a74562ad0db5c6d77cf56bbf96a8effba4f0d57576094d1da83882fb27f0

SHA512
af99b98fa1a26966ed6d95d18f0a18055a11b6cb55bc68478660a92545ced5d6f722fc074d8845ee8c8fb7ac2fe0ef89e15de3814aaca87c3a1db036964bd9bc

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
88KB

MD5
24ffaff13520eb81d0745d58ba9c0d22

SHA1
54ff9820c2154f39df6ce1e723713dcd18a03cb6

SHA256
ce739d6bfb3a530a316d733eed7ae5fefb9b34c353456cbfb9e33cfc6c763ac8

SHA512
e3985ef8cb80887be61b1d4847d814bd0f086b8679a366b135d1c14d129747f751e4b71fc7ad8ffb2dd16c4022958f69b6011365243a7407518ad9631b965ee0

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe

Filesize
88KB

MD5
d2fb6271b7d240f768edf9bac8bbceab

SHA1
1b793b16ef1086235cd074628023067ce494e6cb

SHA256
b14c9d804fdc7be86834facd5664fa42cff4fc73bd4a71660b5ede3901130c2d

SHA512
98608fb17ed2295f226fc6879b707d40354298f750a539b4ccdbf1a405fa9bdcf51864d2b1498c9953f6f40f4e667b65ac73a24b1184812535579376222cd689

Download Submit
memory/212-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/616-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/616-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-615-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1372-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1372-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3392-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3924-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-949-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-523-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5156-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5200-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5244-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5284-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5328-596-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5368-602-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5408-608-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5448-614-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5476-942-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5492-621-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5532-627-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5572-633-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5612-643-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5652-649-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5696-651-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads