1822dd970f17aa13d8129bd2ba450338eb84edbdcfd02cc71b3bd4d15dc27ebd

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51a7ccbb2905e41ddd013009145230c0_NeikiAnalytics.exe
Size

63KB
MD5

51a7ccbb2905e41ddd013009145230c0
SHA1

f0d1e2a64593cb8d012c21bf1f276f612cf059b5
SHA256

1822dd970f17aa13d8129bd2ba450338eb84edbdcfd02cc71b3bd4d15dc27ebd
SHA512

6834d9c3cfe0ae154a7cbace1816c35abdb0faf311267556875d93f8358833eab13b72bc80bf56792fe376ed7752f81042ebf7fed71b425364baca26406c1df6
SSDEEP

1536:I7ZaHPTLGaSQEMnvlzpcLiecE6TCOjLY02GYLnJbH1juIZo:ItOLCaREMnvlzpcxcE62OjLY1JbH1ju3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakikoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckclhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gndick32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmepam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahippdbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iondqhpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kabcopmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmepam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdgged32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkkik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibhkfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidphgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Badanigc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddjpd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hblkjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paiogf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kncaec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljpaqmgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Galoohke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khbiello.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbalopbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiglnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmaamn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jikoopij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjblje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipgkjlmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgbqkhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cljobphg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmqfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iedjmioj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllokajf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clgbmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmdnbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbgeqmjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckclhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbalopbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhboolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahippdbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njjmni32.exe

Executes dropped EXE 64 IoCs

pid	Process
1632	Ojgjndno.exe
1172	Qmepam32.exe
4100	Qmhlgmmm.exe
968	Aamknj32.exe
3908	Ahippdbe.exe
3816	Badanigc.exe
4912	Bddjpd32.exe
4940	Bdgged32.exe
3716	Ckclhn32.exe
4336	Ckeimm32.exe
1936	Clgbmp32.exe
4952	Cljobphg.exe
724	Dokgdkeh.exe
540	Dijbno32.exe
232	Ekkkoj32.exe
4420	Ekmhejao.exe
1264	Eifaim32.exe
5080	Flfkkhid.exe
4092	Fligqhga.exe
2456	Fiodpl32.exe
3408	Fpkibf32.exe
3988	Gfhndpol.exe
4572	Gbnoiqdq.exe
4488	Gbalopbn.exe
2032	Gpelhd32.exe
1720	Hipmfjee.exe
2500	Hbhboolf.exe
4068	Hffken32.exe
1128	Hblkjo32.exe
4636	Hpqldc32.exe
4016	Ifmqfm32.exe
380	Ibcaknbi.exe
4468	Iedjmioj.exe
2128	Ibhkfm32.exe
1560	Iidphgcn.exe
3804	Jiglnf32.exe
4736	Jgkmgk32.exe
4172	Jgmjmjnb.exe
2836	Jpenfp32.exe
1976	Jllokajf.exe
1236	Jlolpq32.exe
920	Kjblje32.exe
4476	Klcekpdo.exe
732	Kncaec32.exe
1964	Kpcjgnhb.exe
408	Kjlopc32.exe
4972	Lmaamn32.exe
1428	Lmdnbn32.exe
4540	Mcpcdg32.exe
1968	Mmhgmmbf.exe
872	Mjlhgaqp.exe
4284	Mjodla32.exe
4204	Mjaabq32.exe
3584	Mfhbga32.exe
3624	Opnbae32.exe
3792	Oanokhdb.exe
3104	Ojfcdnjc.exe
2904	Paiogf32.exe
4384	Qdoacabq.exe
1056	Ahmjjoig.exe
5048	Aknbkjfh.exe
4580	Amnlme32.exe
208	Bdmmeo32.exe
4472	Bnlhncgi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lobpkihi.dll	Hipmfjee.exe
File created	C:\Windows\SysWOW64\Mjlhgaqp.exe	Mmhgmmbf.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Ghnllm32.dll	Nhegig32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbpb32.exe	Ncbafoge.exe
File created	C:\Windows\SysWOW64\Lhnoigkk.dll	Opbean32.exe
File created	C:\Windows\SysWOW64\Pmcckk32.dll	Jiglnf32.exe
File opened for modification	C:\Windows\SysWOW64\Ojfcdnjc.exe	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Hipmfjee.exe	Gpelhd32.exe
File opened for modification	C:\Windows\SysWOW64\Qdoacabq.exe	Paiogf32.exe
File opened for modification	C:\Windows\SysWOW64\Figgdg32.exe	Eiekog32.exe
File created	C:\Windows\SysWOW64\Ojgjndno.exe	51a7ccbb2905e41ddd013009145230c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Badanigc.exe	Ahippdbe.exe
File created	C:\Windows\SysWOW64\Bmgagk32.dll	Lmdnbn32.exe
File created	C:\Windows\SysWOW64\Ookoaokf.exe	Obgohklm.exe
File created	C:\Windows\SysWOW64\Lpochfji.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Iedjmioj.exe	Ibcaknbi.exe
File created	C:\Windows\SysWOW64\Nndbpeal.dll	Gbnhoj32.exe
File created	C:\Windows\SysWOW64\Ljpaqmgb.exe	Lebijnak.exe
File created	C:\Windows\SysWOW64\Hbldphde.exe	Hbihjifh.exe
File opened for modification	C:\Windows\SysWOW64\Bdgged32.exe	Bddjpd32.exe
File opened for modification	C:\Windows\SysWOW64\Iefphb32.exe	Ipgkjlmg.exe
File created	C:\Windows\SysWOW64\Ahippdbe.exe	Aamknj32.exe
File created	C:\Windows\SysWOW64\Galdglpd.dll	Gbnoiqdq.exe
File created	C:\Windows\SysWOW64\Kjblje32.exe	Jlolpq32.exe
File created	C:\Windows\SysWOW64\Bdmmeo32.exe	Amnlme32.exe
File created	C:\Windows\SysWOW64\Mpkcqhdh.dll	Dhdbhifj.exe
File opened for modification	C:\Windows\SysWOW64\Lpochfji.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Nijqcf32.exe	Noblkqca.exe
File created	C:\Windows\SysWOW64\Kioghlbd.dll	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Mnpofk32.dll	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Lpefcn32.dll	Iidphgcn.exe
File created	C:\Windows\SysWOW64\Hnlodjpa.exe	Hbenoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ckclhn32.exe	Bdgged32.exe
File created	C:\Windows\SysWOW64\Jlgfga32.dll	Khbiello.exe
File created	C:\Windows\SysWOW64\Dkjfaikb.dll	Ookoaokf.exe
File created	C:\Windows\SysWOW64\Gfhndpol.exe	Fpkibf32.exe
File created	C:\Windows\SysWOW64\Hbhboolf.exe	Hipmfjee.exe
File created	C:\Windows\SysWOW64\Pjdhbppo.dll	Jgkmgk32.exe
File opened for modification	C:\Windows\SysWOW64\Oifppdpd.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Ccegpn32.dll	Ekajec32.exe
File created	C:\Windows\SysWOW64\Ihjoke32.dll	Iefphb32.exe
File opened for modification	C:\Windows\SysWOW64\Gpelhd32.exe	Gbalopbn.exe
File created	C:\Windows\SysWOW64\Pplhhm32.exe	Ppgomnai.exe
File created	C:\Windows\SysWOW64\Dfoomidj.dll	Ojgjndno.exe
File created	C:\Windows\SysWOW64\Jomnmjjb.dll	Ahippdbe.exe
File created	C:\Windows\SysWOW64\Jllokajf.exe	Jpenfp32.exe
File created	C:\Windows\SysWOW64\Bddjpd32.exe	Badanigc.exe
File created	C:\Windows\SysWOW64\Qmfqknfm.dll	Lmaamn32.exe
File created	C:\Windows\SysWOW64\Mjaabq32.exe	Mjodla32.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Mbibfm32.exe	Mbgeqmjp.exe
File created	C:\Windows\SysWOW64\Llqjbhdc.exe	Lomjicei.exe
File created	C:\Windows\SysWOW64\Hilpobpd.dll	Mjaabq32.exe
File created	C:\Windows\SysWOW64\Blcnqjjo.dll	Ppgomnai.exe
File opened for modification	C:\Windows\SysWOW64\Dhdbhifj.exe	Dakikoom.exe
File created	C:\Windows\SysWOW64\Fpkibf32.exe	Fiodpl32.exe
File created	C:\Windows\SysWOW64\Ckjinf32.dll	Gfhndpol.exe
File created	C:\Windows\SysWOW64\Lcccepbd.dll	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Bpemfc32.dll	Lebijnak.exe
File created	C:\Windows\SysWOW64\Chnidloo.dll	Bdgged32.exe
File created	C:\Windows\SysWOW64\Jiejjepo.dll	Hffken32.exe
File opened for modification	C:\Windows\SysWOW64\Jgkmgk32.exe	Jiglnf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6468	6320	WerFault.exe	225

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekmhejao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmaamn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpkcqhdh.dll"	Dhdbhifj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgagk32.dll"	Lmdnbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjoiip32.dll"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpcdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hblkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll"	Ibcaknbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iidphgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdebopdl.dll"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dijbno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmenh32.dll"	Dokgdkeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinclj32.dll"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbgeaba.dll"	Mcaipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbegml32.dll"	Hblkjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjlopc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noblkqca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjaabq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbkkik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll"	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Badanigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibingd32.dll"	Fligqhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahippdbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hppeim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	51a7ccbb2905e41ddd013009145230c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iedjmioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccegpn32.dll"	Ekajec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnfmbmbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibhkfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjaabq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iefphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kabcopmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmjcf32.dll"	Fpkibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbenoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npldbgic.dll"	Mmhgmmbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdaklmfn.dll"	Flfkkhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdnbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kekbjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpfqchb.dll"	Jlgoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almoijfo.dll"	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhelik32.dll"	Kjblje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgjndno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiodpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbnhoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnkah32.dll"	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fligqhga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cljobphg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeclnmik.dll"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckjejfe.dll"	Galoohke.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 1632	656	51a7ccbb2905e41ddd013009145230c0_NeikiAnalytics.exe	92
PID 656 wrote to memory of 1632	656	51a7ccbb2905e41ddd013009145230c0_NeikiAnalytics.exe	92
PID 656 wrote to memory of 1632	656	51a7ccbb2905e41ddd013009145230c0_NeikiAnalytics.exe	92
PID 1632 wrote to memory of 1172	1632	Ojgjndno.exe	93
PID 1632 wrote to memory of 1172	1632	Ojgjndno.exe	93
PID 1632 wrote to memory of 1172	1632	Ojgjndno.exe	93
PID 1172 wrote to memory of 4100	1172	Qmepam32.exe	94
PID 1172 wrote to memory of 4100	1172	Qmepam32.exe	94
PID 1172 wrote to memory of 4100	1172	Qmepam32.exe	94
PID 4100 wrote to memory of 968	4100	Qmhlgmmm.exe	95
PID 4100 wrote to memory of 968	4100	Qmhlgmmm.exe	95
PID 4100 wrote to memory of 968	4100	Qmhlgmmm.exe	95
PID 968 wrote to memory of 3908	968	Aamknj32.exe	96
PID 968 wrote to memory of 3908	968	Aamknj32.exe	96
PID 968 wrote to memory of 3908	968	Aamknj32.exe	96
PID 3908 wrote to memory of 3816	3908	Ahippdbe.exe	97
PID 3908 wrote to memory of 3816	3908	Ahippdbe.exe	97
PID 3908 wrote to memory of 3816	3908	Ahippdbe.exe	97
PID 3816 wrote to memory of 4912	3816	Badanigc.exe	98
PID 3816 wrote to memory of 4912	3816	Badanigc.exe	98
PID 3816 wrote to memory of 4912	3816	Badanigc.exe	98
PID 4912 wrote to memory of 4940	4912	Bddjpd32.exe	99
PID 4912 wrote to memory of 4940	4912	Bddjpd32.exe	99
PID 4912 wrote to memory of 4940	4912	Bddjpd32.exe	99
PID 4940 wrote to memory of 3716	4940	Bdgged32.exe	100
PID 4940 wrote to memory of 3716	4940	Bdgged32.exe	100
PID 4940 wrote to memory of 3716	4940	Bdgged32.exe	100
PID 3716 wrote to memory of 4336	3716	Ckclhn32.exe	101
PID 3716 wrote to memory of 4336	3716	Ckclhn32.exe	101
PID 3716 wrote to memory of 4336	3716	Ckclhn32.exe	101
PID 4336 wrote to memory of 1936	4336	Ckeimm32.exe	102
PID 4336 wrote to memory of 1936	4336	Ckeimm32.exe	102
PID 4336 wrote to memory of 1936	4336	Ckeimm32.exe	102
PID 1936 wrote to memory of 4952	1936	Clgbmp32.exe	103
PID 1936 wrote to memory of 4952	1936	Clgbmp32.exe	103
PID 1936 wrote to memory of 4952	1936	Clgbmp32.exe	103
PID 4952 wrote to memory of 724	4952	Cljobphg.exe	104
PID 4952 wrote to memory of 724	4952	Cljobphg.exe	104
PID 4952 wrote to memory of 724	4952	Cljobphg.exe	104
PID 724 wrote to memory of 540	724	Dokgdkeh.exe	105
PID 724 wrote to memory of 540	724	Dokgdkeh.exe	105
PID 724 wrote to memory of 540	724	Dokgdkeh.exe	105
PID 540 wrote to memory of 232	540	Dijbno32.exe	106
PID 540 wrote to memory of 232	540	Dijbno32.exe	106
PID 540 wrote to memory of 232	540	Dijbno32.exe	106
PID 232 wrote to memory of 4420	232	Ekkkoj32.exe	107
PID 232 wrote to memory of 4420	232	Ekkkoj32.exe	107
PID 232 wrote to memory of 4420	232	Ekkkoj32.exe	107
PID 4420 wrote to memory of 1264	4420	Ekmhejao.exe	108
PID 4420 wrote to memory of 1264	4420	Ekmhejao.exe	108
PID 4420 wrote to memory of 1264	4420	Ekmhejao.exe	108
PID 1264 wrote to memory of 5080	1264	Eifaim32.exe	109
PID 1264 wrote to memory of 5080	1264	Eifaim32.exe	109
PID 1264 wrote to memory of 5080	1264	Eifaim32.exe	109
PID 5080 wrote to memory of 4092	5080	Flfkkhid.exe	110
PID 5080 wrote to memory of 4092	5080	Flfkkhid.exe	110
PID 5080 wrote to memory of 4092	5080	Flfkkhid.exe	110
PID 4092 wrote to memory of 2456	4092	Fligqhga.exe	111
PID 4092 wrote to memory of 2456	4092	Fligqhga.exe	111
PID 4092 wrote to memory of 2456	4092	Fligqhga.exe	111
PID 2456 wrote to memory of 3408	2456	Fiodpl32.exe	112
PID 2456 wrote to memory of 3408	2456	Fiodpl32.exe	112
PID 2456 wrote to memory of 3408	2456	Fiodpl32.exe	112
PID 3408 wrote to memory of 3988	3408	Fpkibf32.exe	113

C:\Users\Admin\AppData\Local\Temp\51a7ccbb2905e41ddd013009145230c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51a7ccbb2905e41ddd013009145230c0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\SysWOW64\Ojgjndno.exe
  C:\Windows\system32\Ojgjndno.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\Qmepam32.exe
    C:\Windows\system32\Qmepam32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\SysWOW64\Qmhlgmmm.exe
      C:\Windows\system32\Qmhlgmmm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Windows\SysWOW64\Aamknj32.exe
        
        C:\Windows\system32\Aamknj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:968
      - C:\Windows\SysWOW64\Ahippdbe.exe
        
        C:\Windows\system32\Ahippdbe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Badanigc.exe
        
        C:\Windows\system32\Badanigc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Bdgged32.exe
        
        C:\Windows\system32\Bdgged32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        31⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        39⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        44⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        46⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        52⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        55⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        64⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        65⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        66⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        67⤵
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4432
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        74⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Ekajec32.exe
        
        C:\Windows\system32\Ekajec32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        76⤵
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\Figgdg32.exe
        
        C:\Windows\system32\Figgdg32.exe
        77⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        78⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        79⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Finnef32.exe
        
        C:\Windows\system32\Finnef32.exe
        80⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        85⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        87⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        89⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        90⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        95⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        97⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3192
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        103⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        105⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        106⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        108⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        110⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        111⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        116⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        119⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4704
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        123⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5012
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        128⤵
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        129⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        131⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6320 -s 432
        132⤵
        Program crash
        
        PID:6468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6320 -ip 6320
1⤵
PID:6416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3836 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:6820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aamknj32.exe

Filesize
63KB

MD5
ef52f84b461989319cedae5a65587148

SHA1
5d0dab2d623e4cdd1e847a81475ead7142af0251

SHA256
3613c58ccd8801ba913451d0f4431102aaea89afe324ae92a52b2a7a21696396

SHA512
5ca05c498e3cd4a0553a77b7e1a9a3fb81de1cfc39f310f5ece8afdcea9c3da2d55dbf4f55a009f22246370eeeed983de822973fca5c9e1dd791dce74ca81098

Download Submit
C:\Windows\SysWOW64\Ahippdbe.exe

Filesize
63KB

MD5
8028eeb17990980532e7805e7673c1ea

SHA1
4e434f8867587ce434111c62a7e248517ed29bc0

SHA256
801193f6e5eecb111a3fa386988aebda3d904ae32a659368d316b3f50772bb92

SHA512
449a97c72059d3a16e5e1c0a440937ffb7087c18a1e99f67e94e1376b647be9d3220cf86e0f63cf0374c0b815f2f5ce2b9d1924f09f6948d2b7b374422e9a8be

Download Submit
C:\Windows\SysWOW64\Badanigc.exe

Filesize
63KB

MD5
1786f9945ced642c8d25fd896e605986

SHA1
1fc4b50f46ab53dc548614e46e084097d0960857

SHA256
bb8b17171037e4721ee881c1e70237e82b6e450253d814fd09fa042174aee7b4

SHA512
2ff3f912854647e4f7e712ddc00b1bef5ae33f46e9c6a82fb0bf7ffdefb6769b2414685858ea7486359b2b679e823205d75c1e415338b428ed36bc1df50c6685

Download Submit
C:\Windows\SysWOW64\Bddjpd32.exe

Filesize
63KB

MD5
56880e71e557b829893fda8478623221

SHA1
1b3ebd291bb4a6d953dc1193691278084352346e

SHA256
0e388a4591498b081ef4e7cc177e4fb87be359dc48611c2b2bec805774e08bb4

SHA512
819266d2b6067d6adf122b6399f93a1a862f41da3d511afbd1bea408bfcc48fa818a03f1baa596cf8422e32e6b372564c885eb008a547789b8ee375c32358080

Download Submit
C:\Windows\SysWOW64\Bdgged32.exe

Filesize
63KB

MD5
c76c301e6aee1eceebbefa115f8672d9

SHA1
47c0037431af155e7d078d4165aaa43632e285e4

SHA256
1e3adf3f015c76d923f71d5c70d6e1e737412fbcd16449e9637367b8bd6d9177

SHA512
cd643d6ec96b2c328b4ae9e8cf09208904bcc845c95d5cd41cfc97e13f83d414e418fdb5682f2f9d9f0d93afe19382af610060f504cae8f08a5834a000e9afaf

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
63KB

MD5
a669efbdcc315321a966c06192017e1c

SHA1
de35f10ba7a4fc2c167e350d30cf441c9d3e2c68

SHA256
2870d0741e5d34ac0e2f55015a3fe1944e08943b5c6060ad65fbc6dd690e162e

SHA512
87bbb3e28e7578347c94eb6a621210b945f474e23586713e2e2ccf1a35887984e6e9e3fa7880d5464ddafd75eb7c144680f8d4500dbaf226ba0c7ebe27380fe6

Download Submit
C:\Windows\SysWOW64\Ckclhn32.exe

Filesize
63KB

MD5
ffe16929b19f5fb5af81f1cfcb194c5f

SHA1
a4ec425782e0ee5de1c8856d1ffcae380c56c194

SHA256
eda75c00e6b312deee3710202697b68c4ef40e245fa57a99a8ae139442231952

SHA512
d55b3debcf99d7edef312982ec9eba679fe16fa9e3f09831a39d435d4e907a9f14b0b8bbe0c17e32a07d1b56dd444925ac4dc74e879d681c3aed2c00121bc38a

Download Submit
C:\Windows\SysWOW64\Ckeimm32.exe

Filesize
63KB

MD5
d8dbae4411fd5791ddd2cd7e6506a9a0

SHA1
c3412761e847e77cd4c7fbf616198eb20ae01fb6

SHA256
5c9e3ae0cbd64fa52d28054fe3d12e6124f40b74d407e6367b294fd2baee96bf

SHA512
d35358b5bfffe9b8b37510b639b1bc0514aaa01e679309b4ea42d74941e1d3e8685a023fe86913a0fa13bf759dfd110643953e62fea61fecd9e41fa743b983b9

Download Submit
C:\Windows\SysWOW64\Clgbmp32.exe

Filesize
63KB

MD5
6ca0329ec54d68c1d4400a1ee939c513

SHA1
809c8cb817695dce43fb82cef7a02f0a6e3ceb26

SHA256
1725f9359d4ec72141ae0d6358965cda166c2ac3ca7a1c2ba9d807573537e385

SHA512
30ce262f99e4c102cc3bc2888afb6003ae64f66d1d1fbe546fc8ef2aef6e4d29b5260ea2e5c74aca54ea8c59e80be8664f2bf7d76bb528bd48e8edd4e7d36343

Download Submit
C:\Windows\SysWOW64\Cljobphg.exe

Filesize
63KB

MD5
54550e5746b321e70b65ec59f714e91a

SHA1
cdfc1cba9d6947244859dc579cb1cfa8a2fc5196

SHA256
8517fdec107d5e8496d679d86f42fdb7a8a0ca349db92e8b0aa33cd5b0c51cb0

SHA512
6d4da4021ec70bb28a02c046369ab30e478932aee3ff1e271a5030ee38456228a3a78eee92754b9a20a433cbf73956e345370cd67ca1364ac3427ad9a0b1669f

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
63KB

MD5
47171138e83e17c9a223a2142837321d

SHA1
e5ab65e3cb28fe7aa73e24f292117535b35ddf11

SHA256
9e1ef570d4e914eb305f0f63f2c64b791de288dea00ef39a07e5b090241ae0b0

SHA512
8a9edcda2c40bb23936d598ac724ffd2bbe04a1052af9bef17cd3d1bcbf52d73d0f7fbe092cb22489bf4070e6ba7955a9470960c93dc618750762bd22a48892d

Download Submit
C:\Windows\SysWOW64\Dijbno32.exe

Filesize
63KB

MD5
e51c4adf8249f45fbbe12558f6a42e57

SHA1
63129923ad32347e87705c19d387a8e24cbc6c7c

SHA256
7f1ba719e4f07fc76030c52573e0c4c82ccbed922bd4d2624e9a3e726001f230

SHA512
e7608a6d441e95a276e521930147d4f9e498e7258ef7144ed3c2189c15f4d8586ddc090d7e4731f121b152b4c5d78bf37c6760a202c7d00a4cc2c5f6eb600a11

Download Submit
C:\Windows\SysWOW64\Dokgdkeh.exe

Filesize
63KB

MD5
2b2b2a39eaf5b4d18b1f0f2dc8623f0c

SHA1
01be6f106111ecc78a05a1403edec4940f642db4

SHA256
2550890f10e6df0a23365eacec7259b876dde5978564c355bce6b94ac222f109

SHA512
3551eaeea9cb36d882c8ea7da6d42e0002cf38eb1007495776bea22e772406ba120dc2aa7e885e620977eed886244cf9666775bec0fccbf8b4fa5b541bb79771

Download Submit
C:\Windows\SysWOW64\Eiekog32.exe

Filesize
63KB

MD5
9eb4b5e90c3fc1db385da912a7a5a63f

SHA1
ad3f2107cd927553bd92330d2086fec62dce989c

SHA256
d6af88d8191d9b46e182547a833c9b35fbcf0253fd68407f1713b49423af25a7

SHA512
3472c89eb2dfa02316949c028b4053d868c45e350158961f3be1bacf870f2a82bced578cc75fd954283a3389279a91c0e088673ce6d79c1cd5c9aa1eb9ed498f

Download Submit
C:\Windows\SysWOW64\Eifaim32.exe

Filesize
63KB

MD5
b66fda99d8f777e38ff88f80665e8517

SHA1
9abc68f3b791c0ffc8c65374c226de0db3e2ffae

SHA256
94c7478ef6586526422fc553ed272b746e47ce8c03f57419b391e5d49fc620df

SHA512
922ffd716de7b3270a9bef779c4bce2968d9b8c36f90d60f3e303fa261c17abaa8ea5bc3ee67c04503276e65ef3d53097804bf6d42764e0afb7a3895f86e5629

Download Submit
C:\Windows\SysWOW64\Ekkkoj32.exe

Filesize
63KB

MD5
85e490728d24d895aa2236c9a8e45c63

SHA1
1cd0cec086ecc5efd8429704ec3431136c54f407

SHA256
29612d5fa93c2da649924dd664fa709777b030a3dc7dcdd014ac390943e54869

SHA512
44405ab39783d3329570f8caa7c10a6e515215fea580e0f15b2a0ad083cf17480fda2fcc873f59656ce65624532ffa6a09ab1195312bd85825b4a500d342397c

Download Submit
C:\Windows\SysWOW64\Ekmhejao.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Ekmhejao.exe

Filesize
63KB

MD5
402ddfeed8e2afa72a982ffe739090d0

SHA1
31fbb7ae63cd4bf83f646518067d87ad80cc30ff

SHA256
a3de5c2280c52233f6cdf890d09dac89293ff15ea82475e6fbfddd4f66d2fce0

SHA512
ea58d45004fdf4b806e6974a671c53b3831dabcf639f7cc3315829022dfd1834daca03e2543fb481fc97af2940a9b132043d58ed47b59438f23dd5280119e55c

Download Submit
C:\Windows\SysWOW64\Fiodpl32.exe

Filesize
63KB

MD5
f7ccc857664ee1444162c447c75e3e6e

SHA1
d8c0a47ec2552574edef52afd5c6b2fe5d58c2c8

SHA256
da8097b926255a8d177885a562d859fa7bfd66d1680b9493d1b82555943d6021

SHA512
62b09322e0ed08579edb6d94944077aa2fb226272562a144c527cf7dd810ab278095573b2f0638b796fcd2e73eea43cbd8e5aceda331e836e6db37b15fe80efb

Download Submit
C:\Windows\SysWOW64\Flfkkhid.exe

Filesize
63KB

MD5
831f6c4e1baa6c75fcd50084baa9da49

SHA1
9aa201f9e82c474370b78030b7c9ed36928820d6

SHA256
8e659b35f8d25d889a6ca7065d967db1a1594cb91d84669ae8cb87d71e09c7f6

SHA512
4ea1393437777f4750295df7d2c4a892db1d62c1f8b41b5e22a4723616d66e8eba91736bfdf24e9b7b0cdd828d1057f74d3efb3f81ee857bc203704486deef8d

Download Submit
C:\Windows\SysWOW64\Fligqhga.exe

Filesize
63KB

MD5
9c3753daea3eba9448ad9743390f048b

SHA1
876e400c847267d76ec98118ea372a22238d625d

SHA256
57f55cbd6343a8205f09e05045a1a2839d921b1b2bc68a813d6de3747360c81c

SHA512
d9192792b0844150dfaad7354778d377e20825d52f921795f695b0087a5e3b07096c46c9b303daa328027e8850705568c692a16ce36fdfba2f51fa53be795035

Download Submit
C:\Windows\SysWOW64\Fpkibf32.exe

Filesize
63KB

MD5
a89db884d489263127f773428df0a97c

SHA1
6466a82ffde51b0750c7992b6f02424280484938

SHA256
0dd993ca154a962b1ad85d858b222ddc61146bdf07ab2277b4418b1a41536348

SHA512
635a81c264b2c7147cf89e3b2d92e4229600fc147dd669361e8826c8187ea04853109bf160cee53b1cfa55e805adc2e2befa25e2f9457e9ff2a6c36b81088391

Download Submit
C:\Windows\SysWOW64\Galoohke.exe

Filesize
63KB

MD5
f79b975bf2e967366b0ba4fc2477c147

SHA1
f04e67c70315bba39f178278222fbc4bfe7a33f1

SHA256
7dde71477ed7dee5a9c9a9f87748a97347178dc25b881079bbf6ed8210649877

SHA512
e9827ffcc9ef0b6190c3022c3152e231e98c4411a6fcc0f1cac81e15df99e59b9b081b370015327cbca550c84324e4f40d47ef5eaabb534e8dc5b1666ef4ab0f

Download Submit
C:\Windows\SysWOW64\Gbalopbn.exe

Filesize
63KB

MD5
0eed86f1843eb572d47718e1705962f3

SHA1
ca466a3863a4194da0dbcede006cf84a57ab4301

SHA256
ef52858f0830a551e217c6863f60f8bce9feff78cf660d6b0cbf80278ff2101f

SHA512
8637b279ade71203a4adac298a92775f5b59408ad95aa53c0706ac4b759e09db82de2f95d1d0df52c1e3adddfd693be55a7fff9c6cc70a604e6f4e12906d6cf0

Download Submit
C:\Windows\SysWOW64\Gbnoiqdq.exe

Filesize
63KB

MD5
808303580389e7a81432f8aaadfb34c5

SHA1
636e90527768cf68f8be27dee70d9678632fb901

SHA256
79e5c6382ae13f02c42ab537aa3e8eb8551b7d45b38f8b84e818864a324dd9fa

SHA512
d8f8e10dfaf99ba9d906083a7166144a17932f3f003de30d38ed23d7848401e4fa0485aacb06df0a61e370ac7fc3324f88a814c14501983e816f1c8f8f12035d

Download Submit
C:\Windows\SysWOW64\Gfhndpol.exe

Filesize
63KB

MD5
19f444df1735cc538565dc3b9bfcbd1f

SHA1
e193327469846371353c46e8f88311a898acf759

SHA256
521526e0163ea79f8a2f5263135c71ad9c61e31f321436ed1e2b0a5af6c0e5f8

SHA512
37680339e0ca06bfb6174342c6ef154cc36fd3f0e7e79f233c921e41773cdc08dfaa80e7c153de975e06d171d284c7b9917fc49a4a255b3dcd173aada25fe760

Download Submit
C:\Windows\SysWOW64\Gpelhd32.exe

Filesize
63KB

MD5
4dcb89f148f5fec5ad0d0065c93de8ec

SHA1
6f986ea45762e67bf9785fc4692f64e3674f3b0f

SHA256
4970cb1b8a7568480caddfd9fbac3e1b6d6ce12bacc8a91a03d01b8964ee2dc5

SHA512
aef2b3e20b401d5690962fff27acedba3f34178c4b0df0cbfb85867d50a7ddc7f9c06feef6f58b920d0c2f5c7fd7eadb674efa5d863c5429371ff57ea45bca96

Download Submit
C:\Windows\SysWOW64\Hbhboolf.exe

Filesize
63KB

MD5
7a6ee373c61ecc5846ce0cc8e5ff86ea

SHA1
8abd0b55f53c8f5502cfc9fdea727e3b6321b198

SHA256
7b2c3f589ac211359a2af689b7b625e97bb48a73fd0f6b54692609ce41ea014c

SHA512
afa14107b9b487dd6041b9d285c6c43d7928ce44ebf0a6ae8864fdce6e75e6026a416319f886099b0b18f6b561f3284769c6ae34fd5fa8367feec59c624ac7a1

Download Submit
C:\Windows\SysWOW64\Hblkjo32.exe

Filesize
63KB

MD5
4ae6f140efcd65d7ec70d01fdf20bc6f

SHA1
5296f117a10be8121b9475531038752c3a139eed

SHA256
9cb58437bf5ceb98d1c5727b26b1f5bb23d4bde8fde185d9b88f4625c6911946

SHA512
1e9f37f919faee09ebbe53c6004bbbba2bf18d20215b5ae947e79791db0cc423e1e443bd11494a33fe6a3ed12ffd6139fb24e96fb37e9da1b9665ca0d63c45e6

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
63KB

MD5
c6bf14bdaec9d4446e10bfe2f5f6ede1

SHA1
da78d44482c62aa0516e4706978249cde70cf2fb

SHA256
6daf539b89c54afc5025abffe00d2498de5a8bc4e141300412d4bafc8a114a50

SHA512
db7e7dc46544e36b11986adae3938993188380884113566fba2115e3bd7d8fc641e0da2a27ca28b30278e9106945cb5017f6134e269b3a83e9c6601b57127c7d

Download Submit
C:\Windows\SysWOW64\Hipmfjee.exe

Filesize
63KB

MD5
b66c0a3f783d85e4c77096f0dbdbb3bd

SHA1
d3072757148fe967a20f24b7ef595915080cea20

SHA256
60f48a04d0c60d364d04c840d0ff86b45285d0f0011e4ad0073d50099f8ecfb2

SHA512
44916776af197932c183b269929d82159751ed0169dfe861e26bd21e070864543b0eb8c3859d77d022e37960a1a8545f5ba82f2bd5ff65aa88ba77768fc91f58

Download Submit
C:\Windows\SysWOW64\Hppeim32.exe

Filesize
63KB

MD5
2ae9fecb626735a6a5bd3e639babc7f7

SHA1
f5c13fbff880e1c9b30c785e8287a75b475f752c

SHA256
666897c2f28a11bd907efe9ac15c415be8afa021f8791877669ee78b35fb5ee3

SHA512
cc46457d71ee553ce239f32fd520c5c7cc581335010f40e64e304a31994c445b8c92c4f001a09722c10d03ab663c4805a9ef82ddaf63a05b359ebf67b479d2b2

Download Submit
C:\Windows\SysWOW64\Hpqldc32.exe

Filesize
63KB

MD5
49d38ee93a2f287c6420a8d96bccea5e

SHA1
f75ea52159d237f97384a73803fd6896a7abea9f

SHA256
5b412bb74ba224feba0f21e160ec73fae277f8bab20d436ea4048b5cba2f7c8e

SHA512
391647e9b622b9e20a44c30860752d170e3bbfbd81f709d71ed41685eb1e6eb981258d728943624a87428b5b91d7956a1112c419c0cb14b1a736b16a42af8f0d

Download Submit
C:\Windows\SysWOW64\Ibcaknbi.exe

Filesize
63KB

MD5
7d3babca4357483cef6d49bafd0ce278

SHA1
465d48219816eac8b3fd13b0fbda1e4c4252c76d

SHA256
3c1229444b47d8120f8f310255949408fb351e44d2cabf6f6b5ac65c79b6dede

SHA512
a9bba783911b1684a8ead57e4634725d466be4e2d2dc4ce31bf63c19d8457992843d478eff7fc98a6b65468225fd98ea1c43ace16a553c323f618437692a015c

Download Submit
C:\Windows\SysWOW64\Iefphb32.exe

Filesize
63KB

MD5
4a4aef29e5de015df3195bcde5a66f9c

SHA1
22591c7843675778f4f503c623cbf902319d3cb8

SHA256
7fba30097fa90da7d3b65894b8ae2519f690a1231e33e2fb827c2c8a69673dc8

SHA512
3744b029fd18c33e929b663db4a397e10f86a53be0b32be54aa66176b9926bd8d57bf15ceaaca58390e94b8ebfbfa600e3c7e9ab51ab6a431d925cb144716a3d

Download Submit
C:\Windows\SysWOW64\Ifmqfm32.exe

Filesize
63KB

MD5
2f11c9a67a6bfac5e5b244d84f83c15c

SHA1
28e0dc2c68c8150ff932d1b3a42a2904c2676d2c

SHA256
b6a031c89ed3b6a52df3948a5e97375088359bc40a639f56f5c779e0f856e851

SHA512
ca78764625b3b2bf141f1550385dce2cb18d54683a0be06ef9907714eeafb59df9940f377796fcf61858db5de5eaf6b1e702af023b9ae953601d03d9ee073a34

Download Submit
C:\Windows\SysWOW64\Jllhpkfk.exe

Filesize
63KB

MD5
78a51ccfd3b19db680328a1aee5fc19f

SHA1
e8d81909ad8e45dbd6864d24c59fd88738eb313b

SHA256
561bb8ae2a35ac8d42e874b7d0fde04108857fcc0aad428e9c5df2b255ba5ad8

SHA512
9214b1a066fc034153702dda2fcd5a944f0133083eb6ce508a0c2068708b010a1638092ba30d603f4c028ab4bdf57de8086508c02e0739e0cdb4e2466575f9f7

Download Submit
C:\Windows\SysWOW64\Jllokajf.exe

Filesize
63KB

MD5
9a82d0869732f3259fab200640cef1de

SHA1
8e93a932dec09580ea0f446cad01e1e4d5284a5c

SHA256
edaebca6731b49430fdd97480d975d7b2e0a2237ef355683544ab9532efc61a2

SHA512
e19161e937873e7304f7bbc93d825334d953fdff55e9bb4df3c7a501033f67f3307d579b3c943cd789d89a767a962615fe6b4bf31d83520a5f2511335a8d7ce7

Download Submit
C:\Windows\SysWOW64\Kekbjo32.exe

Filesize
63KB

MD5
b6eef883600c1da70b71134dab83877e

SHA1
80e9e34c8d72f71776a7396a8baaa0128bcc62e2

SHA256
2f116292ccbd182b70e43bd8463762b78c198d476e9cc3e1c813449735b7537b

SHA512
5422ccba6a7d7588c9558436790b2faea0d29ba5bc5b744d9e0fac6a945c2ccc8e980d2ce32b6de1996b51c656fbf86970a094dd7eb832b787db23c64c1742a6

Download Submit
C:\Windows\SysWOW64\Khgbqkhj.exe

Filesize
63KB

MD5
6ac1503a61082ae8944bc058c59121f2

SHA1
8bc08becad6e3e2e3dcf55871f445f8f60bd34da

SHA256
70d826178cb29b5592c35ceef868ffd4b36eec3c1d821a3858e74044a2379c46

SHA512
349d808fea0d6574091d20db4e09c8f32299885784f887574b271111fe1f88293933ef8ea2f3e3bbe7848cb2f04257c6a79a0cd5f81ee8055e793766b6e5ac27

Download Submit
C:\Windows\SysWOW64\Klcekpdo.exe

Filesize
63KB

MD5
f878d391edda2449aa14ca1f9ac9a64b

SHA1
ec4006565685c8a9751af7b91f3d5bcc25bb8df0

SHA256
f5fe394a2d49e21fee4577144e4aaca82231e2b632f78602a149d2434b3edc91

SHA512
095238334faae1ae730844086a12c7a0b648b944d21723233b3f7b78c3b3cd183e1cf7f0bd0a32e0789fd558c6acb8d10f19a108e22b130fad6ec5856375d909

Download Submit
C:\Windows\SysWOW64\Lmaamn32.exe

Filesize
63KB

MD5
479a8bbbf495aa6fb88a194497f6f31a

SHA1
b5877bb4955deb3a94330fe7428f8396fe98c190

SHA256
aa1532c9670cf7e2121942a46bf3f2ca6e34dadb6c4c6515c9bb445f14fc968f

SHA512
1382ffa84e851986d6285d58b047992bd29b20df19e11167b0fa1cfead6173dd2113c3cabd620599e315842bd6f16379ca071cc504a61687087dc6b72b2151c6

Download Submit
C:\Windows\SysWOW64\Lmdnbn32.exe

Filesize
63KB

MD5
4537dccc0f7625431b8c389e8793cf24

SHA1
2d269ca7a3a9fc404e8b5c0dd3d87be470dab8ab

SHA256
944137db10b561ad048a4e545a1a0a93ecde29a415ef1f5d0e5b3984f334f620

SHA512
c9a204acd66010ac61860323b527f70fad6a58eb1c43a47381c9861d3634dd5792c4c8d6dd396e7a0a0feba2b6f86c68600d388649c7861050347c7a9da7862d

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
63KB

MD5
217e792d2013c598db71d827bc47a1c8

SHA1
86d3a6b72f92fdbaf051b983a30d16f72df04aa5

SHA256
9c91fe739570cb1796a81432094740cf6ce78ce6a79750aae7b355a8ef2c3f49

SHA512
d9bba72ef11c18659b2f269a52ab4417e2693da4dd2604f12c0b30b255d9ab765e2e7ae2e92aeae1b1581de9a1a212d60ebb2dbf902dfcde6102b2020d24b47b

Download Submit
C:\Windows\SysWOW64\Mbgeqmjp.exe

Filesize
63KB

MD5
bd97a4a835943676c480768b7d8a1667

SHA1
aa0c3a6b1a5f9f683351af16e624de28cf028d53

SHA256
1f944760116916d3f211f9bbdc0168c4122d5cea9920d7802ddf94517d1c0808

SHA512
37e93026e22237f854706a13483a783729e42795f685c2fcd983a3908abb48e7db07ea589390044d810c611a4231f519b37206a9413fda04d2066f53a6cf54eb

Download Submit
C:\Windows\SysWOW64\Mfkkqmiq.exe

Filesize
63KB

MD5
4f2d7e4b84a4d3ba3e75f3e7ec564ee5

SHA1
2e0cb5c0793706636b5db09d9ec01135c995588a

SHA256
77edb5d70f388e900c20d42e6946044d996f637cb91b56e5929a5e7840dd1f41

SHA512
2f8ed1963855f200a8fe9b00686db5de4d83fd7d7417d22c13e78725d714b2647d55669870c678b3d04ce9e9a90e628364195368ac2d23819ea307c87201dd91

Download Submit
C:\Windows\SysWOW64\Njjmni32.exe

Filesize
63KB

MD5
dbd9e6dd00eab5e91c5d68612950444d

SHA1
83aa145a8ddac684c7db3af8cf76567bed7ac5ae

SHA256
f62785afb0108c70a7b8c742bce6f43834ac20b395b608560d19f18ed0098105

SHA512
32b34fea375e3821e8691b52c05d9b63ae46bfd0f79d369b777535199d95a6bf9a1c48a5c7f3093cc88537bf36296cd517d5fbb0156cd3ffa088deccf38e3e61

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
63KB

MD5
f1910080cf3f8520d47bbc579097f55b

SHA1
6374b00692cbf0546736f8892739ddce8de148b7

SHA256
da17e8146fe40e70be1eced195ff50c5242d757c4be162c2c879cb94985c6c80

SHA512
6cafba9ec4ab62e8824ac5aa84b0612fca6921bd0d46e74def9098d8a73e1eb2c208cc6da26ca63e30919e86713548141737dc60b45299f872487762c1e4e2a3

Download Submit
C:\Windows\SysWOW64\Ojgjndno.exe

Filesize
63KB

MD5
5cdd8913a36edd6708a4890814258478

SHA1
6ff7c97885f458a79f73233b6e14f4c0f8ca55b7

SHA256
703769178508cdefa5bb3253c7dbb8e9bd74d8592bca7e6bac3ad68b042feb61

SHA512
7dd0b37808d202c9fa23dbb986b9907358d7fb656507af73a2cc7d963ba7968ef95211d0843084ed3e3fc3b89eeb3f52c95e7b8fe1a31230fa6f67de8a317a0c

Download Submit
C:\Windows\SysWOW64\Ojqcnhkl.exe

Filesize
63KB

MD5
5d0c890de0c346d32516cdcbdc2b9116

SHA1
111f033b10b058b36b04da45770e792d03e1106e

SHA256
324bc5a00748c600924200f35e348a8f85b49dd3922b7cb1e4bb7dfaf6c4ad8e

SHA512
7550c00dbabeb29338f4d9b9c861e8b60b26690e0eef16062534ac291c357d8e5a8ac57478ba9002a9bc76dc1db6464fd1dcb2f646c6341d0fec9126c07c5964

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
63KB

MD5
3f6facfb3af0d81c6b692db02d1b191c

SHA1
8f390b970676663da5304bed61306ca6e299cf22

SHA256
97b4d03c655b7049a993f02a4ec926a470c75c646146be62e8658924e89d3cd2

SHA512
3101b06e462dff460432c1c348bd4086a7e1a89367346c4c791a2e342dd5b4f9fdf29adf4b22fa15d7df69e09f86025c9dd6745dbb2b5177861dbade35c05565

Download Submit
C:\Windows\SysWOW64\Ppgomnai.exe

Filesize
63KB

MD5
7513700916edb0eba0d2cfbb82e4010c

SHA1
974b8b0404af799c3ff8add8beee28d4c7fe02c6

SHA256
1c1c6244e9af3beb7cbd878f072b4ed3f6e50ab9e61e208de0fc68fd56546893

SHA512
a4818d5316193ceb93ab36bf37c2796dcea44f81ab732d45bf43efd9b4aea8aa80ecbe2905c2d91b26fc8055c3c87ef522ee8cf326f8df47019b1a449bb05144

Download Submit
C:\Windows\SysWOW64\Qmepam32.exe

Filesize
63KB

MD5
d1b0f3d9df850dac46935f953714b64e

SHA1
c2e99de7932ab5594363f08c0bd7e295bf06efd0

SHA256
45c9e5981e16be4b4a49abc3543b41b97293e90874e14703408903f0ca9aeed5

SHA512
99744446c8e95c9187edb18c904a68beb2fa82ee8d9a36d2b7139f46cb89cc984c570bbea46a05544f1f56a2d45f5cd31aa84ae046e55b91c7d4e11610fa7c11

Download Submit
C:\Windows\SysWOW64\Qmhlgmmm.exe

Filesize
63KB

MD5
bb2e47a80fc3e015da09fb8045e672ab

SHA1
a84916cee7954bc99d9f6fd262497fd17e4fb333

SHA256
118ff63d8376788d5a19c5c7077df0923c1c4ea9b739dffabe987c1a9fe7fc36

SHA512
3df0a7a1e202108e47cebbb85062720fe63f9f0ab735c0e8aecdf55a2372bb001c294a063245134ce71caf69fb32d865cce0684b7c3adf7072a0fb5472644f2f

Download Submit
memory/208-451-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/232-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/232-517-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/380-258-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/408-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-512-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/552-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/656-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/656-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/656-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/724-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/724-511-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/732-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/772-505-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/920-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/968-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/968-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1056-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1128-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1128-617-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1132-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1172-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1172-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1236-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1264-533-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1264-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1584-486-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1720-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1720-596-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1964-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1968-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-595-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2088-499-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2376-518-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-603-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3408-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3408-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3584-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3624-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3716-465-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3716-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3792-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3804-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3816-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3816-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3908-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3908-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3944-534-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3988-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3988-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4016-631-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4016-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4048-493-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-610-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-553-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4100-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4100-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4172-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4204-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4284-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4384-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-480-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4468-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4472-463-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4488-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4488-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4540-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4572-581-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4572-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4580-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4636-624-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4636-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4736-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4912-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4912-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4972-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-439-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5128-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5172-547-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5216-554-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5260-561-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5304-569-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5352-575-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5396-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5444-589-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5488-601-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5536-607-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5584-615-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5628-618-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5680-625-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5724-632-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5776-638-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5816-644-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5856-650-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5896-656-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5944-662-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads