8fc77170fb8d7a0c3656319c10316932a0726c1a706c097296e8d24f101c2b99

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4c94e1d2e1d26cdc10d316c5ec74180_NeikiAnalytics.exe
Size

120KB
MD5

c4c94e1d2e1d26cdc10d316c5ec74180
SHA1

fcab1dcb1afa1a5ab90823ae5ef5956a16dfef6e
SHA256

8fc77170fb8d7a0c3656319c10316932a0726c1a706c097296e8d24f101c2b99
SHA512

9851aecab18b8d8eddadcef82857428989761c701cdcca74e3a537bfa5b124cf545df5de76f04b2ff523fb15619bc5accc3e833b64a95fc8f38a3719e9202c95
SSDEEP

1536:as5LTi/2Ux6Sr5RecTZu5cSy2W7JV7gckMTpsbdQ43Ct5E1jz0cZ44mjD9r823F4:ashan6Y57u5reZVdX4m59i/mjRrz3C

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bifkcioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glhimp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dckoia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdknpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfjllnnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaqhjggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fboecfii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcoccc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjhfif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelonkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c4c94e1d2e1d26cdc10d316c5ec74180_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejqldci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iahgad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bipnihgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfolacnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joekag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbala32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fiqjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dllffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iacngdgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acccdj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lamlphoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lafmjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhhml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadpdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjnnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncpeaoih.exe

Executes dropped EXE 64 IoCs

pid	Process
3236	Fnbcgn32.exe
4540	Fniihmpf.exe
4848	Fiqjke32.exe
840	Gpmomo32.exe
4696	Gaqhjggp.exe
2568	Glhimp32.exe
3264	Hpfbcn32.exe
5420	Hlppno32.exe
2224	Hejqldci.exe
5340	Iacngdgj.exe
5324	Iahgad32.exe
2212	Iialhaad.exe
4860	Jpnakk32.exe
5936	Jocnlg32.exe
5928	Joekag32.exe
5992	Jeapcq32.exe
5484	Kedlip32.exe
3308	Kplmliko.exe
5536	Klbnajqc.exe
4812	Kcoccc32.exe
4680	Kadpdp32.exe
1016	Lafmjp32.exe
5800	Laiipofp.exe
5400	Lhgkgijg.exe
4012	Mbdiknlb.exe
2964	Mjnnbk32.exe
4892	Nblolm32.exe
2560	Nbnlaldg.exe
1280	Ncpeaoih.exe
5032	Ocdnln32.exe
3768	Omopjcjp.exe
2008	Oophlo32.exe
5796	Pqbala32.exe
2376	Padnaq32.exe
5196	Pjlcjf32.exe
2344	Piapkbeg.exe
2192	Pbjddh32.exe
5216	Pciqnk32.exe
2884	Qjffpe32.exe
1416	Qfmfefni.exe
5172	Acqgojmb.exe
5056	Acccdj32.exe
1588	Amnebo32.exe
3540	Apnndj32.exe
6008	Bmdkcnie.exe
2592	Bfolacnc.exe
3944	Baepolni.exe
3972	Cienon32.exe
2056	Cgiohbfi.exe
2296	Caqpkjcl.exe
3184	Cdaile32.exe
3204	Dgbanq32.exe
2228	Dkpjdo32.exe
5416	Dckoia32.exe
5428	Dcnlnaom.exe
3376	Dpalgenf.exe
3272	Enemaimp.exe
3496	Egnajocq.exe
5960	Enjfli32.exe
5896	Enlcahgh.exe
4956	Ejccgi32.exe
5500	Fkcpql32.exe
1600	Fqphic32.exe
3284	Fboecfii.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jacpcl32.exe	Jelonkph.exe
File created	C:\Windows\SysWOW64\Oijflc32.dll	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Dlqgpnjq.dll	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Iacngdgj.exe	Hejqldci.exe
File created	C:\Windows\SysWOW64\Odanidih.dll	Ejccgi32.exe
File created	C:\Windows\SysWOW64\Mpaifo32.dll	Hbiapb32.exe
File created	C:\Windows\SysWOW64\Jelonkph.exe	Janghmia.exe
File created	C:\Windows\SysWOW64\Cbpijjbj.dll	Nhlfoodc.exe
File created	C:\Windows\SysWOW64\Ldbhiiol.dll	Apnndj32.exe
File opened for modification	C:\Windows\SysWOW64\Iacngdgj.exe	Hejqldci.exe
File created	C:\Windows\SysWOW64\Baepolni.exe	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Koimbpbc.exe	Jaemilci.exe
File opened for modification	C:\Windows\SysWOW64\Ofdqcc32.exe	Odedipge.exe
File created	C:\Windows\SysWOW64\Mjdmlonn.dll	Clpgkcdj.exe
File created	C:\Windows\SysWOW64\Aglafhih.dll	Iahgad32.exe
File opened for modification	C:\Windows\SysWOW64\Glhimp32.exe	Gaqhjggp.exe
File opened for modification	C:\Windows\SysWOW64\Lhgkgijg.exe	Laiipofp.exe
File created	C:\Windows\SysWOW64\Nmdkcj32.dll	Laiipofp.exe
File opened for modification	C:\Windows\SysWOW64\Pmhkflnj.exe	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Aemghi32.dll	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Ilnjmilq.dll	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Fqphic32.exe	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Haidfpki.exe	Gjhfif32.exe
File created	C:\Windows\SysWOW64\Ifkqol32.dll	Jaemilci.exe
File created	C:\Windows\SysWOW64\Gdojoeki.dll	Ofdqcc32.exe
File created	C:\Windows\SysWOW64\Pfeijqqe.exe	Peempn32.exe
File created	C:\Windows\SysWOW64\Pmapoggk.dll	Gpmomo32.exe
File created	C:\Windows\SysWOW64\Ffdihjbp.dll	Hejqldci.exe
File opened for modification	C:\Windows\SysWOW64\Kplmliko.exe	Kedlip32.exe
File created	C:\Windows\SysWOW64\Efehkimj.dll	Dkpjdo32.exe
File created	C:\Windows\SysWOW64\Enlcahgh.exe	Enjfli32.exe
File opened for modification	C:\Windows\SysWOW64\Gdgdeppb.exe	Fklcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Janghmia.exe	Jehfcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mebkge32.exe	Mcabej32.exe
File created	C:\Windows\SysWOW64\Ciknefmk.exe	Cdnelpod.exe
File created	C:\Windows\SysWOW64\Ejccgi32.exe	Enlcahgh.exe
File created	C:\Windows\SysWOW64\Jbblob32.dll	Fnbcgn32.exe
File created	C:\Windows\SysWOW64\Hfibjl32.dll	Glhimp32.exe
File created	C:\Windows\SysWOW64\Joekag32.exe	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Mjnnbk32.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Dcnlnaom.exe	Dckoia32.exe
File created	C:\Windows\SysWOW64\Gpngef32.dll	Ciknefmk.exe
File opened for modification	C:\Windows\SysWOW64\Iahgad32.exe	Iacngdgj.exe
File opened for modification	C:\Windows\SysWOW64\Apnndj32.exe	Amnebo32.exe
File opened for modification	C:\Windows\SysWOW64\Pcpgmf32.exe	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Dfakcj32.exe	Dllffa32.exe
File opened for modification	C:\Windows\SysWOW64\Klbnajqc.exe	Kplmliko.exe
File created	C:\Windows\SysWOW64\Pfigmnlg.dll	Nbnlaldg.exe
File created	C:\Windows\SysWOW64\Mnjenfjo.dll	Ocdnln32.exe
File opened for modification	C:\Windows\SysWOW64\Pciqnk32.exe	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Enjfli32.exe	Egnajocq.exe
File created	C:\Windows\SysWOW64\Iagpbgig.dll	Lamlphoo.exe
File opened for modification	C:\Windows\SysWOW64\Jeapcq32.exe	Joekag32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmjlio.exe	Nchhfild.exe
File created	C:\Windows\SysWOW64\Pdngpo32.exe	Ooangh32.exe
File opened for modification	C:\Windows\SysWOW64\Qkfkng32.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Iialhaad.exe	Iahgad32.exe
File created	C:\Windows\SysWOW64\Pqbala32.exe	Oophlo32.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Laffpi32.exe
File opened for modification	C:\Windows\SysWOW64\Mbdiknlb.exe	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Celhnb32.dll	Fdpnda32.exe
File opened for modification	C:\Windows\SysWOW64\Lamlphoo.exe	Ledoegkm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6768	6644	WerFault.exe	231

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdphmfph.dll"	Bifkcioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dibdeegc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlppno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lamlphoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knaodd32.dll"	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmnibme.dll"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgqep32.dll"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnhgglaj.dll"	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnbnjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpjea32.dll"	Hnbnjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilbckfb.dll"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c4c94e1d2e1d26cdc10d316c5ec74180_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efehkimj.dll"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmanm32.dll"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odedipge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abpcja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c4c94e1d2e1d26cdc10d316c5ec74180_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odanidih.dll"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqgpnjq.dll"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaemilci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqphic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlqeenhm.dll"	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmcle32.dll"	Dllffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enlcahgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bikeni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmbbe32.dll"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgljk32.dll"	Pqbala32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fiqjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkacq32.dll"	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfkgg32.dll"	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ooangh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpmomo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanpie32.dll"	Qfmfefni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffahdpm.dll"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijaaij32.dll"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobepglo.dll"	Aeffgkkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Lafmjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Piapkbeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klbnajqc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 3236	2620	c4c94e1d2e1d26cdc10d316c5ec74180_NeikiAnalytics.exe	91
PID 2620 wrote to memory of 3236	2620	c4c94e1d2e1d26cdc10d316c5ec74180_NeikiAnalytics.exe	91
PID 2620 wrote to memory of 3236	2620	c4c94e1d2e1d26cdc10d316c5ec74180_NeikiAnalytics.exe	91
PID 3236 wrote to memory of 4540	3236	Fnbcgn32.exe	92
PID 3236 wrote to memory of 4540	3236	Fnbcgn32.exe	92
PID 3236 wrote to memory of 4540	3236	Fnbcgn32.exe	92
PID 4540 wrote to memory of 4848	4540	Fniihmpf.exe	93
PID 4540 wrote to memory of 4848	4540	Fniihmpf.exe	93
PID 4540 wrote to memory of 4848	4540	Fniihmpf.exe	93
PID 4848 wrote to memory of 840	4848	Fiqjke32.exe	94
PID 4848 wrote to memory of 840	4848	Fiqjke32.exe	94
PID 4848 wrote to memory of 840	4848	Fiqjke32.exe	94
PID 840 wrote to memory of 4696	840	Gpmomo32.exe	95
PID 840 wrote to memory of 4696	840	Gpmomo32.exe	95
PID 840 wrote to memory of 4696	840	Gpmomo32.exe	95
PID 4696 wrote to memory of 2568	4696	Gaqhjggp.exe	96
PID 4696 wrote to memory of 2568	4696	Gaqhjggp.exe	96
PID 4696 wrote to memory of 2568	4696	Gaqhjggp.exe	96
PID 2568 wrote to memory of 3264	2568	Glhimp32.exe	97
PID 2568 wrote to memory of 3264	2568	Glhimp32.exe	97
PID 2568 wrote to memory of 3264	2568	Glhimp32.exe	97
PID 3264 wrote to memory of 5420	3264	Hpfbcn32.exe	98
PID 3264 wrote to memory of 5420	3264	Hpfbcn32.exe	98
PID 3264 wrote to memory of 5420	3264	Hpfbcn32.exe	98
PID 5420 wrote to memory of 2224	5420	Hlppno32.exe	99
PID 5420 wrote to memory of 2224	5420	Hlppno32.exe	99
PID 5420 wrote to memory of 2224	5420	Hlppno32.exe	99
PID 2224 wrote to memory of 5340	2224	Hejqldci.exe	100
PID 2224 wrote to memory of 5340	2224	Hejqldci.exe	100
PID 2224 wrote to memory of 5340	2224	Hejqldci.exe	100
PID 5340 wrote to memory of 5324	5340	Iacngdgj.exe	101
PID 5340 wrote to memory of 5324	5340	Iacngdgj.exe	101
PID 5340 wrote to memory of 5324	5340	Iacngdgj.exe	101
PID 5324 wrote to memory of 2212	5324	Iahgad32.exe	102
PID 5324 wrote to memory of 2212	5324	Iahgad32.exe	102
PID 5324 wrote to memory of 2212	5324	Iahgad32.exe	102
PID 2212 wrote to memory of 4860	2212	Iialhaad.exe	103
PID 2212 wrote to memory of 4860	2212	Iialhaad.exe	103
PID 2212 wrote to memory of 4860	2212	Iialhaad.exe	103
PID 4860 wrote to memory of 5936	4860	Jpnakk32.exe	104
PID 4860 wrote to memory of 5936	4860	Jpnakk32.exe	104
PID 4860 wrote to memory of 5936	4860	Jpnakk32.exe	104
PID 5936 wrote to memory of 5928	5936	Jocnlg32.exe	105
PID 5936 wrote to memory of 5928	5936	Jocnlg32.exe	105
PID 5936 wrote to memory of 5928	5936	Jocnlg32.exe	105
PID 5928 wrote to memory of 5992	5928	Joekag32.exe	106
PID 5928 wrote to memory of 5992	5928	Joekag32.exe	106
PID 5928 wrote to memory of 5992	5928	Joekag32.exe	106
PID 5992 wrote to memory of 5484	5992	Jeapcq32.exe	107
PID 5992 wrote to memory of 5484	5992	Jeapcq32.exe	107
PID 5992 wrote to memory of 5484	5992	Jeapcq32.exe	107
PID 5484 wrote to memory of 3308	5484	Kedlip32.exe	108
PID 5484 wrote to memory of 3308	5484	Kedlip32.exe	108
PID 5484 wrote to memory of 3308	5484	Kedlip32.exe	108
PID 3308 wrote to memory of 5536	3308	Kplmliko.exe	109
PID 3308 wrote to memory of 5536	3308	Kplmliko.exe	109
PID 3308 wrote to memory of 5536	3308	Kplmliko.exe	109
PID 5536 wrote to memory of 4812	5536	Klbnajqc.exe	110
PID 5536 wrote to memory of 4812	5536	Klbnajqc.exe	110
PID 5536 wrote to memory of 4812	5536	Klbnajqc.exe	110
PID 4812 wrote to memory of 4680	4812	Kcoccc32.exe	111
PID 4812 wrote to memory of 4680	4812	Kcoccc32.exe	111
PID 4812 wrote to memory of 4680	4812	Kcoccc32.exe	111
PID 4680 wrote to memory of 1016	4680	Kadpdp32.exe	112

C:\Users\Admin\AppData\Local\Temp\c4c94e1d2e1d26cdc10d316c5ec74180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c4c94e1d2e1d26cdc10d316c5ec74180_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\Fnbcgn32.exe
  C:\Windows\system32\Fnbcgn32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\SysWOW64\Fniihmpf.exe
    C:\Windows\system32\Fniihmpf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\SysWOW64\Fiqjke32.exe
      C:\Windows\system32\Fiqjke32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4848
    - - C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Windows\SysWOW64\Gaqhjggp.exe
        
        C:\Windows\system32\Gaqhjggp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5420
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5340
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5324
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5936
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5928
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5992
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5484
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5536
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1280
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        35⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        36⤵
        Executes dropped EXE
        
        PID:5196
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        40⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3944
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        49⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Enlcahgh.exe
        
        C:\Windows\system32\Enlcahgh.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4508
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4560
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        70⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Gdknpp32.exe
        
        C:\Windows\system32\Gdknpp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Gjhfif32.exe
        
        C:\Windows\system32\Gjhfif32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\Haidfpki.exe
        
        C:\Windows\system32\Haidfpki.exe
        73⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\Hbiapb32.exe
        
        C:\Windows\system32\Hbiapb32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Hcljmj32.exe
        
        C:\Windows\system32\Hcljmj32.exe
        75⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        76⤵
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        77⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        78⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        82⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        87⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Lamlphoo.exe
        
        C:\Windows\system32\Lamlphoo.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        90⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        91⤵
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:340
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        93⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        94⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        95⤵
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        96⤵
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        97⤵
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2716
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        102⤵
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        105⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        108⤵
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        109⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        111⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        112⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Amkabind.exe
        
        C:\Windows\system32\Amkabind.exe
        113⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Aeffgkkp.exe
        
        C:\Windows\system32\Aeffgkkp.exe
        114⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        115⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Bpbpecen.exe
        
        C:\Windows\system32\Bpbpecen.exe
        118⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Bikeni32.exe
        
        C:\Windows\system32\Bikeni32.exe
        119⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        120⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1056
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        122⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        123⤵
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        124⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        126⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Cemeoh32.exe
        
        C:\Windows\system32\Cemeoh32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Cdnelpod.exe
        
        C:\Windows\system32\Cdnelpod.exe
        128⤵
        Drops file in System32 directory
        
        PID:6316
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        129⤵
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        130⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        132⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        133⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        134⤵
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        135⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 412
        136⤵
        Program crash
        
        PID:6768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6644 -ip 6644
1⤵
PID:6708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:6976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acccdj32.exe

Filesize
120KB

MD5
e17f4306fb24839b77f543d4df7e41ad

SHA1
f18bbfca9816e55f5da64c3076b70c074e168044

SHA256
275866fc99d373d3cdf99a34d89aba97cf1b9863943b0482d7d75ff00e19c4ca

SHA512
5ed00d1ecd2766b6633bd12b1330226c03a063f51de8604133d8db9eed1223d826929a3c84e83322e79662f1e4c073faa2170a6ea188873e6329a7b3d3bb98a9

Download Submit
C:\Windows\SysWOW64\Akihcfid.exe

Filesize
120KB

MD5
d237a88bb9d7b08de39fb28ed317b1e1

SHA1
a7ee65ea48c5191a77714c2ac715d613e33c031d

SHA256
adc1192c15884c320ffcb523e1f824e0b9acff170562a3d4383fb6c86d26f047

SHA512
783d243fb65b57ac0c560d580b62798e5b3144fbdf068fbcee3493c01650e9a3f7b37afd0d72ba1254a882d026ea617a1c433ad2080304bf2271bcca8082c7d9

Download Submit
C:\Windows\SysWOW64\Bifkcioc.exe

Filesize
120KB

MD5
29489718f2d4f63f44250fcc4dc7e2a8

SHA1
67784add7c3eacf8e74106dc051fbe0d71a5355d

SHA256
3c9ad75b732cfd484a1089d4a4be88a83edf736e2bb7a292da75d9b260807669

SHA512
adc96ba98e7dc69002cf7a409b6b974bb40dbde68b3cac99d7f627053cc292c0875ecba798e2ec5b0233dd7a0861625376e43edb4e9270d2b7850570c4d2adc8

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
120KB

MD5
40c9e861136e3f6bdde01a5b0ce6a63a

SHA1
0341c189768201871ccf02a5804d38e9ebaf7ae3

SHA256
c5bcdb6d45f25a49e093f1cd9f6a85cb40b7a32bd3a7a65d98339ca0f3a21055

SHA512
92ce4f4b69e9eacd5d016a20731ef62229d1ffdcd881f55d060517c88ff64e19439afc6efe26f3ee416fcea92c92dbfa9ff34005ac948ac5af20166568776c68

Download Submit
C:\Windows\SysWOW64\Bpbpecen.exe

Filesize
120KB

MD5
6f2be47b8ca8f0c7d23e52a7f4c2ba95

SHA1
9dc400a784e74d0b0ec9f6138d0d50b55eb27cda

SHA256
126bcc6120018f395c1f4e261c97747724c653b59165b9ecb4ca7ea54ce18b28

SHA512
4037b145a03e3daffd45eed74a9db01877733b645c6f05bcb6e9c8b563adb12f463533fb18b0e4d3aa0531fb8877b63313d4720593bf4f78ded1f56804a350c8

Download Submit
C:\Windows\SysWOW64\Fboecfii.exe

Filesize
120KB

MD5
87db5a2147334e6f06f1624e258c9e7f

SHA1
0c5b3e644b9e2ea5f34310f2d05401898c756484

SHA256
caff6f368f81ea50840fead8ecb4c726fad9d0b55a01ddbe2af250bea194c42e

SHA512
978d36f16ac304f23e0da2825a64556c94660c49d58a835ed14a15e997f7e3705258c8f849e57c8a331a059bf629eb9bad331cbbf3d45a84398aac2dd1920cce

Download Submit
C:\Windows\SysWOW64\Fiqjke32.exe

Filesize
120KB

MD5
9a57db78750c59478f22cdfa480e4c83

SHA1
cac1eb2eec2de0dc484cf3c6191e116039494be1

SHA256
0c597b77fa8aaffef7ae0ce47ea306561960cda7c8b38d759d87dc5e2579b846

SHA512
baa3e71886b75e7ffee38c0604c6183ab4dcc62921471de4a26a96c14adde296cd7056174634c1c334fa5ba0018da1d0ad549239d1c9c7df2c3c335c7afabcbe

Download Submit
C:\Windows\SysWOW64\Fnbcgn32.exe

Filesize
120KB

MD5
fde943591738b3c7fed94f2f9cf03e51

SHA1
cf71634f2657e81cef25510b0527ff3dfb95f2a3

SHA256
0d85f08232a5bfcf0d3a1c8f753b9ed86adb738763223e8440644e0b33968bc0

SHA512
2f1593db3333e3fa5de3274c866ac390b1fa1d6a21c571d7fadd336769d68794c156c384685aa10c8f3c8b07b425361fb1907626405eff59b5384224467e6c1f

Download Submit
C:\Windows\SysWOW64\Fniihmpf.exe

Filesize
120KB

MD5
16caec1373536545b9c18315b900fe2c

SHA1
3f083ab828d11b91ef6f61b1059c6abcc4fd716a

SHA256
a2882c7630de2874556ceaecd257fe1e7edf7ed8814ed0aaf854dbd41792c0c1

SHA512
9c2eaf05c87b1bdef8f4d50974a58f6baafebfebb6543b064712cf25e6b6c51bb38f89c8678a05dae6404c5bae73d07b0ffe444d803acd5cef2fd7e412785272

Download Submit
C:\Windows\SysWOW64\Gaqhjggp.exe

Filesize
120KB

MD5
bb88b653270868abadde673f29b5457b

SHA1
2bcad29fba6f20fdbfa13e383ed32cbce1fb182c

SHA256
922dac13f5a78bb8f60fb7a9f32d28916a9c505601d0dcf1c8cd500cc30e60b5

SHA512
c402b9e9ea1bb9883134ee028a8633a00668e3e2088a64c01b4861ed5e5e997432338e014987112a1d2d85a98f47bb7f644451f3fb28aa5ea070eb2401cd6d39

Download Submit
C:\Windows\SysWOW64\Gdgdeppb.exe

Filesize
120KB

MD5
2f212fc4d31fba06d52b7695dfb65ed3

SHA1
3425f3156f5ef2ef370d1e1e9be86fb4e07ab2ee

SHA256
4d6d95b4a82459dbf3036455ebcf46a647d7c6f2234036a04b45cdafd57afe10

SHA512
d463087e81e28df16719b27a7675150e077e08c00767a761528f6ccb55dc3349c705b6090def5f47323849ed997b8832fc3ed16c3a80ea4c4c991e5355ad85a2

Download Submit
C:\Windows\SysWOW64\Glhimp32.exe

Filesize
120KB

MD5
e0f49329be07d193c005bfa9b1116274

SHA1
1edd830da32f5c41a78192119375482bdba3be0d

SHA256
799f8985cdc69cc2cf206b42291530483eee0d265652af8f2c0a376c55b03c58

SHA512
6cc691742c39ef530ead4644ef4730d5245da91f6106a78996d9fda640e022eddb915610d3e9e13ee91a1d02b21b03b5d1f40f37952f21e4c9f2e86bcf9e156b

Download Submit
C:\Windows\SysWOW64\Glhimp32.exe

Filesize
120KB

MD5
1affb421b9d24e65f333bca22aafca31

SHA1
0f36045b25cc021a627298416f9a32615722f5a8

SHA256
2be2b182a542d0d971c8a38e9c9995131c8b5b5437a56d293d283f87e3cc984c

SHA512
b7f51768fc4abdbac85d472d9953346c69d3160188ce06beb06b169d818216fbde862859beeebcd23265c1422ccca369aa94251a6a66968ee338412b4a18f41d

Download Submit
C:\Windows\SysWOW64\Gpmomo32.exe

Filesize
120KB

MD5
c40de139dbf45dd086e06e79976aa027

SHA1
f0c80cd6fe655c21c624ddbe81f019b4c2f5cade

SHA256
84c65b3b2bca26599ed594b201f96a1698ea8ce79ed7cd4eb416ef4595cc1453

SHA512
384b70fac0800a1bcb9e3be049f5f23f8fe17e971fd2e4b36e497e53272c98a92ac753aae03d6d2bb3b379d1def488f20ada97afd7b2457e32778ddb1125ea95

Download Submit
C:\Windows\SysWOW64\Hejqldci.exe

Filesize
120KB

MD5
9453e55639465beab23a9fc506dffdd1

SHA1
155a98f3d1238ecbd0eb137f68985325ccb43aaf

SHA256
28f92deb17a35c3c8234bfdfb07278ea50407121442260f974319c9f5962f731

SHA512
ee74079b72960ebf4a821a931c13a1f82ece464c5c17d6d511378641db04a243afc38ac9f983b730be2f5d28e67b339f7ec5d97d2b5c10e8d67237216f64c71b

Download Submit
C:\Windows\SysWOW64\Hlppno32.exe

Filesize
120KB

MD5
c0e4c8f3efa2052265b6ea67afce4f6e

SHA1
abceac8b3b13353b1ba1fc5c6fa0ed5c403498c9

SHA256
82d39909ca0a4eb3093410d7f3110be12fceab33cebd58479e2e59d2fd7343ee

SHA512
f0af68293a56e9e83a7fa538204ef74d152bca1270c7aaec5224affc31d251566eb3bef012767c5d85c411d9ca33b54e612a6e7c66e47d6505aae7793c623f71

Download Submit
C:\Windows\SysWOW64\Hnbnjc32.exe

Filesize
120KB

MD5
ab32ca6ee4c2cd10cc23d6a46406ea10

SHA1
0046967a436766cc1658149a9f4c0562235978e1

SHA256
6758e83f90686fac0bf7f8b290f2a68326f41769456ebb30a11f8edf2598e304

SHA512
7d3ebf17da474a0b4567f3d966459b3e126bfdf765ba474f5f0ef951b672bf4f072e1912d6aabfd0faae2a958fed3b0be3607a120b48c163266484f0fdc21ce9

Download Submit
C:\Windows\SysWOW64\Hpfbcn32.exe

Filesize
120KB

MD5
c74d70f80a94ee780c21154cbc4509c8

SHA1
fdee68a2c103e0a01bb6740a877fdb163227ef6b

SHA256
c216f41fbbaf7ba64dd6b00709e988d86c183fb4685c810c2871b1ddcf8d1fc1

SHA512
c91d938cf148b70aa277df1b643155c3c99db98fae3d738b66ef0d30fa82eaa680089c12a7f8cd71621420c20ad1cdd24b0baeef38dfb41f2ee2d25345b6ba9b

Download Submit
C:\Windows\SysWOW64\Iacngdgj.exe

Filesize
120KB

MD5
0cd93e005e893003e1394afc0839a176

SHA1
e17d40925531db5aaaf442bec07eabf8c7008eff

SHA256
5690061a5ad59f83b5a722ca6eed8faabaa5f28c7de2ff4f48d940dedda8376d

SHA512
6570e12bb3ceff94a6a07aab7fabf95b0bf77004298e8167c0eda27d0964bd5846fec5355b3c44839d6ecb06243e802ad4fe45eb53d37a8ecc4bb94cb1838f08

Download Submit
C:\Windows\SysWOW64\Iacngdgj.exe

Filesize
120KB

MD5
8209c62148d959e9f2171cca56d0332e

SHA1
3bfcffcec7319e7b7dff04aafa56adfbd3b130b0

SHA256
8cb42228531bb8f202ee2f5b74f4e73e0a33302b47699e0cc1f48eb4f4d36d33

SHA512
1e7f0e81d802aed019ce7f6664a328e5ebf13ed37337e84eb099dfa4b13b5f6a41ed9a7fce36f2ab444b521d6231a8e70cd763fa9d132b6db76d814ad2ff934f

Download Submit
C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
120KB

MD5
30f1cb72abb8f17c01b00152eb9803c9

SHA1
3448df952f2c6da555e4fb400f4a15de0507ad82

SHA256
b64d3dc07618a4e6902b631bc3a6d66e68b38ddf9b0c663880287dd6e40cdd57

SHA512
ff30b85c2af03b521508aa68bb61d141a7c40bbe9917193a2c99b78ba3317d9bc0a21c7d0468a8e38da1cd06139a3dcd69ca22271bb0ded05067104a73de0f23

Download Submit
C:\Windows\SysWOW64\Iahgad32.exe

Filesize
120KB

MD5
30ef1b2cf4e622d1ccebdf566ed5064f

SHA1
e6ba72f62a85f9dad09aa06346f83b805386dd0b

SHA256
6935c572a55d397c5d36887c6d72ec7c2e5d647e3e8a301ec7bb3d5ae8161053

SHA512
1f26137cb76d725e9905006e3c95c57a9756d674391c6af9c58204371b0d343fbdec035aba054aa3fb28bc0b1c8a0dea5750e6754abab093384ff4e5d04b7965

Download Submit
C:\Windows\SysWOW64\Iialhaad.exe

Filesize
120KB

MD5
6e5f74e4e63295a8d85d3a5ea1d8c86c

SHA1
378e3c15ce9394dfab42cf65d39d4146d2b79519

SHA256
a065d585eb66b3f26e488d81b1fa8e8fc6d30b3ff08da9b7dfc9e3167b0c285d

SHA512
28a886eb36a14286a7a6e721340748f6efc2d59745b8849df10b937300b6cef6a2ebbcedecbc7df7a999bcaf2ef96ac79f6dea72144078ee1b98c51a57686db7

Download Submit
C:\Windows\SysWOW64\Jeapcq32.exe

Filesize
120KB

MD5
d0d1d877c472f42bbf85b51419b74701

SHA1
77c2fb2c0419faa27cc4fa0d325e81ba07045e2a

SHA256
2dfbeca5f037f6051362811a694d6f79d3a84e315bf134b165397c88cfa3dfc2

SHA512
58e789cdd8aad5f379ca372a16220535fa88a2b088f7f4eec40fc3e0005aa97eb3e7149514cd47711463dfe9383b16bf7a4a5bb0a52412c0baa1f959f5c95a09

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
120KB

MD5
086168a0e201ae7d69feee41080c6db0

SHA1
0efeaa234c69e04d70dcce93b9f4ea8ba23f64a9

SHA256
9a25f5a4467ddd7b4d29e78246f9a48a88f8e554d1bd91a8effdfe544f8e02fd

SHA512
7adb4dc5f6bd6ab2fda7262b89db9f75cd9151eb68fee8cc9e70d952b1a8f820f73fe2a98c327a9441f284b5265a91c3daf0f656f41e8d023a6889308f418dc8

Download Submit
C:\Windows\SysWOW64\Joekag32.exe

Filesize
120KB

MD5
4f833d09cb918e6ba2dbd4c034bc2528

SHA1
a74c9bda11b2ae638e073c7aa8ea4c0a3d0e7e00

SHA256
2150e842b0416dadf55bd8a1636a04dd78e3c7535ef87acd13acee4f503a99b3

SHA512
aa8b70654dccd088f0420ed9c8c7a51c4b746f17831dcaac9a1619989495d87967f21e735599ecdaf6039c3c30b7a4e24884a873a49173fac8a7bd773743b867

Download Submit
C:\Windows\SysWOW64\Jpnakk32.exe

Filesize
120KB

MD5
349a013c03c08a237cbd2a1711583ac4

SHA1
e9c65479b002c54eb8e0c011c617110eea62b706

SHA256
f9c2c686505fac76171c58f0dba1cb8c01ab9b6a713369236befc5f68f87c212

SHA512
92cddbb27d3bf379abd2924dae202436dc419385361a840c701b927cdd64e43a191d7f8dbe3ee80fa9880f56c2e2ae8d7102f31e063c413b91f632ea0c249641

Download Submit
C:\Windows\SysWOW64\Kadpdp32.exe

Filesize
120KB

MD5
370bc0f5429709fba7e6f914260dd759

SHA1
fedd272fc04adbfcb8b69f2512d6498397776860

SHA256
3bdb10350f6e6baa55682614594b09bc372fc8b221ca343a4bb81109fe2e6319

SHA512
c9ba184424de5cfe7b3ddc0bf23ed770aecfb0f8e3d8cbcd6441e6d4521df147a6555b03a9f6e0f60c6eae559600e3b7b21b2926613b21304ffeadd2904291f5

Download Submit
C:\Windows\SysWOW64\Kcoccc32.exe

Filesize
120KB

MD5
e36cf608aeeafdcc033950e5e8be6f3e

SHA1
198b8410b8a6960fec9bb9f31bf3140aef801e2f

SHA256
124dd5519763df615b4185827e0bb16a5c5ea6a0e25fbe9c89ea6a1c6a2a5084

SHA512
0a77caff127fc98c87320d133daded82bf42481b5864ca2e85764f52c319a1d46aa702d247039a397cef51e3024542889282ac9914cbc1adc272b4ed356a6956

Download Submit
C:\Windows\SysWOW64\Kedlip32.exe

Filesize
120KB

MD5
b54758ca98d69d06a3936fb26d97b0b2

SHA1
b4ca0bac111e29259d6d2ada2168fc1d9ce4a6b3

SHA256
c5dee890c4cdf46f991e14bdaa31941fc3b56ca37b836122c26473b78b3100ce

SHA512
750f4d2c3c6daa405a3dec57203e7a1768af72e6354a9299e00f0222da31b907de0de443af5c2769c620aea51a392f47db673f3845dd1932bb7e06806d40cc5b

Download Submit
C:\Windows\SysWOW64\Klbnajqc.exe

Filesize
120KB

MD5
e64729ed61bf949300f5c24cfaca49da

SHA1
864084de833660bc0110b19a9debdb1641af9a3e

SHA256
ef86fa4acbca7e060deaac067003b888591ec173a573288255400b034e4786ce

SHA512
d070ad66141ceebe730b4ff1475d85240d5079c5d31602e385018079d1fcdc483415d71c7e2fb2ab96d9dee4c4d738b64a3087744df7e77407c05c4d95bded5e

Download Submit
C:\Windows\SysWOW64\Kplmliko.exe

Filesize
120KB

MD5
1790c32f9659193ffc7194f171447fb8

SHA1
b0051f3dac21f1ae77fd1876e57baefac75057a7

SHA256
a1f83487f57a37637d7b7ca10460d0394a8d2e55c8679c758fc78ff4dbc1f7df

SHA512
77070ae3b69ad88d62e19500af623d7c45f7c693062173d81785736f2b121b0c41c618d758b215351e8304a8f2d5831451562b9c1e1ff243c164bf11615fbd80

Download Submit
C:\Windows\SysWOW64\Lafmjp32.exe

Filesize
120KB

MD5
715a29c150fb1240cc9eaa2efc749536

SHA1
ff2f248e26b89d6192df362a4cdff79f15fe469e

SHA256
fa5ea4953537bd13769ea98c2b6af0939a6157861f5f031f668eb2c149780381

SHA512
125122c2f7efe417006b819efd20f4d8afb4f7f6021ca39f523b6fe3c90665fe7f1d02638dbe4814ecd7406225adb586c25956391a07687b14e9ac5e01eacd37

Download Submit
C:\Windows\SysWOW64\Laiipofp.exe

Filesize
120KB

MD5
06e5caa91eefd32f1cf68da677c13425

SHA1
45d0848de094d112fc4ca0a35a904883a8a15cdf

SHA256
b33d6b888b22c527ce69331ffd026f23bbd55261a4b539d1e27b5de4ca1ec0a1

SHA512
80ea59c686ff69b713a75c87a096f6d2e8d55390534444fbde406c8db06e38ab1c28a273d07fb94e82f20a4762d9bba1d3045b40ef05f8c418afd788b8b1a178

Download Submit
C:\Windows\SysWOW64\Lamlphoo.exe

Filesize
120KB

MD5
dacdc5e90166bbf1cdd9f07a78b001b4

SHA1
9677545f629e5445d47ffead037c1de3f1c719e2

SHA256
54b39fc487e156359a20e486c7ae5e7ef257e359321a89589a219b108d9fb546

SHA512
b284db4e7de2d000a2362f3c6c5c27e452c1799d9848ca214aacb6fc40af4f59758826598d4ade9566ebaf5d65ce520011556893249c6fce83db6d71a6d6635c

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
120KB

MD5
68f80e37c655fbe54e41d39533972c64

SHA1
26faa3f99bcaad4a96a572a21c07442e68ffc752

SHA256
66f925cb757580f93dcd43ba43e7cfdee03507111b12fb9afaccc1e58310ec41

SHA512
b4d0d85defa78eee04bbd75a813879ad017509a5b0ae8c2f86e5ff70b64af0e87bce1cc4afc3fbc7ab09692877fff6797e90383633b52b251885c9c38e9f11d2

Download Submit
C:\Windows\SysWOW64\Mbdiknlb.exe

Filesize
120KB

MD5
7e004fa277d745ef5a9d3c8f2db7b689

SHA1
6c427a64c17491ec07180e592d0cbd7854e6579a

SHA256
6ec5bd46ede9c22566a6c34307e90ae7be0888715ff6121bff49145271c770e7

SHA512
ad22f48d2b943a5511a7f46a1fa0d0efad9defd1202d64d0d547a2c9d7afc4dcc761cb7fd11b4e810076e763fe404254be408e7f9afd3bf7e40bde053d01114f

Download Submit
C:\Windows\SysWOW64\Mjnnbk32.exe

Filesize
120KB

MD5
450ea4c8566cd6f40b606b525f8e7bb8

SHA1
7ef96a61a43cfb26a85114a8d72a718d37a179c3

SHA256
6de77989eac07865e8d7db0da1a35d2d275407495cf75ca5e32dd5f55937a1f7

SHA512
ef14e964a680a6a0bbfc2b28e75a3a6b0586c32b08503735a0cd7112abf546bfed4ef19b7cb9589684d07702fc3221d65a2f641bceae0f2e8b689d1fd85fcbfb

Download Submit
C:\Windows\SysWOW64\Nblolm32.exe

Filesize
120KB

MD5
91fa51938ce34caa4ace33359ea71434

SHA1
f35d8bc6fc9becc1a53e51869b255d21c4ce426d

SHA256
3d2516443b4c09d7d200c02177160fe112138b4ddd697943aa44b22cbef05d55

SHA512
0969ab5cb443f507ee24fb6fe7a6f215b37ba1d84780cb89b2f83c455aa570073d64e9d50b3b944d7fb9187a65e82d63dd481864828af75d714f8eda5f767dfa

Download Submit
C:\Windows\SysWOW64\Nbnlaldg.exe

Filesize
120KB

MD5
00b23094e660ba7777dbf2b01f9f9e7d

SHA1
58f374839d63723d5f08de73ed6799fc18a9bc1d

SHA256
3bafec0c03cb03bfa922fdea356f6471ad43503d35b9af4f71ccfcfd767988f0

SHA512
214a553e34a5060c792997a0584c9bcb3f53b0897f855655f2a005a178339f4547064f2eba65ad3d4ecb5ad1d24d43edb5ba562c2d9e0e00bbc404c86274d252

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
120KB

MD5
1f3f1dbb0d3b071cdffbd2a766940764

SHA1
cf272b840bbb3c6f74de1f7c41fa85c4ae0c01fa

SHA256
91a064f078126a296750e1ff6d8c61fe146b67fd0380dece69ba2d61c11d6262

SHA512
fea2e25235b4bbe9c3a832598b01f85be3ccb53238e49e86d88345ae673279d220c8135a0cfb67076937b2ceed2f829739cb09a1b4e36b95a9e1f86d17532e77

Download Submit
C:\Windows\SysWOW64\Ncpeaoih.exe

Filesize
120KB

MD5
69261a5cb042e98b2a0f571e7289f39e

SHA1
1d74e00df7d7a439d5402a174e8478c3fb2305eb

SHA256
5ffa8b6f0e1c421fcdd8d6a914bd99d66fcf6ba99db2a0eb74efb8bdf8e19845

SHA512
79e76d8284fb50c6443a6b2754788d0feece8f790f0827753dfad1bad6d3c8824f4e745d9f4b2d47cf83c61168427b013c1f59c531f42af83fc973df34ccc94c

Download Submit
C:\Windows\SysWOW64\Ocdnln32.exe

Filesize
120KB

MD5
cdd7eafe1bdbd484da77eee69f76962b

SHA1
85615074f64f1d0e1c1e611bd25b93a5301dbb29

SHA256
ac1a46b69a186a6a6f5466c028adcad560f9b71e09bb0dc1ab13d59ffe8d6fc1

SHA512
11c4314396780b8d180a2e9fbae116c76f11c593f74ee9820778a20632d5edbe80ec776c12b939314447cd1bf0c48a5d3f3b8b6254ecad1805656901dc9ae570

Download Submit
C:\Windows\SysWOW64\Ochamg32.exe

Filesize
120KB

MD5
a40462ec946c20bd16dcb252d53428b2

SHA1
692f6a1989782621a1d569905468f8742d4afbb3

SHA256
5dd3d1496c079faaa5ed30946ed4b2483f1eafc27bac369937c22ab3a246f22b

SHA512
7aaa2dcdb0f32966c91f01f6d0dc517c9a1e121465af01ef6037901a1ea3e1b6ae0e709a8b3d1f171730edbb7d66f21da7961a20c6d3b8ad1a95c832b4c1e654

Download Submit
C:\Windows\SysWOW64\Omopjcjp.exe

Filesize
120KB

MD5
99a3c6375b5ee727d98e11983b403ddc

SHA1
6deabaabfc8a0d1cbe4a09d47221aa09bfbfb3af

SHA256
f368214323216193fa32143c1c386494c9c9ff2fd8fca31f462fd79bbb6e6335

SHA512
e33b66b64c11fe96ba3c4c98b5dc5e4ad4ce58b104e854e5a1160d21f511d0735271601acb31bc92a2bee086f793c66e9730e332d155b184006925b7a37048eb

Download Submit
C:\Windows\SysWOW64\Oophlo32.exe

Filesize
120KB

MD5
914b84c188d2cbbfd5a13a9104e37a9a

SHA1
ca91faa1f7f2c597d508af83baadde51d7299f37

SHA256
4f9b01eb26f53b9eb075eec6e08c71085dd3cb248c3589d6445003a0c6495aa5

SHA512
057cd75c920ef5f4af9b0c6e459d09aef66b0f6439691061ceeb5d19082b7b29878544decc93d3fbe8a74e74fd0219bf235cbc0e07601f95943acc547f6e2199

Download Submit
C:\Windows\SysWOW64\Padnaq32.exe

Filesize
120KB

MD5
17e103f9724ef5a7f91ebbd872c8f906

SHA1
2c325300f8c85e7b9e7ed6a86e5374bc0ac6cb58

SHA256
89d4e44b12a538b5062eeaa57f8b089db08a612eb7b8d024f4c5deac1f0e823c

SHA512
d5dd409bae3258d9f461bebdc683d04a1405a2ff116797ad6ec418fbd0701dc7b9f3f985e8a5e17e0207b9e44db026151930c20779d48e59e3c2bdc062f53c3a

Download Submit
C:\Windows\SysWOW64\Peempn32.exe

Filesize
120KB

MD5
07da2d769eb991701d389f1057bbdc3c

SHA1
1bbca34cf44829771dc430596a6c40590dd72305

SHA256
7d6650e9fe790ddfca637701a072a5656b5c9d730f902a71381e7c5e114155dc

SHA512
8450f023c0d5ac4c36e5af74c9df88bfabed1a74e1120f92783022a8316c07187cf9f0539ef1b5a39869388982ce1c46569a8f4a898c0fc814d5c49d38222f22

Download Submit
C:\Windows\SysWOW64\Pmapoggk.dll

Filesize
7KB

MD5
8ed4c461c6c20049d0011e422b544c8d

SHA1
f892af7f6f21083229aa5168868845010ed4aee7

SHA256
5cec77daed7262e2b54afcf566d282f89d5e9fe56cf9a6d5df98f4c60616fabc

SHA512
c6aa241e00222704702f9225e7ef2b61a7dce6d0e36e6efda3fe969f5fbb4dc9ac68c6014925f2170fb711d76450d4deb346f9a5dae91f05a1e55c1217aa87f7

Download Submit
C:\Windows\SysWOW64\Qkdohg32.exe

Filesize
120KB

MD5
fdb58a425908ba11d1c5222dd34d3d5f

SHA1
dfce2358be137f1c99063ec340a46ac7aa12b5c0

SHA256
e21f415afbbc815b8792bb254ba42d717a6c50fe375b2a001d8e68016702548d

SHA512
3985319e4145a0d4302661358a0da2ef1b794ecf858363c4eb5865ea2a330f446ee82d4cebc719e690720243be2ce04d3bc9d7e0a326e7ff738e4caa273b5af5

Download Submit
memory/340-634-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/840-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/840-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-628-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-659-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1752-647-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-660-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-646-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-653-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-640-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-620-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3236-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3236-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-621-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-679-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-613-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-523-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-627-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-666-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5168-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5172-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5196-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5216-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5324-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5324-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5340-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5340-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5400-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5400-606-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5416-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5420-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5420-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5428-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5484-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5484-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5492-614-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5500-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5536-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5536-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5552-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5608-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5784-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5796-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5800-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5800-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5888-600-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5896-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5928-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5928-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5936-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5936-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5960-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5992-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5992-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6008-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6036-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6096-607-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6556-930-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6644-928-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads