b6123f66e74e026a7f753671e7cc5c5177a9d2344aa7ea70fbcd15aff4ca7ed4

Analysis

max time kernel
140s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9562ad4c56a27a6c3ce68097d855a2b0_NeikiAnalytics.exe
Size

422KB
MD5

9562ad4c56a27a6c3ce68097d855a2b0
SHA1

e8b65cb0dce9c63036ae331574f09d882dd2402e
SHA256

b6123f66e74e026a7f753671e7cc5c5177a9d2344aa7ea70fbcd15aff4ca7ed4
SHA512

96fe5786306e30d0c00509ca036aa098b37150b76556b0ec6a3fa91d7cb89bff43ab5161df816bc8d219e6daf7979e3a3f24f83bf7d38f58b49ce96f7dd59adb
SSDEEP

6144:2Xdyftk8FFebabO6FSPnvZU1AF+6FSPnvZhDYsKKo6FSPnvZU1AF+6FSPnvZq:2YPQGaXgA4XfczXgA4XA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kikame32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe

Executes dropped EXE 64 IoCs

pid	Process
4136	Jpijnqkp.exe
1268	Jfcbjk32.exe
4896	Jianff32.exe
4756	Jmmjgejj.exe
3888	Jplfcpin.exe
3936	Jblpek32.exe
728	Jifhaenk.exe
2196	Jpppnp32.exe
1992	Kiidgeki.exe
4300	Kpbmco32.exe
1284	Kfmepi32.exe
3128	Kikame32.exe
4240	Klimip32.exe
2712	Kimnbd32.exe
2492	Kbfbkj32.exe
4516	Kipkhdeq.exe
3252	Kfckahdj.exe
1060	Kibgmdcn.exe
3344	Lffhfh32.exe
5076	Lpnlpnih.exe
4168	Lbmhlihl.exe
1872	Ligqhc32.exe
2476	Lboeaifi.exe
4320	Lmdina32.exe
2588	Lpcfkm32.exe
2532	Likjcbkc.exe
4412	Lpebpm32.exe
5052	Lgokmgjm.exe
1852	Lingibiq.exe
2136	Mdckfk32.exe
4164	Medgncoe.exe
4360	Megdccmb.exe
2704	Mlampmdo.exe
2368	Mckemg32.exe
2036	Meiaib32.exe
2844	Mmpijp32.exe
5000	Mpoefk32.exe
2972	Mcmabg32.exe
1016	Melnob32.exe
1340	Mlefklpj.exe
4396	Mdmnlj32.exe
3260	Menjdbgj.exe
3436	Mnebeogl.exe
1580	Ndokbi32.exe
2796	Ngmgne32.exe
2316	Nilcjp32.exe
2664	Nljofl32.exe
4376	Npfkgjdn.exe
1040	Ngpccdlj.exe
368	Njnpppkn.exe
220	Nphhmj32.exe
4304	Ncfdie32.exe
3932	Njqmepik.exe
4692	Npjebj32.exe
428	Ncianepl.exe
3444	Njciko32.exe
1456	Nlaegk32.exe
1372	Ndhmhh32.exe
3904	Nckndeni.exe
3324	Nfjjppmm.exe
4912	Njefqo32.exe
4464	Oponmilc.exe
4432	Ocnjidkf.exe
1896	Oflgep32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mlampmdo.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kikame32.exe	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Aoohalad.dll	Kpbmco32.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Fbnkjc32.dll	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ippohl32.dll	Jmmjgejj.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Kfmepi32.exe	Kpbmco32.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Qoecnk32.dll	Kiidgeki.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6444	6240	WerFault.exe	256

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benlnbhb.dll"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jblpek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 4136	708	9562ad4c56a27a6c3ce68097d855a2b0_NeikiAnalytics.exe	87
PID 708 wrote to memory of 4136	708	9562ad4c56a27a6c3ce68097d855a2b0_NeikiAnalytics.exe	87
PID 708 wrote to memory of 4136	708	9562ad4c56a27a6c3ce68097d855a2b0_NeikiAnalytics.exe	87
PID 4136 wrote to memory of 1268	4136	Jpijnqkp.exe	88
PID 4136 wrote to memory of 1268	4136	Jpijnqkp.exe	88
PID 4136 wrote to memory of 1268	4136	Jpijnqkp.exe	88
PID 1268 wrote to memory of 4896	1268	Jfcbjk32.exe	89
PID 1268 wrote to memory of 4896	1268	Jfcbjk32.exe	89
PID 1268 wrote to memory of 4896	1268	Jfcbjk32.exe	89
PID 4896 wrote to memory of 4756	4896	Jianff32.exe	90
PID 4896 wrote to memory of 4756	4896	Jianff32.exe	90
PID 4896 wrote to memory of 4756	4896	Jianff32.exe	90
PID 4756 wrote to memory of 3888	4756	Jmmjgejj.exe	91
PID 4756 wrote to memory of 3888	4756	Jmmjgejj.exe	91
PID 4756 wrote to memory of 3888	4756	Jmmjgejj.exe	91
PID 3888 wrote to memory of 3936	3888	Jplfcpin.exe	92
PID 3888 wrote to memory of 3936	3888	Jplfcpin.exe	92
PID 3888 wrote to memory of 3936	3888	Jplfcpin.exe	92
PID 3936 wrote to memory of 728	3936	Jblpek32.exe	93
PID 3936 wrote to memory of 728	3936	Jblpek32.exe	93
PID 3936 wrote to memory of 728	3936	Jblpek32.exe	93
PID 728 wrote to memory of 2196	728	Jifhaenk.exe	94
PID 728 wrote to memory of 2196	728	Jifhaenk.exe	94
PID 728 wrote to memory of 2196	728	Jifhaenk.exe	94
PID 2196 wrote to memory of 1992	2196	Jpppnp32.exe	95
PID 2196 wrote to memory of 1992	2196	Jpppnp32.exe	95
PID 2196 wrote to memory of 1992	2196	Jpppnp32.exe	95
PID 1992 wrote to memory of 4300	1992	Kiidgeki.exe	96
PID 1992 wrote to memory of 4300	1992	Kiidgeki.exe	96
PID 1992 wrote to memory of 4300	1992	Kiidgeki.exe	96
PID 4300 wrote to memory of 1284	4300	Kpbmco32.exe	97
PID 4300 wrote to memory of 1284	4300	Kpbmco32.exe	97
PID 4300 wrote to memory of 1284	4300	Kpbmco32.exe	97
PID 1284 wrote to memory of 3128	1284	Kfmepi32.exe	98
PID 1284 wrote to memory of 3128	1284	Kfmepi32.exe	98
PID 1284 wrote to memory of 3128	1284	Kfmepi32.exe	98
PID 3128 wrote to memory of 4240	3128	Kikame32.exe	100
PID 3128 wrote to memory of 4240	3128	Kikame32.exe	100
PID 3128 wrote to memory of 4240	3128	Kikame32.exe	100
PID 4240 wrote to memory of 2712	4240	Klimip32.exe	101
PID 4240 wrote to memory of 2712	4240	Klimip32.exe	101
PID 4240 wrote to memory of 2712	4240	Klimip32.exe	101
PID 2712 wrote to memory of 2492	2712	Kimnbd32.exe	102
PID 2712 wrote to memory of 2492	2712	Kimnbd32.exe	102
PID 2712 wrote to memory of 2492	2712	Kimnbd32.exe	102
PID 2492 wrote to memory of 4516	2492	Kbfbkj32.exe	103
PID 2492 wrote to memory of 4516	2492	Kbfbkj32.exe	103
PID 2492 wrote to memory of 4516	2492	Kbfbkj32.exe	103
PID 4516 wrote to memory of 3252	4516	Kipkhdeq.exe	105
PID 4516 wrote to memory of 3252	4516	Kipkhdeq.exe	105
PID 4516 wrote to memory of 3252	4516	Kipkhdeq.exe	105
PID 3252 wrote to memory of 1060	3252	Kfckahdj.exe	106
PID 3252 wrote to memory of 1060	3252	Kfckahdj.exe	106
PID 3252 wrote to memory of 1060	3252	Kfckahdj.exe	106
PID 1060 wrote to memory of 3344	1060	Kibgmdcn.exe	107
PID 1060 wrote to memory of 3344	1060	Kibgmdcn.exe	107
PID 1060 wrote to memory of 3344	1060	Kibgmdcn.exe	107
PID 3344 wrote to memory of 5076	3344	Lffhfh32.exe	108
PID 3344 wrote to memory of 5076	3344	Lffhfh32.exe	108
PID 3344 wrote to memory of 5076	3344	Lffhfh32.exe	108
PID 5076 wrote to memory of 4168	5076	Lpnlpnih.exe	109
PID 5076 wrote to memory of 4168	5076	Lpnlpnih.exe	109
PID 5076 wrote to memory of 4168	5076	Lpnlpnih.exe	109
PID 4168 wrote to memory of 1872	4168	Lbmhlihl.exe	111

C:\Users\Admin\AppData\Local\Temp\9562ad4c56a27a6c3ce68097d855a2b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9562ad4c56a27a6c3ce68097d855a2b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:708
- C:\Windows\SysWOW64\Jpijnqkp.exe
  C:\Windows\system32\Jpijnqkp.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\SysWOW64\Jfcbjk32.exe
    C:\Windows\system32\Jfcbjk32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\Jianff32.exe
      C:\Windows\system32\Jianff32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4756
      - C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        29⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        30⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        31⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        37⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        40⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        41⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        50⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        53⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:428
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        57⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        58⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        66⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        67⤵
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3912
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        69⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        70⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1780
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        72⤵
        
        PID:424
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2220
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        74⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        75⤵
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        79⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1180
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        81⤵
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4624
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        84⤵
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        85⤵
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        86⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        87⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        90⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        93⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        95⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        96⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        97⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        101⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        103⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        107⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        110⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        117⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        120⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        121⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        122⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        128⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        129⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        130⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        131⤵
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        133⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        136⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        137⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        138⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        143⤵
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        144⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        146⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        147⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        149⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        150⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6700
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        154⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        155⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        157⤵
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7012
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        160⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        161⤵
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        162⤵
        Drops file in System32 directory
        
        PID:7148
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        164⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 396
        165⤵
        Program crash
        
        PID:6444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6240 -ip 6240
1⤵
PID:6412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
422KB

MD5
32e02e4c88f9429f5262f39c47e6f09d

SHA1
11de9da07e818ed94b0c4ddb5ccc36f530c342e9

SHA256
552a362d98b7f53efe71e13aa5985732940daec0474bd1ba7d92fa7ffe5b8cc5

SHA512
84816dab94256e118c9040b64d88c92d59c36ee522336219600a75d38ebe2f86a57b4c3cd5b6fefa5a6c7a4da7c6dda022962a015f6659feded7eee6d5568426

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
422KB

MD5
228caaca39374f25cb7fd46eb7c00d74

SHA1
ff89777132fd5957452db11f50af25fa23457d9d

SHA256
d0b7d8394e9a105e15ae2f23938535fa2c1c7df2761a25a947dbf1aaa406d7ee

SHA512
b7d8564c9b23fa85fa2ca2c49fcdc40d5436a153fa83a142fc1832c7bf6c62b3603994b84026f74576bf811ebcff16a78ca8836897196bf1cb29941a754d901d

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
422KB

MD5
535ae33cc781b6cd3805d2239943fe06

SHA1
f319661b442ee56458317a8c0474f90916358665

SHA256
505d54b15d1c1e075ac7f74480e94c4f6ab3cd5d914a2e8e5e1719496011db48

SHA512
c92bbe244b45941fd0afd00ab430858e2259480348ff63b4b4306a5d890613f80c51595d11fe6529b932a20d619e338d67d7398f4865f898ea83378ee49f6014

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
422KB

MD5
77c3c067ad07af54a1feee7a8cd27efe

SHA1
ba6c8e9b5a4de174e24450f4d536ed4ecc769280

SHA256
aefb9a2b3b7673f09f6a85e8bb3b89e13cabd709534692f91220ad574eead6bb

SHA512
9fcd72db476ff63c47685b2894b1ac39178f92525021a862d3c5c29b3e20e7ceeae951e286a52f8d61584f6cbcf1d3e8958568661e49565376592a58f75a73f7

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
422KB

MD5
8bcd08fe2a58ae0e865846481c160ee0

SHA1
3a5729088ac5be37219da15841bc03eff168f1df

SHA256
6f309ad7fd84994da4258f7884418578e68935b74b2917e01e85c2d02d332fdf

SHA512
24954b6ae29fe7816f1683dbb7cf1c77d51a45cbedf4219f7d05f2b771efc8624076b928a8b463b5d3f64d9aeab2cf4492ba577dc75ff4d0df12e5ea599d89d6

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
422KB

MD5
3243369096a4a62b6b7e9d023e86d76d

SHA1
a514f25b936062bfe396c6b08f5d2bae12af8c8d

SHA256
38381478b9092e3359059ac27fbb2288b14e45d71474990cd5cb6cb09bcb95fd

SHA512
8299e14b6ead8e37600a2db64bd2c8c7bf5973aa3f27611e8db996ee9bc94cdb92fd96c28bd53020d024db7a58f31b0ad5a93a59e2399cb72aa3e0f8a441a95e

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
422KB

MD5
8b716b79c52ed071d0f2813fd9bd443e

SHA1
f2db18cc47fbde72ec592da1dd815bfcba1e781f

SHA256
dd678a5a4f28e6f3d8c8820a98fbc0da380863ecfd5857fa58fad2534f53cfcd

SHA512
ca614180912f82c67ac1f9913f0d6f5cc3feabbddbb72b953d3ca0e1f2b31ec621f18147dd4e4f831ff4eb528f35023a47ed4c2f6fb520cf8bfeca17617d0257

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
422KB

MD5
0161e3ff8427fcd744d5862e0654e2c8

SHA1
013c72847c9de67856e69dbc6e512ddcbdf489de

SHA256
8399005d885350a32caa48bb430494b2f81e653abd85faf4b809ac606312b28c

SHA512
b58d8d9da049bd0feb772a3d39bc1ecb5c43ee0b6c2ce19e03ae5befef79a85ad73a98c747ace51f9f289aa44d08794adb3566e1a5a6262ba87a719196695eb6

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
422KB

MD5
f415ef0902ebec3b8b8155e9da192a1a

SHA1
9c1e31b14ded2ad655f57e1bca76ca9214d85a11

SHA256
c94b0c02f5d67d7b29ed795f52825e1e45d623c85163f895880664da6f841ba3

SHA512
518256074b7d8ed540212fee1f8e7a4fc7d0254f4e283fa6da05365cf880ece8b75c4c9295e51fda66d7f4a49e6c3b75aea3911d62be3df080055ddae08b53f0

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
64KB

MD5
dd9b608434c1488fcf4368b09decf98f

SHA1
a3aa40db93c72de796479cf94652d71e74f22a22

SHA256
fa352866423a10978b87a550a48dc478763d2a7bbdafb639f0e16e155c4c8fee

SHA512
9e4e23159ee914e46ddf946abea380a2b811b76c947e4ed0fe1081343581dd1875f2b6d184f33359cb30440a83f77a794b1929c276cfeb188fc04cf811cb8bde

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
422KB

MD5
99f933228b39ab6490996005ab23ae2b

SHA1
471668d1832fda29d8743ae327b9a25a755dedec

SHA256
c8b94220368b6e131b3e592ffd665bdd18759275664b2ac1ccccc90018e4d1c6

SHA512
1835b628e516b344e029d1c74d2d696fc13d3957b13be09462f6307aaf6d05c151a3489d17727d4f219ea612846f701545750fa3a2a193160be958ccde0a22a2

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
422KB

MD5
7712a18b8910df2f896ea087c541d29d

SHA1
e88562143128308b22dbed70d8f1845798dc9b91

SHA256
be47082b99dda071c2268086d6c3abcc6b0256e225bebe31f45ec2c7317e390d

SHA512
81c6a8200315a65754dd490a402e5dea195fd9a4d3eeb8e350e8648374e2fbe59f56266bc315f05abdc451eb2e4d3b65c3b7c9f29e828e4c448aab0ae91a82ed

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
422KB

MD5
45268a6bcd4e4d66d44e4846995b6de4

SHA1
dc775bbe606309a555fce081d21e2879b79a4225

SHA256
a08d1a1456a2f7680ecffbbf300c42f89a9af36afa1f4539c0c30fc0f6d14e2e

SHA512
690f11ffab2246a659b0cb6aecc9f45dd1aaec0ebe7de08bef1d278e21c8772d189bc24cf35299c9343d4a6b97f129ab4d2b19cff4bb165c90731783d4048700

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
422KB

MD5
3c3378592dad63258a5ffb37eff97673

SHA1
d83607a1bf975b8a26a02c7bccb4dc265cb8403b

SHA256
df2d339e4d50428ede88012feeb4a29a49eb5b97f7822a40afbc8073bea01cac

SHA512
2194da6f000aa0e72c0745860fd2e7205b9953cf0aaae428f750efc3542d54a05b50bc8cd2aaaa133f66e94b452f780037f71a2771d562d75b8427bf20aac1f3

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
422KB

MD5
875323b4edf5fd5a6cadf9791626df4e

SHA1
9ab735f4fa07530a71a051b8043fa049dc570304

SHA256
bab8b3ffbfda0b8779c99e30b64aff9470455950d7a413bc0706a867a606ea17

SHA512
627573bf2feb027d0d4ead3bb8e549347e934970305840513dc661659dfe19526113f3c0d38e2999188e99b5d8e073d20b74edc8e44db1161cc5bb478ff42248

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
422KB

MD5
78cf18c21ce774c02afa9f8063564ec4

SHA1
cf457730b1ef07359a9bedc281477fa052e33e89

SHA256
394e55b57e069ff9a03b9e911d9ae289bf26fcc4ec2051a00eb2f4c91c19455b

SHA512
a1ca77a3ec5463c0a032e078a0702b51f130cf21ba8e85581010e2d87db8dd1201a05f5c8942ebc7c2781308618d9b4eb012365ef7404121d31367c9adc8d0d9

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
422KB

MD5
ef8b54930cc443ca8cb8fff1bde63156

SHA1
e85fa235218fc449694919d65ee5d522ce5fd702

SHA256
2afbb7882472dba5e03b3b1791e1b3254ebe52ad6b54616b7070bdd14a811bc7

SHA512
a9232b0bd020957a4a535c4ff2a6973d7bf78f8f959fc84bd0d4cdc23f055a79b4c91edefab272d8afebf6c9632521d52dfcc8c3830a281a4ba1479fab0bf2f4

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
422KB

MD5
bd5584de3e4e01fa1797ca82f1434313

SHA1
50d73b39e28cb300b02e5641661b3622590ac0a7

SHA256
b13d38ad1a0b3d06cd15006983a7c189760ddea00ce503e63da04be80b807288

SHA512
33107c53de3ad01c9afef8124d1d9449496716cebbb4f8ad12924eabe88e58554fb5aff014dedb3cb535301145ddb4e8aa180d2d7fd3c7ab0320aef42bc41208

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
422KB

MD5
37f56e8a1cfc34e46deb8526b62e33ce

SHA1
e8aa7a37bdf8921fe83f83143a1c7e6aefc57553

SHA256
f0ce0d66f37ac24a628c027b3b46ab3096ff125cb86a8e22404c32423a1641a7

SHA512
8dc9707abc527d9cabc5cf233e383024eea2909af79d432a1d7c558f76ae990be3e9718b88f8fec47ac108ec268d7db62c30330f57989d9c4abf8dcdbf450ff2

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
422KB

MD5
71c99d668aaa92f9b0207014da111871

SHA1
a8ddb422015754c97c4a80f0b79464263ed08c5c

SHA256
8cf4aa87f1641c12b4f0a1ab4bec152451367b678df397580603895fcce5f57e

SHA512
912a40183a30a66e900b65a53648ad5887fd132ff8eddccaa2d88187256ff8829292e8be317cf09397ef508a997988ecc33ef6e3347c5f07e4f82bc7233f5c8c

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
422KB

MD5
9329c77e9b26d4efa9a714629991ad9d

SHA1
bd9a1429039f279d0847ae6ea3d4e004b5efa08c

SHA256
741f4b2b00a6c0c80d6b034ee2dbc02b619620139145d50882be0fd39e87bc00

SHA512
7efb45777aa938e4e1c34048d040248c9b4782e459828971da65c034a0839ada4a11393de76fd6849bf94ecde8df361133516e1d985b819d37596f9760650825

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
422KB

MD5
19d2d07f7204e007b00f75c5e60baeed

SHA1
37e695c6affea06c035a02a6ff4cc8a4188b06cf

SHA256
837d05ee22ef5c6d28c33cad990dec0bc0b1f2396d99ce4a5c7fb6fb10364e22

SHA512
840196b921938909d3ed97d6e1e25afed7e90bba9bf91e4919287c8dd399d35a0f21d0de4c399f94d81f8ce9ef17df726d436d6a473a079790f2e3f328ca5af5

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
422KB

MD5
16147a64899861da8455c48c4051c764

SHA1
4fb51f1304016a114ab80ea9afd33efe7c839dbe

SHA256
f49a9a5a1b0977f254ed5f705b58af22272ac613ea619d3bfd8fdca9be46190d

SHA512
4de8e83fcec6cb08093146cb6a060eda0994150793437aa1aba9ac3953004fc4c44f5305825ab19d4d458d248b256326e71fe0a8d4c2e0ec5e3ac375c80fc246

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
422KB

MD5
ee8d382b95d39243c874f9fb6300aefe

SHA1
93d7a33ec33d603f2a9fda20699dc81bb25ac7fb

SHA256
0cadf378a70d7c07eb414aa259f11c1fbe5c5ed3d20d24af14e992f2e4565908

SHA512
d61fc38be9682e18f47ec73b7c0bb9ebe8c64e63e1bb05fc884a7efb32ab97da652b3e93372fc9d32fef5f70eaec9a831395a34db1c624291019b8423b30bfc5

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
422KB

MD5
4f6415d6a3f1999dc4d6c1462c44d2e2

SHA1
b9df8350be302823634b0320eff8f9abbf1eff81

SHA256
76ae2e91de99d3c2191fabdfbf39b369180eeb32331b4a96b7a82d030e8653d4

SHA512
33304332adddc1daeb6484b725ee7d067adb879af42da0fb6f257be3d21f0b248f782d6475bed5e80c10c7763f2e426baa32db672d35bf59105bea0b3beddd6d

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
422KB

MD5
afe8f73da86b36cdd61b307e608901dd

SHA1
d4453f590062760a65e95090ecaff78140b13f32

SHA256
bc61150f8334a5502d9f1f37a635a20dd2fdc6a70260eaea816dcbb536a1e4bd

SHA512
29ca1af7433c945e4c21f55427cd2deae65b9ba568efc87a4e151c5286e3611466f7518d3c9ccb78a7d100c61bc4098e396241c2b7c7c7ffa86ee4781ac248a6

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
422KB

MD5
dc1eed985837ca5c7996c5a1c6ba28dc

SHA1
c8b3f37e21ac1094737e2697cf26ba5c3fe821a3

SHA256
31a68f1f408ab7a40de3c0389aa3c44c14a5b9c72b1641f62ce3b87dcc263582

SHA512
2bfc0fd1bd321e268304d86857c5f1272ed6aa89d218f0c8c195fde2297b1b6f19adbc672d92e156279a86410f16975e4eb26cd063b529ab2922968be8cbfb2e

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
422KB

MD5
5321a29aeae1173c7a6de469c2ca40af

SHA1
ebce2a8bd4e2c8666e5143d4d0a7d4429be43b55

SHA256
0b1ec64c0119ea87e88fd3fc8ca6c7c4c7dfd5d2c8bd8348aa392482239d7d45

SHA512
b79ac88f3641edd01eddff521f01292a15e5abce929b2a8fe0a6e2abf894f291c28684a81e63ad174be097c18f1f448c2f039498275a5871a007ea03b6b8b78f

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
422KB

MD5
388df03d29a19d790a7535cfa27f3ef3

SHA1
304cf018b06fe3e94092155e328b80ed8f8329cd

SHA256
f048f46d97e79e99d08b206df8f7a3f5dfbf20721a644985714e7e1bf77ccaba

SHA512
b76322b47ac88d77f1c7fff1cffe0dd3d706698c657512f83713a8c02d5b65acd5aa9584b05957630d8e274ebef47f6d3e3b4836d23f2fe42beaa84b1f360bbc

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
422KB

MD5
60cee301ecdaa70ba8ea9202212a9b97

SHA1
639e25e8bc88759c357dc7f75c3cb505bd4cc56c

SHA256
ee777f152d1a6b595703eb94ce69df332b8add70b86e2c24c5674e659252d40f

SHA512
b7770c54a7fe04dccc0dae8868cff89ac9c1733cea2491b540042afcff949bd30cc2d8be12c689c3b63e33ba7d51bfc35bffa13ef7738f4e732c8b4d3f9adf65

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
422KB

MD5
28b2960864786ccedb2e2d27d7280f27

SHA1
18fb84f703508d9cba0bc5405ecd1107ab688304

SHA256
e3d6dfe34342c056182e20a4b74a1c62190ddf3d194eab46a346de2ddb210e41

SHA512
b857127d9f18d0cf7170727b989e6cf4f5c3d9e8375ac98d1e8c37761403d8527a6e5b10a687772001b48fbb257e6203c91a86057d15423643b696d17c2e83f0

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
422KB

MD5
69584b509d1f6fa4ba9f3d16c5b3ab5d

SHA1
226792ba45c20184609c3bcf64f986c82bbc1df6

SHA256
544d0f73018881e24b9347b279c985ec3ba332ae3f6641684c917027d8c8b788

SHA512
6349c38712f83c99c9782e40d88ee4cfc21ed97c3a00febe3d913f97517dcf15b9d3a2a2a0a07a2bcf808d2a6514f786c235c9566442d1387484951d0d68e672

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
422KB

MD5
98eb1816cd7d567ac01a4d581c01f2a5

SHA1
65f49330cd87feffde7e5583ef8754bfc58b026f

SHA256
4f028348ee96ce7638b9c99dce7c9c574710ab591e77d1fcfdb8978637c797e2

SHA512
236ecdb87681e904400347d86efa8396c1df1995ffcccb771d06db13da4df3f43db347780b17168facb032e593cccbfdba04a37f2e02aeae64f67580f9856c07

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
422KB

MD5
2290d5769c2311b8dfedf645a5da2469

SHA1
37be4ed044b03672cc3026608d33da303add70ae

SHA256
ebd4d8a84e2af465ccc06fc62ba94f83eca92e1215f7a53ea3a865a027a30196

SHA512
c8ed844585793e6d496a3119e87a75aa257df43b165c0959571ad1207f9a6da18ed375b9c67fa304930c5b47b764dba4861fe18be52439e1754a9275de3cfff3

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
422KB

MD5
eb4660ace4f7722a495f381e4326878a

SHA1
1fc18b1f09f882c38cf9cf1245604e394cc105a5

SHA256
a9d5100036912e2790eaff9cb03a8c23fa50947dbb52b2b9cb05dea29c4e2a1e

SHA512
cf0aa597ebfb91d60c9965d929afdec206795bedeb80c5ac41294a683d0b4890a7af81e24f18b6e14d3f9d9d990161fcef8f7300eae70648a62f9450b7b454bd

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
422KB

MD5
0ee7a9004eb11b33365bf14b6da99a54

SHA1
52a5b397beb7e3fcc057aac27f9f972c32932dbc

SHA256
421d05193c02496163d218fef3474005d5c8e40949d2b72783ebc867e358110c

SHA512
78d98915dd946fbb722739770d1163f8124b33ba58f6e9d3f1b96c722957e66768dab504a4cc65bccf92cfd73195ad0cbd0d11d975ed5a3152934c83abdf9ab4

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
422KB

MD5
17a488671f6d6a2f5b28cdd0655a30ed

SHA1
97ba74f738fd1a47324a56650505e95c739673f0

SHA256
6d18f764eee0a335740394237a36990cb17cc208bac61e72e65b1f8f3c99ff98

SHA512
e32d2c7fae733e8624de6a8387ead9e4a079843c12bfa4bc3647786e8057c47cdb86c7e536a228ff1eeddd74a906b5cfb707f58329f08386a6dfb72953f4b86c

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
422KB

MD5
b2efbaadda219c41d03559a2ff30ef76

SHA1
05f651724bd8613a13083e655a5fc1f300876365

SHA256
f36ec4e2a9bf1190c8ad8fe0213522d448a52ee042b8e8c5df3c205e6e4787eb

SHA512
c0ca17373ac70c78525a29ce4bd5229afe8cdcdd7d87eac3418bd3985126b056e484a88f028d3b0bcf5f61db2d08c3fbce5da436cb02ff497a5cbab5232b8689

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
422KB

MD5
957e8fa51965a7daf476d89e77dfd1c3

SHA1
4d6bd279868b80fff1843e405302d116c60b800d

SHA256
ace3a714965145611a40e6aa26117c182ee594b5c1cc46a5f4d8ac3043441108

SHA512
ae16f0abd30e5de4248882574c9f5ae543a55f5a8b5b743901c06b60c2b348ffd31eedb2def77e44695a33782a81cf574f2c808e047b764c786bfd9d8b9cfb30

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
422KB

MD5
eb02b55caf62805092c1973d872b923f

SHA1
80bd7d3a35ed248264b9f6772f9a497595d8f104

SHA256
1a12d26249eeeae47da1e537af90e01466b263cf283b91e1d28211de736d030e

SHA512
b8bce8ca3c6933d50420e2fa4b1878aa8ea5b0b4c152cbb5c7d606df18d2323c08531896b3c0cddcb8a1f8e79cd40ad880ed2cdbc3e0c4683a396c1acd1af3fe

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
422KB

MD5
b3365e21c8f5b515a6b70bb41bd8fa2d

SHA1
2d038859cb6be7ebe1e7c4e81f0f7d141153de4e

SHA256
088cfd6f5d0924b02d0141ea9165430e1fa148d47ba6cab41cb8bbbdd1f895bc

SHA512
d614d2482f602f1b716e57c9fc4d8244ca5303dac061cc9eb5e0b9417e6ac0549514af8fb8bbc9b80c9b9331639740eaacaa878c3fd6f2a7c16fd236eccba53f

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
422KB

MD5
b06858fafb75712740143348cc559e60

SHA1
3a9771639fcef2d9635712b2c78940ed07684f54

SHA256
56563c4edc95333e8bcbb55c1e6ec265939c6c1b75df7fbb9f1163e435579aa1

SHA512
de9c10db552d56136d090dd57928d6f8b8c14caca482e27423414e44ccef0a84f3c7c4acaf243ade66e731f04c33f804f509a934144aa06a81564fb415f6987a

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
384KB

MD5
22ae2d97c31a6c1c2896b622a37c17a8

SHA1
244dae6463957fa8a4d484e045bec3fc00d7090d

SHA256
830b72be2c01408483c6893a78b245056d7cddde8939d13a315696eb8f33fd4f

SHA512
4871e80e3909faf522d3e28d0ee6c67640ea026b152cfe30c39a41ad103cb27028ce4b04a0fc6418c749fbe20edc6055d1ee0bcf6286e6d542aec879443cd5c1

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
422KB

MD5
2bc07c5c33a9c4357ac8933017b7f7c4

SHA1
ad5377ad4102fc76057815e25f321d602e009434

SHA256
81eb7fec3cbc9ca03a47602ed6b8e37360e240dd556c794c21d4c1eedde36702

SHA512
5c4cc16c5177596aa614535792a081c2a2b6aa1def2c373543ea37416649d22f801b2bef808546672d737b879b99542f756aaa93d3ce59baea2da1dde6c3fa80

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
422KB

MD5
17254d09ddb3d3de791a61ea3f2832de

SHA1
8f8613fe0a85bf7f064f61c4ad8b733d127f2ae5

SHA256
96fad5fb9e9ea0738d103525733453cff9463bb4a45dd3ae51c8d4bf852e6036

SHA512
a457bb09a2b3e774158b80c19518a755ef132107fc1767ec7ab1252840d4847bb11e8f79a22e8072326cf3161f378d12803ddfb5ed8e2a78054423e6539ca52b

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
422KB

MD5
fb65d578414ceda1afc68fae83ab7c37

SHA1
3bd8b10f3f566f4bf9c48f58b2207fac586b9072

SHA256
32e653cd98d8c8a261c94f486ae38880b5432dc0b93e2f4a76b641f4b937e22d

SHA512
5fb73ab7b70e34c72433f35bed04642ed09a57811ec8480d25fc54d0223fd4834c9b127b6c405090a7341dc9449714c865cb346c95e8bfc1ed3dfac7d2affbe3

Download Submit
memory/116-499-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/368-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/708-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/708-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/728-577-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/728-60-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1016-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1040-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1060-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1060-650-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1268-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1268-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1284-603-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1340-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1372-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1456-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1472-470-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1780-480-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1852-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1860-1245-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1860-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1872-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1896-446-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-589-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2036-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-583-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2220-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2316-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2476-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-629-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2532-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2588-203-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2624-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2704-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-622-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-1368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2796-331-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3100-493-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3128-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3128-604-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3252-642-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3252-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3260-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3324-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3344-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3436-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3436-1311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3704-453-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3888-564-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3888-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3888-1387-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3904-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3932-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3936-571-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3936-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4136-543-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4136-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4164-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4168-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4240-616-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4240-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-590-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4304-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4320-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4376-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4396-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-464-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4412-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-525-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4464-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-635-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4756-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4756-557-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4912-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4956-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5000-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5076-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5128-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5240-1152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5292-595-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5340-597-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5424-610-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5504-623-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5504-1209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5588-636-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5652-643-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5732-1163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5796-1143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5800-1196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6348-1106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6528-1101-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads