3c55d418e789940277b29ecf4f93f5d123ff4925a357d8bae8bb9418df33cb3d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 22:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

428a053fc46855a91c403ffc8f86c500_NeikiAnalytics.exe
Size

376KB
MD5

428a053fc46855a91c403ffc8f86c500
SHA1

51a3e46ae5837dcd0fd6ddca5fb9efb801d192fc
SHA256

3c55d418e789940277b29ecf4f93f5d123ff4925a357d8bae8bb9418df33cb3d
SHA512

8a1255a89509a50c715c97c451921049913467cea51b8fc679b27b992cc7873dbf18a7fd5fbde27e47649af35228fb894e6bfa618fc16477e7f314b44eba07c6
SSDEEP

6144:9a8GFG6aC7oQ0IV/Atl/AtW1OE43V1+25CzRoQ0Ibl4HdE43V1+2:R050I2mi4lCzb0IF4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdgqfbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdgqfbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjodl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbeidl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbbdholl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	428a053fc46855a91c403ffc8f86c500_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkdbpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe

Executes dropped EXE 64 IoCs

pid	Process
4048	Gmoeoidl.exe
2396	Gcimkc32.exe
1360	Hkdbpe32.exe
1288	Hobkfd32.exe
4028	Hijooifk.exe
1900	Hcpclbfa.exe
1332	Hbbdholl.exe
2848	Hmjdjgjo.exe
4008	Hfcicmqp.exe
3380	Ikpaldog.exe
3532	Icgjmapi.exe
3028	Iejcji32.exe
1036	Ifjodl32.exe
3584	Imdgqfbd.exe
652	Ibqpimpl.exe
5068	Ipdqba32.exe
4268	Jimekgff.exe
2300	Jlkagbej.exe
4068	Jbeidl32.exe
2928	Jlpkba32.exe
3540	Jlbgha32.exe
2316	Jlednamo.exe
1404	Kemhff32.exe
848	Kbaipkbi.exe
2988	Klimip32.exe
2312	Kimnbd32.exe
4664	Kipkhdeq.exe
1276	Kfckahdj.exe
3244	Lffhfh32.exe
3860	Lpnlpnih.exe
3036	Lekehdgp.exe
3904	Lfkaag32.exe
3580	Llgjjnlj.exe
4404	Lgmngglp.exe
3344	Lljfpnjg.exe
4444	Ldanqkki.exe
3880	Lmiciaaj.exe
1080	Medgncoe.exe
792	Mmlpoqpg.exe
2484	Mchhggno.exe
2416	Mmnldp32.exe
2464	Mgfqmfde.exe
4740	Mpoefk32.exe
556	Mcmabg32.exe
4808	Migjoaaf.exe
1032	Mcpnhfhf.exe
2960	Npcoakfp.exe
3412	Nepgjaeg.exe
704	Nngokoej.exe
4892	Ndaggimg.exe
4624	Nnjlpo32.exe
3200	Nphhmj32.exe
396	Nnlhfn32.exe
2128	Ncianepl.exe
1016	Nlaegk32.exe
3304	Nckndeni.exe
5024	Oponmilc.exe
688	Oflgep32.exe
1784	Olfobjbg.exe
3756	Odmgcgbi.exe
3716	Oneklm32.exe
4400	Opdghh32.exe
4352	Oqfdnhfk.exe
2468	Olmeci32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Laapnj32.dll	Iejcji32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Llgjjnlj.exe
File opened for modification	C:\Windows\SysWOW64\Lmiciaaj.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Jbeidl32.exe	Jlkagbej.exe
File created	C:\Windows\SysWOW64\Hmjdjgjo.exe	Hbbdholl.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mmnldp32.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Gmoeoidl.exe	428a053fc46855a91c403ffc8f86c500_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Hcpclbfa.exe	Hijooifk.exe
File created	C:\Windows\SysWOW64\Cbeedbdm.dll	Lffhfh32.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Kipkhdeq.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Hcpclbfa.exe	Hijooifk.exe
File opened for modification	C:\Windows\SysWOW64\Klimip32.exe	Kbaipkbi.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Eheqhpfp.dll	Hfcicmqp.exe
File created	C:\Windows\SysWOW64\Mgdjapoo.dll	Imdgqfbd.exe
File created	C:\Windows\SysWOW64\Hhmkaf32.dll	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Mcpnhfhf.exe	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ifmafkkf.dll	428a053fc46855a91c403ffc8f86c500_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Lpnlpnih.exe	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cdcoim32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5720	5624	WerFault.exe	205

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klimip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odqjbebh.dll"	Hkdbpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeanii32.dll"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jimekgff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	428a053fc46855a91c403ffc8f86c500_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hijooifk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	428a053fc46855a91c403ffc8f86c500_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hobkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnecbhin.dll"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcimkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4048	2808	428a053fc46855a91c403ffc8f86c500_NeikiAnalytics.exe	81
PID 2808 wrote to memory of 4048	2808	428a053fc46855a91c403ffc8f86c500_NeikiAnalytics.exe	81
PID 2808 wrote to memory of 4048	2808	428a053fc46855a91c403ffc8f86c500_NeikiAnalytics.exe	81
PID 4048 wrote to memory of 2396	4048	Gmoeoidl.exe	82
PID 4048 wrote to memory of 2396	4048	Gmoeoidl.exe	82
PID 4048 wrote to memory of 2396	4048	Gmoeoidl.exe	82
PID 2396 wrote to memory of 1360	2396	Gcimkc32.exe	83
PID 2396 wrote to memory of 1360	2396	Gcimkc32.exe	83
PID 2396 wrote to memory of 1360	2396	Gcimkc32.exe	83
PID 1360 wrote to memory of 1288	1360	Hkdbpe32.exe	84
PID 1360 wrote to memory of 1288	1360	Hkdbpe32.exe	84
PID 1360 wrote to memory of 1288	1360	Hkdbpe32.exe	84
PID 1288 wrote to memory of 4028	1288	Hobkfd32.exe	85
PID 1288 wrote to memory of 4028	1288	Hobkfd32.exe	85
PID 1288 wrote to memory of 4028	1288	Hobkfd32.exe	85
PID 4028 wrote to memory of 1900	4028	Hijooifk.exe	86
PID 4028 wrote to memory of 1900	4028	Hijooifk.exe	86
PID 4028 wrote to memory of 1900	4028	Hijooifk.exe	86
PID 1900 wrote to memory of 1332	1900	Hcpclbfa.exe	89
PID 1900 wrote to memory of 1332	1900	Hcpclbfa.exe	89
PID 1900 wrote to memory of 1332	1900	Hcpclbfa.exe	89
PID 1332 wrote to memory of 2848	1332	Hbbdholl.exe	90
PID 1332 wrote to memory of 2848	1332	Hbbdholl.exe	90
PID 1332 wrote to memory of 2848	1332	Hbbdholl.exe	90
PID 2848 wrote to memory of 4008	2848	Hmjdjgjo.exe	92
PID 2848 wrote to memory of 4008	2848	Hmjdjgjo.exe	92
PID 2848 wrote to memory of 4008	2848	Hmjdjgjo.exe	92
PID 4008 wrote to memory of 3380	4008	Hfcicmqp.exe	93
PID 4008 wrote to memory of 3380	4008	Hfcicmqp.exe	93
PID 4008 wrote to memory of 3380	4008	Hfcicmqp.exe	93
PID 3380 wrote to memory of 3532	3380	Ikpaldog.exe	94
PID 3380 wrote to memory of 3532	3380	Ikpaldog.exe	94
PID 3380 wrote to memory of 3532	3380	Ikpaldog.exe	94
PID 3532 wrote to memory of 3028	3532	Icgjmapi.exe	95
PID 3532 wrote to memory of 3028	3532	Icgjmapi.exe	95
PID 3532 wrote to memory of 3028	3532	Icgjmapi.exe	95
PID 3028 wrote to memory of 1036	3028	Iejcji32.exe	96
PID 3028 wrote to memory of 1036	3028	Iejcji32.exe	96
PID 3028 wrote to memory of 1036	3028	Iejcji32.exe	96
PID 1036 wrote to memory of 3584	1036	Ifjodl32.exe	97
PID 1036 wrote to memory of 3584	1036	Ifjodl32.exe	97
PID 1036 wrote to memory of 3584	1036	Ifjodl32.exe	97
PID 3584 wrote to memory of 652	3584	Imdgqfbd.exe	98
PID 3584 wrote to memory of 652	3584	Imdgqfbd.exe	98
PID 3584 wrote to memory of 652	3584	Imdgqfbd.exe	98
PID 652 wrote to memory of 5068	652	Ibqpimpl.exe	99
PID 652 wrote to memory of 5068	652	Ibqpimpl.exe	99
PID 652 wrote to memory of 5068	652	Ibqpimpl.exe	99
PID 5068 wrote to memory of 4268	5068	Ipdqba32.exe	100
PID 5068 wrote to memory of 4268	5068	Ipdqba32.exe	100
PID 5068 wrote to memory of 4268	5068	Ipdqba32.exe	100
PID 4268 wrote to memory of 2300	4268	Jimekgff.exe	101
PID 4268 wrote to memory of 2300	4268	Jimekgff.exe	101
PID 4268 wrote to memory of 2300	4268	Jimekgff.exe	101
PID 2300 wrote to memory of 4068	2300	Jlkagbej.exe	102
PID 2300 wrote to memory of 4068	2300	Jlkagbej.exe	102
PID 2300 wrote to memory of 4068	2300	Jlkagbej.exe	102
PID 4068 wrote to memory of 2928	4068	Jbeidl32.exe	103
PID 4068 wrote to memory of 2928	4068	Jbeidl32.exe	103
PID 4068 wrote to memory of 2928	4068	Jbeidl32.exe	103
PID 2928 wrote to memory of 3540	2928	Jlpkba32.exe	104
PID 2928 wrote to memory of 3540	2928	Jlpkba32.exe	104
PID 2928 wrote to memory of 3540	2928	Jlpkba32.exe	104
PID 3540 wrote to memory of 2316	3540	Jlbgha32.exe	105

C:\Users\Admin\AppData\Local\Temp\428a053fc46855a91c403ffc8f86c500_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\428a053fc46855a91c403ffc8f86c500_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\Gmoeoidl.exe
  C:\Windows\system32\Gmoeoidl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\Gcimkc32.exe
    C:\Windows\system32\Gcimkc32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\SysWOW64\Hkdbpe32.exe
      C:\Windows\system32\Hkdbpe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
      - C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        23⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        33⤵
        Executes dropped EXE
        
        PID:3904
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        36⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:792
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        41⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        49⤵
        Executes dropped EXE
        
        PID:3412
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:704
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        55⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        65⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2120
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        69⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4880
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2436
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        79⤵
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3736
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        81⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3196
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        83⤵
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        84⤵
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1508
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        86⤵
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        88⤵
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        90⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        93⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        94⤵
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        95⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        98⤵
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5016
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        100⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        102⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        103⤵
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3524
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        107⤵
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        109⤵
        
        PID:424
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        113⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        118⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        122⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        123⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5624 -s 220
        124⤵
        Program crash
        
        PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5624 -ip 5624
1⤵
PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
376KB

MD5
5c17c850e8d439244809b76c3c8c9a2f

SHA1
e9c534e6101af443113b2a69c78cfc75fa21143d

SHA256
194bbf2ee7fc84685e54fab2716a9973a1b5a5261d9e15c93631d287552e4304

SHA512
1165c382b20566ddf002861bfae98f9be6a216a22945a630d3d74775a0afc287015360fd07140ba31807f358ff58e4f3cedc6c6fa9ee297668f9d033a46b7f0f

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
376KB

MD5
8de56f34f90ddf067aa72e7b5f7184c6

SHA1
ac136ed329bd25c63aa6164e7870cae7fb950b12

SHA256
3cc044eae37a4c855a88cff69e8c7fb9e98ec444cfcbb9b530b6bd8eaf3e2bc8

SHA512
e5aa539e85e07d5f7ea11549c868aa2343e64216b9c3c5af681ff2a2d9a911f66c54da1e41c3cae6b97965afe8122371df992793967110368c3e0ead46211dc9

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
376KB

MD5
a9d90ee3036cea6c80a25eed85ac4d0d

SHA1
64889f19d8b9a1a1682a2ed2d2025dc450dccdd0

SHA256
58e97f19235ecdb0e5cb0ada8be72ef401f4330500e65515d3f18de49e95850a

SHA512
5977aaa1e15455eec21adf1d856ee22da98d473d55d2759682746d87bfebbe4e72a686ce0fc73307d479aba9936fe6ee7810b5cc8997f1042832e57272f1e254

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
376KB

MD5
02e679bbcd5fda50c71432f471536c60

SHA1
e9d2753650d3840d7d264c4a84ee151541189e58

SHA256
5e1fc79e22950ce9439e72cbcb98055f4d55a65bbebead3c32e999dfb29d90bd

SHA512
c20fc9541849befc89e31f982a071a8a712e2c306c8a63cc8ee807696850a637a1d40af033c338a845a3828932e2a5e4368cc2079fb30f3e500e11f0b21f75f9

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
376KB

MD5
b377074f771d15ad5d916e5b42ad2bae

SHA1
9ddfc39a114167d48726a6e73cc3b2984fe0c1b8

SHA256
464591fcf9eb893f9cdbae4a17d6c596f870c82026a357fcffb6889bdc1ecc3d

SHA512
e8c2c290d70d50466c16b5edf362071279346aef42117ae13911fbaa942db4332fd6c870c983cd27af40a210aa35c75aefecb3b56ad302f529d60c5753b59a38

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
376KB

MD5
e75692e12a65261cd54553d28f2b04dc

SHA1
fadeb3f2ae3268f3c7cf46603e354c8d4cdba163

SHA256
2d878193afc57eb392c486357edf9c2182cedd005c53d0fa7fe0d076fd7eb1a9

SHA512
5bdf771edb1aa6dd9df3a3321326a7c16043ee7d870c4de6b8583512a3f1ad732a3a7cebd422a5faf2006baf62b91d1548aa7e209cbbc86a2ea2255c054bc1c5

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
376KB

MD5
287b6214430365b83ab1403d3122a9c0

SHA1
8d7ad0ea3ae23bf33a96e411806572644a94d70e

SHA256
8afc1db7418ee460dd598541f3d21906c1660227fc489d24af3195a6eb429b44

SHA512
3e878562db55458b4c8fac0feb752d07342ee47945fc5332a3e9849f3909f1e4b305cfab16b5470d7d650dbee6c5804e00ee0aae5c27464b1c10e97f20772a93

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
376KB

MD5
790e8bb2137a721a5fc23e59d17b9c86

SHA1
9ba334f05c85332feb4bf467bef4a86e54434dbb

SHA256
16eb5a141605ae38f07a2638135e72062601fe465de4e4ddce657ca6e74706f6

SHA512
1f33dc72ee6a07726fed38ff5f7c7a107aae2682911cb7465e28e66c765508e414839d9dd7298f180b390378e898bc848be31b0d15f861592ff8e4da5234e39d

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
376KB

MD5
e9349ab91ba430b6ae34290a3a31af8a

SHA1
2e6dacbbe91fac59b2e1a52ea5de124197b96ab6

SHA256
6cf696eccd0861b50d625e4d129c3c821e3a07d2efd39b94d0a69d1f28a196be

SHA512
690ac430fce5152c638c47b0d39663e95ad6908d414aa94d488491a3dd225d2fe95ee75fed3a9bf684d4bcde474e21fc6297b514577366509c1ab2d72d731167

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
376KB

MD5
cfd30f3e9a383a9f9e0dfc6df0e004b4

SHA1
93bfa377411863fc6c877f0f472917c6768cdb05

SHA256
b874910a78522dbad531e0e3fcf5726db5f66df6af1a7ef2b844697cce29fc83

SHA512
edc993b824192c1b27b7d7aa7c9cfcc3885ab8a2a6dd1b8f6329482fdcf4d0a4387a7f266f8d57d6f2c85aefc624abdfeb67c44c15f14629190da5cb4dc09616

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
376KB

MD5
e861b6da1312cb02ebd582e00112f509

SHA1
b0902fcffe5e78bd2c03e95589ad2aed14074b72

SHA256
3d1183087eebd44150d9e792c0672f6068741e888d6e24728d30cc4204480627

SHA512
25d0467849295b04bf0892405f927875d2bbef864e2e9c9717a2c7caaeaeb770c9ac5687331bf1ad5fd317342626e7d6a25903b44353a4c1d771c9bc69ec4ff3

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
376KB

MD5
8229fb7ae99337876f84e340d9bfe19a

SHA1
fe362c94e4e72236a4ad34ac5c1b36ca0b79b07c

SHA256
eaad60a69515e6b233468e17534413453e0bdc4ef7017e4642de0dac3e64a8aa

SHA512
06339beb227d515e2cc67ee4943aa94d229449db9697203358b76bc4589e9027f691bd96604858b2c506da2148f52ad8314c3540e1fdd95484a1be9ce72c11dc

Download Submit
C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
376KB

MD5
4c728deb90cb5137e4f3a88ab7d123d0

SHA1
8362633d2a87e7ac7c9a1f36b05beda840d1c823

SHA256
dc3b1af71d5261d53febfa442d235a2cca2e8aca9e3f385b6c06d1e702330c0b

SHA512
6cf89ec3e504823ab5299f831201cfb2c083ae526b7de3048df2806d2e04d1073c1e0b1ed73a865865f7bd5e3a2784dc08ab6228e5cece1c5e5ae63f0f38c7ee

Download Submit
C:\Windows\SysWOW64\Gmoeoidl.exe

Filesize
376KB

MD5
e4a192515c3adb701d387446aca7f571

SHA1
cea5ff8eb732a1ebc231e1d50ba75273d3a234ae

SHA256
5d82319c5c6444c64e8ce3f0983f9c79863bab37e29e87675543d9ed6edd6041

SHA512
a7b9aac1dc465e09034f5ccc927a8e1076aff2264a036ad50c76209a86f32a5b3393951aa6db1770213aeb8ceeb1cda8f96554fd736dac84f20c036aa0092747

Download Submit
C:\Windows\SysWOW64\Hbbdholl.exe

Filesize
376KB

MD5
a1b8ff0984253b63f0825f163fa8c577

SHA1
cf253ce8a29b0d54e13f542bafd6f32b78f788af

SHA256
99271bb8819cc0589002150ad576bf2dc10df7e12a4bb93b215cca6756cda66e

SHA512
3faf1a3c30a89424dfc7c9ad433e1d81ab9928cccbbe82fb949829a7b2fb30f4f7bd00be3c8c80323c3d3734ad3256ab9ad850566e438cade773dbcfc320909b

Download Submit
C:\Windows\SysWOW64\Hcpclbfa.exe

Filesize
376KB

MD5
d48679783703162258b7da5201c44ee8

SHA1
7b2955c8e8d066ca655a024c01133834f065c345

SHA256
1abdaec58e00299880eae569fa3d876047d21521c9b82d99d969cf37212ec3cf

SHA512
4a80d4730d579751adf87907dc607d52cabe1244a4ab5da68d7be1eda5c591357f6a4ccf62e5402236edb8c9e5c0dc202754e13584b0f99be3198425207e5358

Download Submit
C:\Windows\SysWOW64\Hfcicmqp.exe

Filesize
376KB

MD5
44607d212fb40245a0863ba8b711186f

SHA1
6035e773fcb559c959bc308443cc7e20235f24c2

SHA256
da6dd8c3ff5c0a872695bed43f48b4ad0c1af35dd036d3251f4d23ef9677654f

SHA512
4feba79dd9e0582890558186cf804205bbcc2ab0cbeadf2f9a4cbc972b772d4805046d7497b584e5bcd6c9932fb7a1a9aa7f5d66e355e55f0910be991c189de8

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
376KB

MD5
7c46d108b15c54f2f2e85d6b9d1eb94d

SHA1
7ae0a3184d7757f850cab72051e605ea1e960a5d

SHA256
88e9dff35fa4778b113496b619d8e3bb73b7cf418d354005c7e9a8dedbf5b80a

SHA512
3ed2e854999cc74344e552a58e3cccfa287cbc2e1b6299dfd000559c8cb721c58ee0908297570287a7e37a0bcdcb9e1e6a66244965151b1690462ecaa7a364b7

Download Submit
C:\Windows\SysWOW64\Hkdbpe32.exe

Filesize
376KB

MD5
f4713fa9c703cbb4ca55dd8f16430ab6

SHA1
bfc11bb996b7cdb3cdbc8fddea65ebeb3c7303a6

SHA256
718a43515bb738ef7ecc63a9e45914b1218b18002f808bf0c9e14db1e0ca16f8

SHA512
0ade40b64d751b5b2ba6d49727935b52981daff84e557bb00b73ccb39008f70f9a1214a21fe7b520a49079c3a263f820e2faa147af9f431c28e6c2aa24ec80ab

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
64KB

MD5
cd4b3a7965de5926abd1c2973448db13

SHA1
0c2c6bf2ce0b3975202c0c6f3918cd439c3dd718

SHA256
ca0eb681e89824eb9121fe384a3e0ea1464ddab995d813a54d8ad1dfea7fa704

SHA512
9c7ed6e0c0b04bc973bfd3d4645ed2d46a31afb66fabb8110d1a4bf9628baca67413f797790b8fc7ade5bc6aeb3326ffb9912fe99ce5d872dfa01b3822c46aa8

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
376KB

MD5
5d274287e73dcc83279e3c828b54044c

SHA1
a0d30ac65ca33ecf92ffe38511c070c97449900d

SHA256
c90ce772c6de9d3b31f6c73931ae9490224961382ed78821b165e6cc4f0b18e1

SHA512
59efc707e8ade3272a8a5ebe4edf13a6c3b6d4a712290de8afab9588da4a38fb2fe95ac18e625ca4b87d63050ab8447d412ae74c39223225ea015ffc59251d9f

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
376KB

MD5
be4ef04eead36b5bac3fc9a61be55b94

SHA1
f465dbd4650c2ec158c91ada292a82acad84336f

SHA256
7082e4a4f023bbeac292a48b95fd15c9f61aa8cd6a4bd9c5aca76eb8d2239b2d

SHA512
e1e50f61ab18bc605625ff58af13346ac9ec9f5d8f70887dd3fd2050df94fdbc6b07d3cda13c4fd52c6d29f0e82dcd583583ceae7bf9f5fa941cf8117abc2c6d

Download Submit
C:\Windows\SysWOW64\Ibqpimpl.exe

Filesize
376KB

MD5
4fff92b739e904531762eea1b36cb750

SHA1
4a65388fd1d83aa97f1e400abe9533a39c8f0511

SHA256
73e69f66ef89ec1acf1c1506d89b96c066114d284bddaf54621ba9928467aeac

SHA512
0ec5c3a1a8372cc02a53974d3650eabd5d8937ad8d24f5b2b0e29461823a13d72e373b93a707c21e82ebc0596068e8cb10a330d7b0120ddcd1e3c4a493f58ed2

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
376KB

MD5
79d2639b56a6a502dece0ac861af266a

SHA1
2a4fbc0d01c90abdd329d462dc841878e665f550

SHA256
6c87687f7f3dea06e27880a549ca068d715552019614af3b4c6b2c65092d0473

SHA512
72cf33129a3e3d35c8fca81422bb2218734fee4e78984d4a9e0bcd944b029824a7fda323fa0e26fef497f7df88a1c510b84e72b5d164d97ac313fce5bfcb5d5b

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
376KB

MD5
e8ca2d7043cbe7becc78cf5a27b892da

SHA1
db3a625224247a3bc7f8315a538e9fb1a2baae3a

SHA256
e2486d0f946633c67ef13b6d4815afcb93be86fd8c826cbaa9c40fc615c3f92f

SHA512
6a0efaea5a7c39837c499c5d93987904bd7a99556cf79ca1b6ddd852d77f0602e3b3358bbc744a66da431500e9c7e8dc7002779e47c3408d920d65a5c9568e98

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
376KB

MD5
4222051faaba9b6beb2825fa38638dc0

SHA1
e6f444339ccabde3f7e19d605838866101a6535f

SHA256
89dca7d551838230c51cd6e0b75b15ccfd1dd32631e54a102c04ab8996b917af

SHA512
b60c6d3b34cd5329e02d6bd3123df0ddfcf66372d8e45bcb93fa31a18ea665e796307360da677ca4d57a61fe5b6d048ece5ac83ffa76d79910293495d90a9006

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
376KB

MD5
d0b2005d841127de3b76d16aac58b9fd

SHA1
946fbec43f56d98ef7038f065aeb63c846291af4

SHA256
e6abe0463af736ee5bcb0f50db861cf4f4dd53097d250b7b366172a7fb13b568

SHA512
89f75c654d473f27830359020065230e735aad5f98f6795b26515bc82005a2ef40a09481abe4e205d6fd3a9e456ede95f003c854a47b1d8cd9d8a07e3bc0c362

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
376KB

MD5
2aa43d4e252940308388bec3fb5f6a27

SHA1
23014755e12c000bc69f2d9cd12f8f3c647b9821

SHA256
d16e3e88ce3d18f96922da9a7400562f23701ec6306cf1ede1439bbec4de45ac

SHA512
9aea787730855890318af06517f60f2f4d0ad5d506bd36697bdf6761c5d5618e64091535a37180c7cba4d098ca961769e8e91916ddc3f5009efa6663c91ebd4e

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
376KB

MD5
67dc1109912a22ef7faf65eb1f1c61ea

SHA1
5d40f2744863dbee5be69c8f55c691f76d105b57

SHA256
bd22a2445e7562a0d4f2a06a78e5d6e143efe1e85f13e815d41637b67ede927a

SHA512
4afd4a35bad5ccbfea125881d2fe367a5a4a5b9b967bbc105edc259ff90e4048beaa5db3df2eaec7169caa8a79e5a9ec1531eaf7bfcfac65f1b82c7d56b185a3

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
376KB

MD5
c0e8799b99b74aa37e15b2bc2ac71276

SHA1
408c9562b9c3b32ffd03c8efc08c31563b12c061

SHA256
d7d205bd29bdfd3e7f556f648ae92d73520ce48058316c6e96ffb3868425c035

SHA512
75ca7eece5bfb095396f98bad70b2b970be1a6fab8d88cfa3e0861ef40d6a7b7be7f7850dd15c3c1a47c773e87553c1c7bdba6f93731f03851828dc18678fccb

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
376KB

MD5
ecdfde33f4e4ef96f09262472eabfab3

SHA1
c244dbfd01ce1379b5cbbee3c806d796a8ae97f3

SHA256
16734fb2480a7f1851aef8a13b9f738de4f1014897e3c22ef6aa30182f6a8d7b

SHA512
ccde37d43180678fe83d08468bb9f9cba7c190981c0532e1633f4fc5168eaa8dc5c85c3b0df16ee8127ffec68687a3754e0424ce6249b6f6f9575ba83d5774bc

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
376KB

MD5
501e5194d44bf8f6c238b29f25a8f88a

SHA1
c50a63f4086484a2227fb6adf6b4db24dafb6fcd

SHA256
db9f4f09d62619957625bbb7855353f96f2ed7c268558b5890528c803aa08ecb

SHA512
58ea4c3e1fcecc60f11955f1cfdd5328165705f87d0d56e1a53fbf2aa31cc1f05475a2e908022c22a79079aec9a5e03209db5e8650a9c84b29d0ff92f0a2f813

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
376KB

MD5
5df1c73e228b5b893deb80d0afabb13c

SHA1
082be6e7b3402e4d4147111adb38f141beb850a2

SHA256
abd465cad24cc693ac83b7b8503e58211e70b22af2bf740c2cc2febd0945b0e5

SHA512
4c0e714fc38457849b1f85296f98027997ad3ebaae8fbcbfc669586c11d774b268d8d5f99a31581aeeb77e2d965e9d6085ef215cf5f6f801af550cc43782b165

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
376KB

MD5
ef6f75178004562e906a173b54296d1d

SHA1
dadb55cd34a6c780e433c7dde477c73f20ee9e56

SHA256
d45a3f0240d69809a8a8d3ad4af1f1d65d7f542566e408ec5e2ed9bf6ad38d35

SHA512
27aed408772e54e0294dfd7b0b6b8bedd3813021319e5b577305fea508604dffb06dc3cb2e9fcdece6b506d38e8de71a4cf66aa11efd4a620c64078db8c7280b

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
376KB

MD5
2b98eb445357550a782bf00fed09a8ec

SHA1
8dc0f15435c220e180164b8e74120ab8d59703da

SHA256
0051d75fa01f29c089131e132ca08320541b408489980abc9ff84bd042e1fa81

SHA512
7e176db64c3e5874eb8ce50b9931979d3235221ebe3f71bf1d92208db692d0f3693a99ddbc021c820bf4201280b77c15d7a0a880a746735f9beb1568dc879dcb

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
376KB

MD5
a45190e05a54e8e64d36aa827544328e

SHA1
32030a4327e49093c596ae9d7632ae2b07098f66

SHA256
0977e6cee9c0f6eee2deb882f97f37e49cda17778e0285a4b0b39f6ae695843c

SHA512
4f47cdd6847491a781191b8d96e187fb41eb647e39ed88f935bc63b8d4f80082a73447da050be53cc93edb313b022f70e17dad38c391618b6c683525843e6c1e

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
376KB

MD5
665d52973458327de6ec0da9d31e0422

SHA1
00b87dc9bf37832d4c95ba59ca1b4ad3b006cf34

SHA256
33aaa007adb2a58bbb73f5d1eb9d9f08d662c2ba6be7631be1779dd24fddf4f0

SHA512
fff2835c519e0bfb64190c85fcfff22b958e0bfc5a3b7c1e40d553f5fb8f4e7d00d1e0178b2a373e9523e8fc69874f1890cba01c4e9fa238b2d347ed74a4c562

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
376KB

MD5
092ccd9868a4a38b8eb12a976a0a337a

SHA1
75b966182105246d95470a79ce292d95d7217b4a

SHA256
8b727c0d18ca4f0c2b2b675e1cdded78afe431e669d66f8b7d05a4e811abebc0

SHA512
0cb8fe430fa902b9eea70bc641a0a4ede8430c5692eaa2ae1cca91ff24d4f29d18c65c0a2c034a251658e9f76dc4dd94e05403316ea466914f39922ef282a8a8

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
376KB

MD5
4b7f4489b4c3c459b7a7dd654bd23dda

SHA1
c3031d9b2e8abc30b7a6da328c00875188c43dec

SHA256
1e7aea5716a6e8d9d4275a3edf520debd4301e25441d5dee805e76425b8f94ac

SHA512
79e8a82a96be675a7b258f929985627e8c00c548af0e7f40566ec2a2c358164b35fc4b6563af69f229def254ddd2074e5331df0254bf653921d7123eac209808

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
376KB

MD5
97be01983483aae9cca2a313e9e0ac92

SHA1
d8c53c619ba7291df843cac5f3440287099b80b4

SHA256
d683e1ef7ade1447eb21b1dd5db8ac4f98e4d8c1bd582668c0eb32ec7f4ea4b6

SHA512
66e90fb904a07a57825af745b9da1d174e9774ff0eb192de35ad284b77d5d620b754ce9c9297454bc77218454b603c89f78c5f5715cafdbe58b4925342eb4151

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
376KB

MD5
3a8d369e8f5d27aea55a1d9f7f04a79e

SHA1
8ce09490e1ea52a6628c34f72287ff54a9fa70cd

SHA256
9e1a565234a1058d2f4bf309bdd5fe9494de83eb2da4e1a1a8bb9dc57f3775eb

SHA512
b21af05833f7e1aeca2dea3fe30690148a05f9a360eccba2d7e69908c0f163ccad2cd6444b7d155ee1bc15fe5b0e4d3691c468488abfe8ee59a751aa9effa8d7

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
376KB

MD5
f7a2f46cc84d2693477d28b938f1562f

SHA1
905e918421cb8f15aa18473bb89f6c7ae4b61583

SHA256
b1f137322e4240169c7458ffad1a1c4e569111410649a6f47d42139c49bd2fe1

SHA512
050fdad18102d7c950f7a0a62acd1d1fd656ddfe3b23ead27306e022441eda9e97fdce6973e3145b82d37f1d7cefbb2f60ddfd521c135d6ae2d67a95971f5595

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
376KB

MD5
7c44db4f3a5a860f8bb5311dbd11f824

SHA1
496ec500b9a0bfd7d708c3728e77764d963a8da5

SHA256
3822d2123787cf0113300d5ba693d730b1af8fc06d771bf29ba437234bbb0372

SHA512
cb019c45c158c3cf1ab6d6915951ddf786a5f5b43ef66716d0503ebaec9093c69dbae91c2652beb3b5129dbc1ea2416debbd92d1cc946e66a5de4ace08f0681e

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
376KB

MD5
99b586683a1f73dba0f5bd18f1526dbb

SHA1
c3cd2c8abc6c9cd35a6d2d4b643efc3f9039fbe7

SHA256
5f27d9aa294e08a19a3987b9a4446e47c26c9a68ee46b14997056701308f20e6

SHA512
d1625f8fda2357f42c81e63474b986f220441f3cee51e4b3c564c404fb0a9649941909795d79a43c2f30e1bff4a38e7f7e04ca9f64a6e5abdf93c567b2afc304

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
376KB

MD5
b94921db1cf612f32076fcabfa7fd010

SHA1
9be2bdc56ebd9ed9670a306056d371b0c85b7ee1

SHA256
4ac506c1e888b51ce2145ee4e3ed11b0bda1d3125e2fcdd6b800bd95437ae54f

SHA512
aede98cae330e39ba23b6306a9aa75078fe74b06ca79267e5a1b08418c2a205096d5d14dadc392e6a5abed138b6dfb02a1b5a7324ced82c6941c84f294433a53

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
376KB

MD5
77398f29c67c4e60b05173a9c6dc341f

SHA1
db24f911374e864a33c187ce5df71e3f5d65ae3e

SHA256
dfec0da3cec23b61bdf01fd5d3c6ffaf383cbea2d98f5ac0db1449f3ebd4fcdc

SHA512
d836fd24be1467a177cd9dc8cfbf4cc25deda4cb2eb33657da9478b9882db9b1d4381fc40070327bbd65d1ab43d93984f9100fe057c41dbd8dd06edfdfee656b

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
376KB

MD5
994a6b89f7dd79eaf13f42c0fd01d746

SHA1
c8bb2e37b76f5f170a1880dec03485cbf5db6893

SHA256
07b5ae400cb29c59aebef3b3e14504c3612d0325a725d34058602febe9fe626f

SHA512
3f46deaa97523ae4d80fd9e6c0ee1f89aa4ecf256e4e45b0a0603237cfc58a575c4e1dc718deb36cd8ab39cc1dd312da1aa623394599cf33476e1054ca362b33

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
376KB

MD5
5592e13e786b14a7a3796b0dc3c96761

SHA1
b052bfbdefcdb413e6241a951a0aebfe0a2b1f71

SHA256
bc778004f029f2fcf927262956088721f755dd5f26eaa051fc0ba0b350229b73

SHA512
10c03fbc44773f981179a698ba4879bfb66f7c1ad291cd11e97ba017d708954ab7fb68caf6239faf341c1f9d4d44a5b32182358e18aac773efc97417b79d8201

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
376KB

MD5
b71eb70feb25202dd9c083bc5b907c78

SHA1
1e64a0dd2cc91a9d64bd02692c6de41c6e52d549

SHA256
fd7e2503ebad06fd2828cbaa392dc67650fe701c38676407e838e3b5ca27b7fc

SHA512
bdcf9667be3121f6ec84d58be9ac3d6333dbf0f66accb3b225ad7018ae2108a6c1058a0786de668600f35b8a207f369f861828fd2c6a6cec04d0a9877d6bcc42

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
376KB

MD5
90bb6b24246c65d2c17eba6a5ee7db1f

SHA1
5a189209669a3933d8217737c77cea6eb86b6ae4

SHA256
b7e5f44b8a52bb08800c51c7737c0c6109e042e2a66e05b91d5b9f0c5f859001

SHA512
afb64898453f8223a0aacb2adddba9b83bb910babaefeb9bcfe8996aaec54c6280a24c95cb253be5490a142ac8a4fd6071dffdd1fa12a4365dec854e1b5bd1de

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
376KB

MD5
21c79dac562f6e9cc8fec33866832326

SHA1
3a0a445e8ec45704588636499ab6f8964016beb3

SHA256
173218757a486d725f5b98100cf960e8a164d14ac7583cb3bd94bf552b3e084d

SHA512
f85bb187dd842da2bb9cdbaa980c7bdddf9f4cadb6d90449c9cb93a171b0b29bde4bd82ab02285295b1e75af78bc7dc57d6f41a5bf2cd7d8687a9a0d074575bd

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
376KB

MD5
5a77881f54955e84471e331cba9e2082

SHA1
ac1fe0a17b29f7d1f65113737ee4dee96db26b1e

SHA256
cba68573b0c457d0178f7f3f935ec0cdb5e75565d9d2db894ccce099c661d46b

SHA512
32e8679a6deb2fabe18f13cd6b12fedc5011ab4673f8301aa16a6a3a4f98030df43a8d03e5504535d118acfe8bb63f3378335db14fb8ff5d9ec3230936581bfb

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
376KB

MD5
ba429917c40c3398d214e9a10d540179

SHA1
cca4a1cc58119e00f71a5a759e2f4c57fc8b1216

SHA256
0424524cc9410286e5e4cdd2b4cb92ad78cdc4762dd40dd4984bda056996843e

SHA512
6c89ecad3d6189c228562db530a4ff05a678aa4f63eb3b22d1cbc972ae9f2d81aabf75c101f1c2b94ed4b4e8251e83959db99364bbadae92ec29db3b0b4c28fb

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
376KB

MD5
eee5c18cac4f9c90ba54fb75caa812d3

SHA1
7fb5f0e6972192fc1e84e290b40a68f0d21a7376

SHA256
a6c0eb058e4f1970840aed11e1f1546125da2709f8aea91999099e5879161395

SHA512
a4b1bba9f3cc316c42a8d638aab2faceb8f054ef5c2b1aa6f9393b1b978f6d09768129f414c52af562a591b41efefd34100eb389c51aa8a195585ae5b4fd04b6

Download Submit
memory/396-380-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/556-327-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/640-890-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/652-122-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/704-356-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/792-297-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/848-191-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1016-396-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1032-339-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1036-105-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1048-515-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1080-291-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1276-224-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1288-33-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1288-567-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1332-587-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1332-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1360-25-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1360-560-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1404-184-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1508-568-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1620-873-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1780-463-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1784-419-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1876-595-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1900-51-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1900-580-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2120-928-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2120-457-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2128-386-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2276-528-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2300-1025-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2300-144-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2312-207-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2316-175-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2396-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2396-553-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2416-979-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2416-309-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2464-315-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2468-445-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2484-303-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2604-561-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2808-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2808-534-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2808-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2848-64-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2848-594-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2928-159-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2960-345-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2980-487-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2988-200-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3028-96-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3036-247-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3196-551-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3200-374-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3232-517-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3244-231-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3304-398-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3344-273-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3380-607-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3380-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3524-850-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3532-613-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3532-89-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3540-168-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3580-261-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3628-481-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3716-427-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3736-539-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3756-421-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3828-588-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3832-475-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3848-469-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3860-1001-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3880-285-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3904-255-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3964-888-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3964-581-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3980-614-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4008-601-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4008-77-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4028-1051-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4028-40-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4028-574-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4048-12-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4048-546-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4068-1022-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4068-152-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4268-136-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4284-451-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4352-439-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4400-433-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4404-267-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4444-279-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4464-499-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4516-554-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4624-368-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4664-216-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4740-325-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4808-333-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4880-916-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4880-493-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4892-362-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4972-505-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5024-405-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5068-128-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5212-837-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads