604dc14ce1a8bb3cde06474690e56fe6cc168fc190cdc17dfec8659810f421d7

Analysis

max time kernel
145s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 23:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1f7b08f6398ca4810570914891611450_NeikiAnalytics.exe
Size

128KB
MD5

1f7b08f6398ca4810570914891611450
SHA1

0600c8e580557af183be5d60b2865510c712f0fe
SHA256

604dc14ce1a8bb3cde06474690e56fe6cc168fc190cdc17dfec8659810f421d7
SHA512

71c53c612db132b1426557a271ad7a7908f617bde9b7dd329586ccd582a8793adde16d527e183b5a0c7de737636fc277be880cc1ce9a68407209c89018fce28f
SSDEEP

3072:2SNREWG85uHxMQH2qC7ZQOlzSLUK6MwGsGnDc9nhViX:2bFHxMQWfdQOhwJ6MwGsy

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jemfhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Legben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njfkmphe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbiockdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1f7b08f6398ca4810570914891611450_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpffeaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jemfhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enbjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnnljj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebkbbmqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhkbdmbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebifmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnphoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnbicff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lggejg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iijfhbhl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnajppda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnlecmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbkkik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnbakghm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiekog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqaiecjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhfpbpdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidlqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enbjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkkjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnnljj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnphoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljpaqmgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fefedmil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbagbebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekjcaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jekjcaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aggpfkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibqnkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppgomnai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Panhbfep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jojdlfeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nciopppp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hldiinke.exe

Executes dropped EXE 64 IoCs

pid	Process
1600	Ahgcjddh.exe
4652	Bkobmnka.exe
2320	Bhbcfbjk.exe
3840	Bffcpg32.exe
3108	Cdlqqcnl.exe
3564	Ckeimm32.exe
2608	Ckjbhmad.exe
812	Cfpffeaj.exe
3992	Cnkkjh32.exe
4952	Dnbakghm.exe
4356	Dflfac32.exe
2376	Dmennnni.exe
4128	Eecphp32.exe
1460	Enkdaepb.exe
4992	Eeelnp32.exe
4864	Enbjad32.exe
2112	Fbelcblk.exe
1288	Fefedmil.exe
3924	Gblbca32.exe
4872	Geaepk32.exe
1940	Hoobdp32.exe
216	Hblkjo32.exe
4300	Ilnbicff.exe
224	Ioolkncg.exe
1836	Jleijb32.exe
2056	Jpcapp32.exe
3324	Jepjhg32.exe
3344	Jinboekc.exe
4196	Jlolpq32.exe
2572	Keimof32.exe
5088	Kncaec32.exe
3556	Ljnlecmp.exe
2688	Lmaamn32.exe
4996	Lggejg32.exe
4076	Mgloefco.exe
2232	Mjlhgaqp.exe
2404	Mfchlbfd.exe
2636	Mnmmboed.exe
1840	Njfkmphe.exe
3436	Nqbpojnp.exe
1692	Njmqnobn.exe
836	Oaifpi32.exe
1344	Panhbfep.exe
5108	Qfkqjmdg.exe
1052	Qhjmdp32.exe
3596	Qacameaj.exe
1556	Amjbbfgo.exe
4824	Aagkhd32.exe
2012	Ahaceo32.exe
4632	Amnlme32.exe
1516	Aggpfkjj.exe
4332	Adkqoohc.exe
3424	Aopemh32.exe
1800	Bhhiemoj.exe
3916	Bgnffj32.exe
1464	Bpfkpp32.exe
1596	Baegibae.exe
4328	Bhpofl32.exe
4868	Bhblllfo.exe
4416	Bajqda32.exe
4500	Ckebcg32.exe
2524	Caojpaij.exe
1996	Cnfkdb32.exe
3824	Coegoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgloefco.exe	Lggejg32.exe
File opened for modification	C:\Windows\SysWOW64\Njfkmphe.exe	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Bpfkpp32.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Fmamhbhe.dll	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Iahgad32.exe	Iafkld32.exe
File created	C:\Windows\SysWOW64\Jepjhg32.exe	Jpcapp32.exe
File created	C:\Windows\SysWOW64\Ondhkbee.dll	Ekjded32.exe
File opened for modification	C:\Windows\SysWOW64\Hnnljj32.exe	Gbpedjnb.exe
File opened for modification	C:\Windows\SysWOW64\Jbagbebm.exe	Jhkbdmbg.exe
File created	C:\Windows\SysWOW64\Nqaiecjd.exe	Nijqcf32.exe
File created	C:\Windows\SysWOW64\Hpceplkl.dll	Hldiinke.exe
File created	C:\Windows\SysWOW64\Nfenigce.dll	Lplfcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ppgomnai.exe	Nbbeml32.exe
File opened for modification	C:\Windows\SysWOW64\Coegoe32.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Fdnhih32.exe	Fnbcgn32.exe
File created	C:\Windows\SysWOW64\Kefiopki.exe	Khbiello.exe
File created	C:\Windows\SysWOW64\Fefedmil.exe	Fbelcblk.exe
File opened for modification	C:\Windows\SysWOW64\Keimof32.exe	Jlolpq32.exe
File opened for modification	C:\Windows\SysWOW64\Nqbpojnp.exe	Njfkmphe.exe
File created	C:\Windows\SysWOW64\Oajgdm32.dll	Ppgomnai.exe
File created	C:\Windows\SysWOW64\Qbdadm32.dll	Njmqnobn.exe
File opened for modification	C:\Windows\SysWOW64\Lllagh32.exe	Lljdai32.exe
File created	C:\Windows\SysWOW64\Gceegdko.dll	Bffcpg32.exe
File created	C:\Windows\SysWOW64\Peaggfjj.dll	Lggejg32.exe
File opened for modification	C:\Windows\SysWOW64\Qfkqjmdg.exe	Panhbfep.exe
File created	C:\Windows\SysWOW64\Ipaooi32.dll	Dnajppda.exe
File created	C:\Windows\SysWOW64\Kofljo32.dll	Noppeaed.exe
File created	C:\Windows\SysWOW64\Pfepdg32.exe	Piapkbeg.exe
File created	C:\Windows\SysWOW64\Akhkncql.dll	Dflfac32.exe
File created	C:\Windows\SysWOW64\Mlljnf32.exe	Mfbaalbi.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pblajhje.exe
File opened for modification	C:\Windows\SysWOW64\Fbelcblk.exe	Enbjad32.exe
File created	C:\Windows\SysWOW64\Jinboekc.exe	Jepjhg32.exe
File opened for modification	C:\Windows\SysWOW64\Aagkhd32.exe	Amjbbfgo.exe
File opened for modification	C:\Windows\SysWOW64\Ahaceo32.exe	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Bkamodje.dll	Bpfkpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hnphoj32.exe	Hhfpbpdo.exe
File opened for modification	C:\Windows\SysWOW64\Njmqnobn.exe	Nqbpojnp.exe
File created	C:\Windows\SysWOW64\Bhbcfbjk.exe	Bkobmnka.exe
File created	C:\Windows\SysWOW64\Iijfhbhl.exe	Ibqnkh32.exe
File opened for modification	C:\Windows\SysWOW64\Hldiinke.exe	Hnphoj32.exe
File created	C:\Windows\SysWOW64\Dagdgfkf.dll	Iafkld32.exe
File opened for modification	C:\Windows\SysWOW64\Piapkbeg.exe	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Mpiedk32.dll	Ppnenlka.exe
File created	C:\Windows\SysWOW64\Ckjbhmad.exe	Ckeimm32.exe
File created	C:\Windows\SysWOW64\Olieecnn.dll	Jepjhg32.exe
File created	C:\Windows\SysWOW64\Lpcncmnn.dll	Hblkjo32.exe
File created	C:\Windows\SysWOW64\Aagkhd32.exe	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Ghehjh32.dll	Eiekog32.exe
File opened for modification	C:\Windows\SysWOW64\Joqafgni.exe	Iamamcop.exe
File created	C:\Windows\SysWOW64\Edhjghdk.dll	Cdlqqcnl.exe
File created	C:\Windows\SysWOW64\Fiboaq32.dll	Cnkkjh32.exe
File created	C:\Windows\SysWOW64\Jleijb32.exe	Ioolkncg.exe
File opened for modification	C:\Windows\SysWOW64\Nqaiecjd.exe	Nijqcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pidlqb32.exe	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Njmqnobn.exe	Nqbpojnp.exe
File created	C:\Windows\SysWOW64\Bgicnp32.dll	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Kdding32.dll	Fnbcgn32.exe
File created	C:\Windows\SysWOW64\Joqafgni.exe	Iamamcop.exe
File created	C:\Windows\SysWOW64\Nknjec32.dll	Kiikpnmj.exe
File created	C:\Windows\SysWOW64\Nqobhgmh.dll	Mlljnf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmennnni.exe	Dflfac32.exe
File opened for modification	C:\Windows\SysWOW64\Hblkjo32.exe	Hoobdp32.exe
File created	C:\Windows\SysWOW64\Qacameaj.exe	Qhjmdp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7052	6792	WerFault.exe	241

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdcakkc.dll"	Feenjgfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpchk32.dll"	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhfdb32.dll"	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhbcfbjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcjeh32.dll"	Enkdaepb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biafno32.dll"	Coegoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpffeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhegobpi.dll"	Ilnbicff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmaamn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebdlangb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1f7b08f6398ca4810570914891611450_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iefphb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebdlangb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhfpbpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpemq32.dll"	Jbagbebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fohfbpgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iijfhbhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaejqcdo.dll"	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieicjl32.dll"	Jldbpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlemeao.dll"	Jemfhacc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpnjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkakfla.dll"	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfenigce.dll"	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caojpaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbkkik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcakafa.dll"	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpqiega.dll"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgnid32.dll"	Dmennnni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpdhj32.dll"	Gblbca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abhemohm.dll"	Jlolpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbagbebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chjjqebm.dll"	Pcegclgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1f7b08f6398ca4810570914891611450_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll"	Jlikkkhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfoijn.dll"	Mfchlbfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilnbicff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhfpbpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biepfnpi.dll"	Iahgad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npldbgic.dll"	Mgloefco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdagc32.dll"	Jpcapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoiaikp.dll"	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccegpn32.dll"	Ebkbbmqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdding32.dll"	Fnbcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkkjh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1600	2512	1f7b08f6398ca4810570914891611450_NeikiAnalytics.exe	91
PID 2512 wrote to memory of 1600	2512	1f7b08f6398ca4810570914891611450_NeikiAnalytics.exe	91
PID 2512 wrote to memory of 1600	2512	1f7b08f6398ca4810570914891611450_NeikiAnalytics.exe	91
PID 1600 wrote to memory of 4652	1600	Ahgcjddh.exe	92
PID 1600 wrote to memory of 4652	1600	Ahgcjddh.exe	92
PID 1600 wrote to memory of 4652	1600	Ahgcjddh.exe	92
PID 4652 wrote to memory of 2320	4652	Bkobmnka.exe	93
PID 4652 wrote to memory of 2320	4652	Bkobmnka.exe	93
PID 4652 wrote to memory of 2320	4652	Bkobmnka.exe	93
PID 2320 wrote to memory of 3840	2320	Bhbcfbjk.exe	94
PID 2320 wrote to memory of 3840	2320	Bhbcfbjk.exe	94
PID 2320 wrote to memory of 3840	2320	Bhbcfbjk.exe	94
PID 3840 wrote to memory of 3108	3840	Bffcpg32.exe	95
PID 3840 wrote to memory of 3108	3840	Bffcpg32.exe	95
PID 3840 wrote to memory of 3108	3840	Bffcpg32.exe	95
PID 3108 wrote to memory of 3564	3108	Cdlqqcnl.exe	96
PID 3108 wrote to memory of 3564	3108	Cdlqqcnl.exe	96
PID 3108 wrote to memory of 3564	3108	Cdlqqcnl.exe	96
PID 3564 wrote to memory of 2608	3564	Ckeimm32.exe	97
PID 3564 wrote to memory of 2608	3564	Ckeimm32.exe	97
PID 3564 wrote to memory of 2608	3564	Ckeimm32.exe	97
PID 2608 wrote to memory of 812	2608	Ckjbhmad.exe	98
PID 2608 wrote to memory of 812	2608	Ckjbhmad.exe	98
PID 2608 wrote to memory of 812	2608	Ckjbhmad.exe	98
PID 812 wrote to memory of 3992	812	Cfpffeaj.exe	99
PID 812 wrote to memory of 3992	812	Cfpffeaj.exe	99
PID 812 wrote to memory of 3992	812	Cfpffeaj.exe	99
PID 3992 wrote to memory of 4952	3992	Cnkkjh32.exe	100
PID 3992 wrote to memory of 4952	3992	Cnkkjh32.exe	100
PID 3992 wrote to memory of 4952	3992	Cnkkjh32.exe	100
PID 4952 wrote to memory of 4356	4952	Dnbakghm.exe	101
PID 4952 wrote to memory of 4356	4952	Dnbakghm.exe	101
PID 4952 wrote to memory of 4356	4952	Dnbakghm.exe	101
PID 4356 wrote to memory of 2376	4356	Dflfac32.exe	102
PID 4356 wrote to memory of 2376	4356	Dflfac32.exe	102
PID 4356 wrote to memory of 2376	4356	Dflfac32.exe	102
PID 2376 wrote to memory of 4128	2376	Dmennnni.exe	103
PID 2376 wrote to memory of 4128	2376	Dmennnni.exe	103
PID 2376 wrote to memory of 4128	2376	Dmennnni.exe	103
PID 4128 wrote to memory of 1460	4128	Eecphp32.exe	104
PID 4128 wrote to memory of 1460	4128	Eecphp32.exe	104
PID 4128 wrote to memory of 1460	4128	Eecphp32.exe	104
PID 1460 wrote to memory of 4992	1460	Enkdaepb.exe	105
PID 1460 wrote to memory of 4992	1460	Enkdaepb.exe	105
PID 1460 wrote to memory of 4992	1460	Enkdaepb.exe	105
PID 4992 wrote to memory of 4864	4992	Eeelnp32.exe	106
PID 4992 wrote to memory of 4864	4992	Eeelnp32.exe	106
PID 4992 wrote to memory of 4864	4992	Eeelnp32.exe	106
PID 4864 wrote to memory of 2112	4864	Enbjad32.exe	107
PID 4864 wrote to memory of 2112	4864	Enbjad32.exe	107
PID 4864 wrote to memory of 2112	4864	Enbjad32.exe	107
PID 2112 wrote to memory of 1288	2112	Fbelcblk.exe	108
PID 2112 wrote to memory of 1288	2112	Fbelcblk.exe	108
PID 2112 wrote to memory of 1288	2112	Fbelcblk.exe	108
PID 1288 wrote to memory of 3924	1288	Fefedmil.exe	109
PID 1288 wrote to memory of 3924	1288	Fefedmil.exe	109
PID 1288 wrote to memory of 3924	1288	Fefedmil.exe	109
PID 3924 wrote to memory of 4872	3924	Gblbca32.exe	110
PID 3924 wrote to memory of 4872	3924	Gblbca32.exe	110
PID 3924 wrote to memory of 4872	3924	Gblbca32.exe	110
PID 4872 wrote to memory of 1940	4872	Geaepk32.exe	111
PID 4872 wrote to memory of 1940	4872	Geaepk32.exe	111
PID 4872 wrote to memory of 1940	4872	Geaepk32.exe	111
PID 1940 wrote to memory of 216	1940	Hoobdp32.exe	112

C:\Users\Admin\AppData\Local\Temp\1f7b08f6398ca4810570914891611450_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f7b08f6398ca4810570914891611450_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\Ahgcjddh.exe
  C:\Windows\system32\Ahgcjddh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\Bkobmnka.exe
    C:\Windows\system32\Bkobmnka.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\SysWOW64\Bhbcfbjk.exe
      C:\Windows\system32\Bhbcfbjk.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Windows\SysWOW64\Bffcpg32.exe
        
        C:\Windows\system32\Bffcpg32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3840
      - C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Cfpffeaj.exe
        
        C:\Windows\system32\Cfpffeaj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Cnkkjh32.exe
        
        C:\Windows\system32\Cnkkjh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Eeelnp32.exe
        
        C:\Windows\system32\Eeelnp32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        26⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3324
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        29⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        43⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        45⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        60⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        61⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        62⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        66⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        67⤵
        Drops file in System32 directory
        
        PID:720
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        69⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        70⤵
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        71⤵
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:960
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        73⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Fnbcgn32.exe
        
        C:\Windows\system32\Fnbcgn32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        77⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        78⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        79⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        80⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Feenjgfq.exe
        
        C:\Windows\system32\Feenjgfq.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        83⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Giecfejd.exe
        
        C:\Windows\system32\Giecfejd.exe
        85⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        86⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        87⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        88⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        89⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        94⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        97⤵
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        98⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        100⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        101⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        103⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        105⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        109⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        111⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        114⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        115⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        116⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        117⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        118⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        119⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        121⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        123⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        130⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        131⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6168
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        133⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6256
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        138⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        139⤵
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        140⤵
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6612
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6656
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        145⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        146⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 400
        147⤵
        Program crash
        
        PID:7052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6792 -ip 6792
1⤵
PID:6856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:7100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagkhd32.exe

Filesize
128KB

MD5
a48911c45b93d253a07159a05f349e51

SHA1
16ce73db59eb2f0124995716cfc94391bff8d6b0

SHA256
ab0597d84561114a724cdffc4ee6122b4368227b367384a34e12281f83bcb4f5

SHA512
8d7df253d800a3e60f983afb5034514e6e32305f16dcf1f040ea3b468ca2d4d75ba293b8d1b63cdf201f3e332d081d817035ec328d59b8dfa760b1c8bb072a46

Download Submit
C:\Windows\SysWOW64\Ahgcjddh.exe

Filesize
128KB

MD5
772992f259798ec1c3f2249552954ed8

SHA1
aa8711253340bebb727e91b760ced167153e33ef

SHA256
e0344dd99525326401aef67124722d8aedfd8c5f55a732f9ea9f3b4d31e5f17b

SHA512
242c6f41444162fd38000f3a860d3328991e8d6c7a1c291ec610754fc9b0a2165d70ed792519eeabffb2649392814cece950c1e062fcf80ea65a3fa97a1c2fd7

Download Submit
C:\Windows\SysWOW64\Bffcpg32.exe

Filesize
128KB

MD5
57f7594cdf7b1b8dc1a9be6d36c0d02e

SHA1
e9241b1a18d71ec091572cae952661ea593c365b

SHA256
f6e9c0160ca8ee1baa12a1006acbae8b20ee4f3803e686ca1ab89dac5b9d1359

SHA512
b63f154f07c49f4c730a3456bd569c6e55067e6490e41f5eed7360a76ec5900098736220d3c950ced515fbfbf66af55c24900c0407e687085c8c147ca065eb2f

Download Submit
C:\Windows\SysWOW64\Bhbcfbjk.exe

Filesize
128KB

MD5
0399f319f0507174510e587f5b24f9e1

SHA1
53713cd751bc7271f96b55924c8016a2ef49afc0

SHA256
cbf7c9f3629bdafb78d35fb9a59825a99388cd760e551138ac24ca58855a2c1d

SHA512
de396546b1e3055b5c240f868536cc2008a6ce75b5fde0fffe59c12faac7fb0fa9a82b90703c9a98ac4203bff445ede1ef103bcddcfc8a86a937d7bec0e2dbee

Download Submit
C:\Windows\SysWOW64\Bhhiemoj.exe

Filesize
128KB

MD5
3037b8bf41c0239a587995ddfef8b77b

SHA1
fe787ab5d3dd6f521d79e7d2bc4c9c2968b5fe2f

SHA256
3eb1406b9482e562390d6f7cfadb1119fd751a5e38fadaa8f425a2e2c4ce33a0

SHA512
224f20f5ff528f7f76e96d853196ce73b3d13727ee9929738c21a3ed7780e9a115d8c3a7837ac6bf1c61c86a3098eadbf373aea1170f670110d595fb3e03a327

Download Submit
C:\Windows\SysWOW64\Bkobmnka.exe

Filesize
128KB

MD5
1e3d45e737fc94d25ea90cf792f3a417

SHA1
09fa8573727137fcfceb7647262552a580b2f955

SHA256
fc72fbf4efc1a476d8d56c2264cdb8e9c041c1a313511f3e8ef25d58f52ccb81

SHA512
96e69518b8e9c6bfb1400e00bc51fbce90043134f5e0069477c7a3bc0ad97aab12b117e75b0ef3f89c3d7ed3a8c9c981ba36fa8e10b9620472ffe6819b83b106

Download Submit
C:\Windows\SysWOW64\Cdlqqcnl.exe

Filesize
128KB

MD5
6b509dd759a51cc0036f5bcafddf9bc8

SHA1
3c42615f9f3ead6d117e75c503485a1ea73783a9

SHA256
42e9fa31bfab216eb814af9db2b980cb26183e7019f346a79573338480ceabf7

SHA512
2dda63f3c4859ccc69f11c7472be3c8ed4f7e1a4d3318404180eef78c33be0fbaa9cfbb5c1842e43940b1b566880f29c616fb9a53168e157bfa72f925107d1e6

Download Submit
C:\Windows\SysWOW64\Cfpffeaj.exe

Filesize
128KB

MD5
7cb295d1d361133fda157833e2a9c954

SHA1
88545bb9cf36edbba738462572138acfb1b4e125

SHA256
d724bef0975b63df33dd43b7f3a0e07f38ddd6f843a59b0a56ac50389ca09937

SHA512
33469391c9e6717e88e2d3665bafd50431368d128aa076e52bff67206e0bc050e65573d568c93b863a17ce72b9d736dbfa073f59f5212e8da66d54894a859821

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
128KB

MD5
80682119638d7773cdc902f2f49be53d

SHA1
074eb71ce1bbd77c78203659be747b4ab06df503

SHA256
b0cfdfb9ba5f23aa2b0a781d6530af53d0646d9d1368570d2e0c3bbef13e788b

SHA512
427bf33871a799ed04b526cdacae43a38026e3a78fdbc4512ad7de63a43d6b6f8b32436dac107d3cd2f2cf55d3ad9ad1f4794adad280d95ec5bef82a61fb1081

Download Submit
C:\Windows\SysWOW64\Ckeimm32.exe

Filesize
128KB

MD5
34a800ad1495bb55c70cbcca424d8318

SHA1
dfd9c08a345fd8ecf2295702f54f73d83dc1ef2c

SHA256
cb385e95f847ed99c1d20397e0a857c01a4a0b38f723c5c3ee63f4e07fa00ba8

SHA512
d1be9692d55ea25e706275f216d905c3adf158e4a1b564886c8b8d25094e55ed19cb2d29023cb4fb6cfc5ddfed6b3665ea9a9331d1c12ecaf73821202b5943ca

Download Submit
C:\Windows\SysWOW64\Ckjbhmad.exe

Filesize
128KB

MD5
d9beb66028be2afc539e7afa5d27192b

SHA1
2b63739aa1ba4a7de2ca64681e42e435cc750651

SHA256
f7920ee1ea8896452446ee87b0faabd03fbc9d0a6c914ce7be746034246e2602

SHA512
4019331a31e7b3b703c0e9f582cdad854407b5105363975d76b382df9bcf4f0e6e67a46c209119c55bc90a96bd078c405e84a0584d06724cc21657fbeaa9ab3a

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
128KB

MD5
4c732c05a7d36c5bb6ece79bfb243c26

SHA1
05a0a6af9f658a940b82506b4d581c2192611291

SHA256
4228995423e2c54b0b38c86bdf404dd675407b21cba401b3658fd5151127c61a

SHA512
8f11eb6429bfeebcd4be51b972ac94341d2200abe5f597284dd9e429f64d702c1a198f567de3785ba63081cc0dc00b13a4269a39531f53101ad984e522796aa3

Download Submit
C:\Windows\SysWOW64\Cnkkjh32.exe

Filesize
128KB

MD5
b69e537e1e39c4b67c722c18dd88161a

SHA1
af6421b67227b68b7b4209ed4850fca36534abfd

SHA256
40d780c507ae9cf8ef882897bb0986d8afe21c031ce1983bc4be3b09e8fdaddd

SHA512
62b37f2dec1b409a5d66594b27c5cd8f90b71a41c10413bd0ab084134070f44c9fc60975fbe7e27234c1bf5e962cc1c2c8d9f6b625d77259811007ca07f7e87b

Download Submit
C:\Windows\SysWOW64\Dflfac32.exe

Filesize
128KB

MD5
861a76bd418a90b93e9f2fe00ab7ec2c

SHA1
3f3f161ce2716a86d7ba1667a04518bcea9d686b

SHA256
8e3a353d5ee42af4f55c78581fd0a133dae190eb42efa305e86eb8dfe875d355

SHA512
25895f35fc1d552209422194e298939861fde4eeab673d6190d4ed8949277403c2ec119146f68a904383e0390b47c460eb48bd573e01f575925e917f3aa9f324

Download Submit
C:\Windows\SysWOW64\Dmennnni.exe

Filesize
128KB

MD5
d754e2057cbee6524733a2a1a539a4ab

SHA1
db7750fa1060eecafadf8cf2510605b00a950237

SHA256
1086ba292382387f535a8c5a72a1e2a3727b7e15e7036b65f17723aa8ec6ce8f

SHA512
5dfaa4ed6104187504cd092991406e7ccdb4627794c1cca819cc50c6a0db0d225225c99f1ea9f1b84094d326875becc825992b0e8617bec8b1018927039629d7

Download Submit
C:\Windows\SysWOW64\Dnbakghm.exe

Filesize
128KB

MD5
1f56469eabedc684f751a85cf31bf0a8

SHA1
1d7044e3a540eb1780671840b9dedf66dc44f0e8

SHA256
bff738e0341f0769801ad97f256863e800e1658c4368f441a40548293a9cbf94

SHA512
28589d26093643bc67094d838c480a35d945159d270b5f8c59e1e1c8d04bd00f457f58c18fb77cc83e1e33fa6ef00a21c326fbb82af21a4d23c18d57e8d7b498

Download Submit
C:\Windows\SysWOW64\Ebdlangb.exe

Filesize
128KB

MD5
be82878df8c290f6fb082c5d030c7672

SHA1
ee5ab4852fa268d5703dfa68982129c6dbd2b1c1

SHA256
af8c7544bb13342638c834f19982234b4feff98309d96d27dcc5df9f085ac432

SHA512
ab0217b2176e202f5957a1ae0e31dab47bdcbb9f5fcdb001c59f166f35caa07b34f5a207519401660a63b12a62b6d017f9ae66cf4a5df9a46180d20a12a06082

Download Submit
C:\Windows\SysWOW64\Eecphp32.exe

Filesize
128KB

MD5
bf625a8882e834dbc187d847b6e4e11e

SHA1
c5ab097acb93e47e6182768728c6c21c10a7de8a

SHA256
682f6c902789387e6245dddfd020f19636608a7675ea192af39c4561be5c2436

SHA512
2f098b8c24fcf17d067a694dd1a9d7e43ce8f0011bb788b564723ad6b37634e214aad26f16b06abb96658d4be57a8a36988a99de9f5bcfc65b1f7e09eac99e78

Download Submit
C:\Windows\SysWOW64\Eeelnp32.exe

Filesize
128KB

MD5
69ce3f03c5cf95512d18179bc5af63b7

SHA1
7821c11c5cdd7d1616f3e9b5e1ab9ab4eae9b45b

SHA256
3b222b0d54388341d80329ee26f9fd7304f390bd2f1b74652ab0b15baa7c9f03

SHA512
5b852319057972fb033d7f84ba9af3dc0c0b20d07e554e5991d0fb92e55083a6c611d10faf7ff419450d849944da50f46a5ef81a76165f7ac6550879537d872b

Download Submit
C:\Windows\SysWOW64\Egened32.exe

Filesize
128KB

MD5
372cb81567d0e0c532d3d6034b26520b

SHA1
358d6f9349138138de708a63c3c23ac0122c15e1

SHA256
4bceb6de9006e46c3cc2e59de349808d071d8eb688713ac51e3858f2ad390476

SHA512
0bf0b307e8c792ba97e77793a6a55715a18dc26f64f363d8993537ca018600083023ece55c2f61c69600cac776379df7a3ebd0042ab4e900bce7bb27ce65d280

Download Submit
C:\Windows\SysWOW64\Eiekog32.exe

Filesize
128KB

MD5
83e8211473fe7bc02f3a1b5ee72de893

SHA1
6c6e123a887d56b07b9da253a990486eca7e0ebd

SHA256
2fb95ef861526caa58788768c49ae5903aaa403ec302f5872f9fcf8452ef86b1

SHA512
80019d7bcda121696d0ee88bf0ba94acef2244b16cdf91365260a7de3dc3d3671008f25a9cc2d7bb8e0470881e44048603285acb811f54056816b31422747440

Download Submit
C:\Windows\SysWOW64\Enbjad32.exe

Filesize
128KB

MD5
66d49cd8fc4fc6e82f736df203811c81

SHA1
e1a78b83dbcab19fca5f5c89922c74a3d8f7bf29

SHA256
1cbfe24fa5fafbe4a77a4f9d53fd06f8211a6861e9c69992d2861bdc4aae0677

SHA512
96bf41dca21160c6c8a8dd3c7121a0b20144ffb3b8e1219e256694c3b7273dc56701cfba3551d495be0b7489de5bb164d6c690b0d05f24c4ea689b57ac0b632d

Download Submit
C:\Windows\SysWOW64\Enkdaepb.exe

Filesize
128KB

MD5
a0c46f58f1cb5d2f97dc0da33c73884c

SHA1
e4e27f237e4d2135a0988c169a2b1979afc608e3

SHA256
13aca62aa5f4b4d9c1bd03586f2f825c8a5ecbae9e7959866fa60530301c13ad

SHA512
e56798b1aa3517a9ca0b496d4da99f8c4e4b9cc8c5d312edc08e769db3f508dc78dc7bb0d8a23eb2209756fd8878af3bc82c36dd4efede1d3bce4447a3d1728a

Download Submit
C:\Windows\SysWOW64\Fbelcblk.exe

Filesize
128KB

MD5
b67eb3582822462e9c6e70bd5ac685b9

SHA1
ceda6918b9420289c554435b939c498083fd4286

SHA256
521a764e408565d7e2d4b0e6d578800632068a2b25ac492770d2b4e240ade737

SHA512
8dadad10918da6db6c18a6f60f1054b973aaae6125b2f7e06f2a39a7939e9e10e0cffa7530abe626329eed0bea1fc514e85d81a614ffd5a055fe96ca8b37184c

Download Submit
C:\Windows\SysWOW64\Fefedmil.exe

Filesize
128KB

MD5
6cbaf2123647dad9b186dbdab2b84dab

SHA1
4269b1540a5ec401d5f3a72e5a6d86380b07abb2

SHA256
e963e3027ddf6289b927cb4b286a901a86c12e829168aff2e2b4e236b19ab7e5

SHA512
130abf4b6a8b4919c296794f2c88b3791f6f85839d542b8cd7b0e8e2849610a08e220ee61a55b91072fed80e790eea14267946a0d53bde6c27debf0074b7f032

Download Submit
C:\Windows\SysWOW64\Fkjmlaac.exe

Filesize
128KB

MD5
42d4383b4e62367892727c7340bc4489

SHA1
193d7d01b197700284f9a0af3062fbc20f6c3363

SHA256
82ea1e2e8178b03bcd5dea5bd17eca773ae9ccac1c4a2f1145917618895f5b79

SHA512
fec09089c75bef4337e0acde3dd773c46e35679eb28267852d7e7721ad42ed05b2a72a99654a409f67e9a553c8625b6b2fc7668f3bc6ccd3fd4e1c7436c35475

Download Submit
C:\Windows\SysWOW64\Gblbca32.exe

Filesize
128KB

MD5
106b89554ec4bb911d970797199e3d0e

SHA1
a62eea6ea031289e97dfa1c91d1d50082bfe9a01

SHA256
34db7028174eb2f11a26723c6db265520772285a0bc858e2a74f319e810e61c5

SHA512
37a4e86996c3489a59e5a93872aed95f7fa1b7a49629038662b08446b4cfd5fd079a8981772798337cbb00ecdfbb81de615206ed7d9aa5469ad413805ed11b54

Download Submit
C:\Windows\SysWOW64\Geaepk32.exe

Filesize
128KB

MD5
2c423beebc3e2d94d86183f548a1aea4

SHA1
27a32abe4f3f30b4531d2668b7af99fcaabf079b

SHA256
c1560ebce8e748458752ed62f9801a0f6395fd1e017adb0bf34132e4a728c559

SHA512
d0f8983ba9875a0a15b3a9cb899ded950b71698b512976aba17ece2aaad2833a78e35f21310d805d77d7042bb447773862317e57bb14f45579057bf4c08b5361

Download Submit
C:\Windows\SysWOW64\Hblkjo32.exe

Filesize
128KB

MD5
d6e75f5cd4d8fe766145a603cc5965b1

SHA1
0dd889d0461ef431ed241c51857b71a1fe81c5da

SHA256
0eb611487e24931a02ea2fee6772b220ef827e8f70c9773e53d3b79e4f216cc1

SHA512
1e828be07165b45665cb4098eff6bf14d2f7f079e9303a79dd195383e377823b2df3756d510346e8cf9134a3b9dd24973ab16ae75dbe11de6274621d275849f9

Download Submit
C:\Windows\SysWOW64\Hhfpbpdo.exe

Filesize
128KB

MD5
66f442d76e8838e06842647be74e7dca

SHA1
c60970414edfa1f7ba60cfb01df9b5e8f6297109

SHA256
dd3cec5fec601507acda4117f7caf5e8faa00761323c993c08723e5c21ac5a9c

SHA512
07d19e1ba8fe26361f17b8ca1b5cc53076a08e3fe9bbab71bdf0f65be73d5c9ee74064704bc7f8c06c223140a5405bbc8e340782ab71ab8bebddb07a1cdeeb3a

Download Submit
C:\Windows\SysWOW64\Hoobdp32.exe

Filesize
128KB

MD5
6aa408cb9daedd1bc1ed1b655ab7fd40

SHA1
3663b478111cfd72e337f8c40133ad9b42014e70

SHA256
e7ff11ae711b3b30b1a6209b9257e5abfe87452d992d5c81b4053451a0a170fd

SHA512
0876d22177300e808aa9845cd24e4785faaf0a15025bf0bf94e6ee86a58c592b4d77ceb15cfca502d9c10f80d43b6d2d24906fe11c324afc9ab6cb0ef403120c

Download Submit
C:\Windows\SysWOW64\Iefphb32.exe

Filesize
128KB

MD5
b483d4aa3ba00768b8ccb853912f1b25

SHA1
0f306a078f147c4bf9ba46eb1ff5d20b343f584e

SHA256
55e38a39056a18611e65037995dd3b89da59187f94f531f39f9067a811357d60

SHA512
646d241cf75cc919c7befe2439fc39f212405b112c23c7ad2bd93c8ab11b0d1a6aae18657ec0c682989dc47e8e99b0657ddd6c3ddd3f96af11d73d488c98d7cb

Download Submit
C:\Windows\SysWOW64\Iijfhbhl.exe

Filesize
128KB

MD5
0b5a93b833500ed0eab2bd531379428f

SHA1
cd09d16063d4aab99ab65a854b6bd5d1c5109e17

SHA256
4d730b560322a987cdfc5197f2416293614df1121a73c0ab49fc58c09fdbeeaf

SHA512
e38ccd689c1f8ed3847d8bdb995d91d54e1cbcaef79bccb5d90facc869fdbc843f388e15aed37d31e3f8c74b8a8985c158c3996362316de7736ea94ae8dd2ac2

Download Submit
C:\Windows\SysWOW64\Ilnbicff.exe

Filesize
128KB

MD5
05942e1f61ede7f233dd765c79055b46

SHA1
ac2b388030722e106d459bb4d4130b5eb5f217ba

SHA256
d49bd7d872766b595049ecc31466255e5c8603b1d06b5d248b8608be881ec520

SHA512
28a72825012deac007b2a0965692f9e3e651d3dbb7ffcd65f9d487990a8b749ad2ded7a0b13115ddda4cbf084b683f0cc09e0a88f12e41efd919677f5761d1e3

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe

Filesize
128KB

MD5
039011fc554be2dae131ca029113dde9

SHA1
93698fbff62007806c34f32b40f7076aa2b96509

SHA256
46af2ac5173da6e135b1026dbede87643f5f6fc30cd0f4d377098f56e6f015e7

SHA512
2c57528b5437ceb6987641670b137f0c15b0088ab9c55d87949b22107595907c1745908a6c10a3c6cdc2741cf6412ff9a9b3e780d3b3a84345036c98adeb2e44

Download Submit
C:\Windows\SysWOW64\Jepjhg32.exe

Filesize
128KB

MD5
6ee6a8c97b52affc8d8d2db20575d95f

SHA1
6af093114d8e7a63b3b5a6cdfa93f1875ce8973a

SHA256
8114717fe7c8ef75d338214b65cb5aec5a1745dd668d4244b50017bf5db03f49

SHA512
6dec955ae28c06fa6ac9d24d8b748c57ada228243bd25aa80628a9f3309c8a7b7d7e44a2992fd680fe15a8e92b5b83beffa92e672a57c04393975fe196fb42d9

Download Submit
C:\Windows\SysWOW64\Jinboekc.exe

Filesize
128KB

MD5
95a152350311c811bf469e4baeacbe91

SHA1
cbe6c57abe962416126bca6a475b4c99c154cd38

SHA256
1b1f85227227c10ca1f0bd9d66c36c678d73303edadbd5b51eab8b3646650fda

SHA512
7cedd2b03515b483ed1414098a765af181418e02731862ae20fd631cb72eaaa0afe78f890731eb5bc5ffec2400279b48cd15e14ab4c9e476f1438e1ad92a5baa

Download Submit
C:\Windows\SysWOW64\Jleijb32.exe

Filesize
128KB

MD5
ea0b37bec01e8a9bd7c8a0717687b8bb

SHA1
d512dc32d04488f7f1672177690e843ba61e0306

SHA256
ef186385475691bb794c3f8d128ddac353107fea2df495b809ea9fcadb13e9e5

SHA512
289693872c2883efcf3a8b5db70cbff524be252343e6b6be9b138f7a331f52bff285939a10abfbe86c2c398d1fd36971028fe080163b10ca571144ddcfd7440d

Download Submit
C:\Windows\SysWOW64\Jlolpq32.exe

Filesize
128KB

MD5
de8c917c68b4c4946c587ed519d1ca0e

SHA1
ce111338c692bba517d98db3f4b80a93b74a61f5

SHA256
182dd2b72cbb645eb98ce343def83ede6e421dfcd6c35b78b37507f1a1917636

SHA512
4afe413a2e41b4aa83681990b5e6d3bbabb2d7485cf5e8d2876fce4b0cb7cba1b4915f3f7a82612c7730a8cf2e38c254cea625265ea185009352b1fb7e5ddeb7

Download Submit
C:\Windows\SysWOW64\Jpcapp32.exe

Filesize
128KB

MD5
e53ccf58583d6881a0e5d25a1d596ff6

SHA1
5580326fbca9cbdd356935937f69b86d5dc7ff93

SHA256
2c30f2a120807139c1e28f089538bac5c9adfe14edaa220095e209ccce448dd1

SHA512
6f4b6a70fb807c4b666d8337fb06884b998c40ce9d0662b58a29a97d379cb781a9d17a72330dbb8daef8decd5eee4bd26a13a10749215e2ba682c68b2dd122dd

Download Submit
C:\Windows\SysWOW64\Keimof32.exe

Filesize
128KB

MD5
20b80c2de9fa1d0fe7abf51f565872e2

SHA1
17070e9068430d5c0cc063a63c5139da049d4a06

SHA256
eefdb2ae8d74790a59970b16c981e69f57330a9e49772819790bd3a7337b34b7

SHA512
5335fe1ac1ce6c097733fdc09c1185b1eafebb56fcb3eabaeb9f6f24f3a9733f7f25336e1c3cda604488b5ec8c963b2238dc13f7fdbc8a71ec48838ae90575db

Download Submit
C:\Windows\SysWOW64\Kncaec32.exe

Filesize
128KB

MD5
06e2bdb33635423f631f16f844b920a1

SHA1
fa7cc2d80e71bbacdfc810b125354c4f2d81c3b1

SHA256
76f6f0d221018f8b90e77096b907a85756d884c289bdf2d635db71e720d3a73b

SHA512
3db230e876ad222207b9c4482cefe95e040a219eea86f60e5fa6f387d439125f666e3b2dc9934adaff5c0e155481e1fed08f1cde926c172689b3071d74403849

Download Submit
C:\Windows\SysWOW64\Kplmliko.exe

Filesize
128KB

MD5
7443860e78af3dca9d29362ca70acd4d

SHA1
454ecd33892e469f4d67712395749dc872b797c6

SHA256
f77e2ec0423a11b3823ce19e70994849cbc98684882a1e5a2bb098e1472bad1b

SHA512
9867cbf96d5c80d4ae4271b370af9e88c155446722f6dd91f6e9940ffc6be7cbdda0b60009ab5fc9ca5a79d83824f86ef07f27ffbd86da722f29c387c28ee3a2

Download Submit
C:\Windows\SysWOW64\Ljnlecmp.exe

Filesize
128KB

MD5
0153d174f1127469e4c98b099e50f012

SHA1
d44669c4e01e2cfe72def948a3e58a413b17a0a9

SHA256
aed155410834a04309f1ea2115c34b78ed6015da54866b98915f4ba87795f70e

SHA512
d3234d153879a3e57bf6473a8eccf29b940d8b159160672598dd1c9b131ed1675becb21960ddafde0a6085d98880336385e7a3706261d24aced90605104eb3c5

Download Submit
C:\Windows\SysWOW64\Lljdai32.exe

Filesize
128KB

MD5
37fc3e5c679f40814b02fe57c977ef69

SHA1
4658e122ebd216b2883dedbe67e4f9cee85e7613

SHA256
bd9ea5a08c58080eb2ec058afa5024c5caf957bb6166812ab21d0c0141febe06

SHA512
cdb923d49ddffb0bb052476430692a02bd3e3380d75dff5406c679122054d78f50708e1ae864a7e6908d196e176bd1a8bd69a9a802a152e1ef3c3327f74f1534

Download Submit
C:\Windows\SysWOW64\Nfihbk32.exe

Filesize
128KB

MD5
9fa19a3f874daef541d80ee0c7d554a6

SHA1
674f1cd832587ccc46950ea15583aa2c42c94629

SHA256
aeaa213bb526f361baa4e26bcde2707c80137071927b9369dc2e23d22aa9b000

SHA512
395c8617adbdb4cf7ae7abe12284c0e0add4adbb900e3fc7150aeb38005ce6ffd1d19d9fb521b3dd3b10067b75522003f26f7205e9470c9f4e91d0d2004d4b58

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
128KB

MD5
b9e7c5604dff57e95c5323f867b1628e

SHA1
70859d5004944bafa342baea84c48ffed768582e

SHA256
2b2f62b55a3f921d64c9950362718f9b57c6f35c04ad226f6d75837c1ef265ee

SHA512
08bf3a00259faf9512138a3691daa2358286de1a42cde362908e843d10e12cf775e1164c18ee0f28d4e480395cdcd24f955e853f7c7fa20483c8f343eb475260

Download Submit
C:\Windows\SysWOW64\Pcegclgp.exe

Filesize
128KB

MD5
58c50919d38cf1b4818a2a2dd8ef49f4

SHA1
13fa7871d837622c0eccfe61f8790249b2d19e45

SHA256
1235a094e2b0f55ab41c6c5043224b07d4c9401768b76b7c8b8aeecfed5b3ac8

SHA512
0d0485abb7878092ebde194052f04162b4cf4ebbff36ca139783e57c0a25cb0d0f9f913bb9eea60e9ab88662e87222df61c6892e4962a082b9837db73be14bb7

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
128KB

MD5
c3fd8affe19b456cf8c928b7a26e3336

SHA1
90495d3e508411c306210bd1e4ab18cf31946289

SHA256
5d233a04fefa40e362d29c72024edaae88e3b18bce1c540075b36103e1dc3fb6

SHA512
c63c47e5c86613dde9a8c902daceeccb3aaf4b92d3bcb9d1a0d0a0ed7877e55aa49ea5e304819d987ee1ef62ac706c6ec148140b55c7e82bea2eeaae62285ab9

Download Submit
memory/216-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/216-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/224-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/224-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/812-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/812-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/836-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/836-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1288-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1288-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1344-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1460-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1460-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1516-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1556-385-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1600-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1600-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1836-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1836-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1840-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1840-398-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1940-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1940-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2012-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2056-226-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2056-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2112-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2112-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2320-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2320-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2376-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2376-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2404-384-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2404-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2512-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2512-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2512-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2572-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2572-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-391-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2688-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2688-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3108-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3108-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3324-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3324-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3344-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3344-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3436-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3436-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3564-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3564-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3596-378-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3840-34-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3840-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3924-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3924-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3992-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3992-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4076-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4076-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4128-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4128-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4356-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4356-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4632-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4652-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4652-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4824-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4864-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4996-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4996-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5088-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5088-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5108-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads