fc59830ce77ee245a556aa9f61ab95336bfe6e8e23db5707338a5988e3039e7a

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac9e3c65e9e6a4548e1636101b17b1e0_NeikiAnalytics.exe
Size

89KB
MD5

ac9e3c65e9e6a4548e1636101b17b1e0
SHA1

a50b2a2f65fd82deda4b16e1d2ce6db6bc224788
SHA256

fc59830ce77ee245a556aa9f61ab95336bfe6e8e23db5707338a5988e3039e7a
SHA512

5f9fecf3dc3a1aeb13a4b85066ed800d14e45bd485ddfd6106272c2765e8320f1a6c298e28d73d4237a2187eb19e0486c8b008945cde53983874502f7e765232
SSDEEP

1536:k/c8DJJBy9kUA08Ocfa50hFXNCuHcxpc6pxZIbmsCIK282c8CPGCECa9bC7e3iaD:scgfUN8NJrX4uHcc6prIbmhD28Qxnd97

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehpadhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiopca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlmchoan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgepom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfghg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eppjfgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fooclapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlpfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfhbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaebef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhgiim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jleijb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebaplnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdlqqcnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbocfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebaplnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbagbebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckclhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klcekpdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehpadhll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Malpia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfihkqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmenca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dakikoom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjkaabc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbocfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqgedh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klcekpdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjdikqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipoheakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipoheakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iefgbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkjnfkma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kifojnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehndnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glhimp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njinmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlmkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnhoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jafdcbge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdnid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnoknihb.exe

Executes dropped EXE 64 IoCs

pid	Process
5028	Kglmio32.exe
3564	Lddgmbpb.exe
1420	Lgepom32.exe
3664	Lggldm32.exe
4768	Lkeekk32.exe
4928	Mkjnfkma.exe
5100	Mjokgg32.exe
888	Malpia32.exe
1044	Manmoq32.exe
2360	Nmenca32.exe
3032	Njinmf32.exe
3164	Nagpeo32.exe
1560	Oeehkn32.exe
2264	Ojdnid32.exe
4428	Olfghg32.exe
2900	Pmlmkn32.exe
3612	Addaif32.exe
4760	Bnfihkqm.exe
4716	Bnkbcj32.exe
4948	Bnmoijje.exe
2456	Bnoknihb.exe
4000	Ckclhn32.exe
4572	Cdlqqcnl.exe
4488	Cdnmfclj.exe
4344	Cofnik32.exe
2124	Eppjfgcp.exe
3236	Fpdcag32.exe
4084	Fnlmhc32.exe
4016	Gncchb32.exe
2344	Gflhoo32.exe
2140	Gbchdp32.exe
2436	Hedafk32.exe
856	Hlpfhe32.exe
3280	Hfhgkmpj.exe
4996	Iipfmggc.exe
4420	Iefgbh32.exe
212	Ipoheakj.exe
1128	Jleijb32.exe
2616	Jilfifme.exe
3988	Jebfng32.exe
4876	Jedccfqg.exe
3260	Knnhjcog.exe
4476	Klcekpdo.exe
2752	Kcpjnjii.exe
1720	Klhnfo32.exe
4112	Lcdciiec.exe
2116	Ljceqb32.exe
4988	Lopmii32.exe
1624	Lobjni32.exe
540	Mqafhl32.exe
3920	Mjjkaabc.exe
1884	Mfqlfb32.exe
3376	Mjodla32.exe
3340	Mfhbga32.exe
4396	Ncchae32.exe
4944	Ocaebc32.exe
1172	Paeelgnj.exe
2572	Pfdjinjo.exe
5052	Ckebcg32.exe
4088	Dakikoom.exe
3516	Dbocfo32.exe
4076	Ebaplnie.exe
1052	Ehndnh32.exe
3160	Ehpadhll.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qgnnai32.dll	Mfqlfb32.exe
File created	C:\Windows\SysWOW64\Gaebef32.exe	Glhimp32.exe
File opened for modification	C:\Windows\SysWOW64\Lddgmbpb.exe	Kglmio32.exe
File opened for modification	C:\Windows\SysWOW64\Lkeekk32.exe	Lggldm32.exe
File created	C:\Windows\SysWOW64\Mjokgg32.exe	Mkjnfkma.exe
File opened for modification	C:\Windows\SysWOW64\Njinmf32.exe	Nmenca32.exe
File created	C:\Windows\SysWOW64\Pmlmkn32.exe	Olfghg32.exe
File opened for modification	C:\Windows\SysWOW64\Jilfifme.exe	Jleijb32.exe
File created	C:\Windows\SysWOW64\Enndkpea.dll	Hnphoj32.exe
File created	C:\Windows\SysWOW64\Oeehkn32.exe	Nagpeo32.exe
File created	C:\Windows\SysWOW64\Akeodedd.dll	Enpfan32.exe
File created	C:\Windows\SysWOW64\Bpldbefn.dll	Oiagde32.exe
File opened for modification	C:\Windows\SysWOW64\Fqfojblo.exe	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Hlglnp32.dll	Jhgiim32.exe
File opened for modification	C:\Windows\SysWOW64\Mjlalkmd.exe	Mjggal32.exe
File opened for modification	C:\Windows\SysWOW64\Edoencdm.exe	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Edoencdm.exe	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fqfojblo.exe
File opened for modification	C:\Windows\SysWOW64\Gbchdp32.exe	Gflhoo32.exe
File created	C:\Windows\SysWOW64\Hbdmdpjg.dll	Jilfifme.exe
File created	C:\Windows\SysWOW64\Mjodla32.exe	Mfqlfb32.exe
File created	C:\Windows\SysWOW64\Imffkelf.dll	Ebaplnie.exe
File created	C:\Windows\SysWOW64\Nbebbk32.exe	Nmfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Apjdikqd.exe	Qpbnhl32.exe
File opened for modification	C:\Windows\SysWOW64\Ekqckmfb.exe	Edoencdm.exe
File opened for modification	C:\Windows\SysWOW64\Lggldm32.exe	Lgepom32.exe
File created	C:\Windows\SysWOW64\Cdnmfclj.exe	Cdlqqcnl.exe
File created	C:\Windows\SysWOW64\Dnbjkgmg.dll	Jleijb32.exe
File created	C:\Windows\SysWOW64\Klcekpdo.exe	Knnhjcog.exe
File created	C:\Windows\SysWOW64\Lobjni32.exe	Lopmii32.exe
File created	C:\Windows\SysWOW64\Fjohgj32.dll	Kpnjah32.exe
File created	C:\Windows\SysWOW64\Mnhgglaj.dll	Aidehpea.exe
File created	C:\Windows\SysWOW64\Chnidloo.dll	Bnoknihb.exe
File created	C:\Windows\SysWOW64\Hmlephen.dll	Cdlqqcnl.exe
File created	C:\Windows\SysWOW64\Jebfng32.exe	Jilfifme.exe
File opened for modification	C:\Windows\SysWOW64\Ehndnh32.exe	Ebaplnie.exe
File created	C:\Windows\SysWOW64\Ehpadhll.exe	Ehndnh32.exe
File created	C:\Windows\SysWOW64\Apnndj32.exe	Aidehpea.exe
File opened for modification	C:\Windows\SysWOW64\Kglmio32.exe	ac9e3c65e9e6a4548e1636101b17b1e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lggldm32.exe	Lgepom32.exe
File opened for modification	C:\Windows\SysWOW64\Hedafk32.exe	Gbchdp32.exe
File opened for modification	C:\Windows\SysWOW64\Pfdjinjo.exe	Paeelgnj.exe
File opened for modification	C:\Windows\SysWOW64\Apnndj32.exe	Aidehpea.exe
File created	C:\Windows\SysWOW64\Gejqna32.dll	Ookoaokf.exe
File created	C:\Windows\SysWOW64\Cjibekmc.dll	Manmoq32.exe
File opened for modification	C:\Windows\SysWOW64\Olfghg32.exe	Ojdnid32.exe
File created	C:\Windows\SysWOW64\Bndfbikc.dll	Bnfihkqm.exe
File created	C:\Windows\SysWOW64\Gceegdko.dll	Ckclhn32.exe
File created	C:\Windows\SysWOW64\Fqgedh32.exe	Fdnhih32.exe
File created	C:\Windows\SysWOW64\Cjkhnd32.dll	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Bcghdkpf.dll	Iefgbh32.exe
File created	C:\Windows\SysWOW64\Amhmnagf.dll	Jlikkkhn.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Klhhpb32.dll	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Kikdcj32.dll	Mjokgg32.exe
File created	C:\Windows\SysWOW64\Bnoknihb.exe	Bnmoijje.exe
File created	C:\Windows\SysWOW64\Ckclhn32.exe	Bnoknihb.exe
File created	C:\Windows\SysWOW64\Fbpcnkaj.dll	Fnlmhc32.exe
File created	C:\Windows\SysWOW64\Accimdgp.dll	Ipoheakj.exe
File created	C:\Windows\SysWOW64\Hnphoj32.exe	Hajkqfoe.exe
File created	C:\Windows\SysWOW64\Mnfgko32.dll	Khlklj32.exe
File created	C:\Windows\SysWOW64\Ndmojj32.dll	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Aqhblk32.dll	Olfghg32.exe
File opened for modification	C:\Windows\SysWOW64\Iipfmggc.exe	Hfhgkmpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6212	5676	WerFault.exe	213

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpncq32.dll"	Nmenca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cofnik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gflhoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkeekk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbocfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdjokcd.dll"	Kifojnol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejjaqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlglnp32.dll"	Jhgiim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmoijje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glhimp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpcnkaj.dll"	Fnlmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll"	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehndnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhmnagf.dll"	Jlikkkhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncgjlnfh.dll"	ac9e3c65e9e6a4548e1636101b17b1e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdnmfclj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnnai32.dll"	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadiippo.dll"	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enpfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmljnd.dll"	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apjdikqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaakdpkj.dll"	Oeehkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojdnid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lopmii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpnkbfj.dll"	Ljpaqmgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ac9e3c65e9e6a4548e1636101b17b1e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckclhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigbqakg.dll"	Cofnik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqgedh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhgiim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldicpljn.dll"	Fkjfakng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kglmio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmenca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedckdaj.dll"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiopca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbhcl32.dll"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflkamml.dll"	Lkeekk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnlmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbfan32.dll"	Mfhbga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njinmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgbdnie.dll"	Hfhgkmpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkncfepb.dll"	Mqafhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jleijb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haaaaeim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mneoha32.dll"	Jafdcbge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikdcj32.dll"	Mjokgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpbkngk.dll"	Nagpeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gncchb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oeehkn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 5028	3372	ac9e3c65e9e6a4548e1636101b17b1e0_NeikiAnalytics.exe	92
PID 3372 wrote to memory of 5028	3372	ac9e3c65e9e6a4548e1636101b17b1e0_NeikiAnalytics.exe	92
PID 3372 wrote to memory of 5028	3372	ac9e3c65e9e6a4548e1636101b17b1e0_NeikiAnalytics.exe	92
PID 5028 wrote to memory of 3564	5028	Kglmio32.exe	93
PID 5028 wrote to memory of 3564	5028	Kglmio32.exe	93
PID 5028 wrote to memory of 3564	5028	Kglmio32.exe	93
PID 3564 wrote to memory of 1420	3564	Lddgmbpb.exe	94
PID 3564 wrote to memory of 1420	3564	Lddgmbpb.exe	94
PID 3564 wrote to memory of 1420	3564	Lddgmbpb.exe	94
PID 1420 wrote to memory of 3664	1420	Lgepom32.exe	95
PID 1420 wrote to memory of 3664	1420	Lgepom32.exe	95
PID 1420 wrote to memory of 3664	1420	Lgepom32.exe	95
PID 3664 wrote to memory of 4768	3664	Lggldm32.exe	96
PID 3664 wrote to memory of 4768	3664	Lggldm32.exe	96
PID 3664 wrote to memory of 4768	3664	Lggldm32.exe	96
PID 4768 wrote to memory of 4928	4768	Lkeekk32.exe	97
PID 4768 wrote to memory of 4928	4768	Lkeekk32.exe	97
PID 4768 wrote to memory of 4928	4768	Lkeekk32.exe	97
PID 4928 wrote to memory of 5100	4928	Mkjnfkma.exe	98
PID 4928 wrote to memory of 5100	4928	Mkjnfkma.exe	98
PID 4928 wrote to memory of 5100	4928	Mkjnfkma.exe	98
PID 5100 wrote to memory of 888	5100	Mjokgg32.exe	99
PID 5100 wrote to memory of 888	5100	Mjokgg32.exe	99
PID 5100 wrote to memory of 888	5100	Mjokgg32.exe	99
PID 888 wrote to memory of 1044	888	Malpia32.exe	100
PID 888 wrote to memory of 1044	888	Malpia32.exe	100
PID 888 wrote to memory of 1044	888	Malpia32.exe	100
PID 1044 wrote to memory of 2360	1044	Manmoq32.exe	101
PID 1044 wrote to memory of 2360	1044	Manmoq32.exe	101
PID 1044 wrote to memory of 2360	1044	Manmoq32.exe	101
PID 2360 wrote to memory of 3032	2360	Nmenca32.exe	102
PID 2360 wrote to memory of 3032	2360	Nmenca32.exe	102
PID 2360 wrote to memory of 3032	2360	Nmenca32.exe	102
PID 3032 wrote to memory of 3164	3032	Njinmf32.exe	103
PID 3032 wrote to memory of 3164	3032	Njinmf32.exe	103
PID 3032 wrote to memory of 3164	3032	Njinmf32.exe	103
PID 3164 wrote to memory of 1560	3164	Nagpeo32.exe	104
PID 3164 wrote to memory of 1560	3164	Nagpeo32.exe	104
PID 3164 wrote to memory of 1560	3164	Nagpeo32.exe	104
PID 1560 wrote to memory of 2264	1560	Oeehkn32.exe	105
PID 1560 wrote to memory of 2264	1560	Oeehkn32.exe	105
PID 1560 wrote to memory of 2264	1560	Oeehkn32.exe	105
PID 2264 wrote to memory of 4428	2264	Ojdnid32.exe	106
PID 2264 wrote to memory of 4428	2264	Ojdnid32.exe	106
PID 2264 wrote to memory of 4428	2264	Ojdnid32.exe	106
PID 4428 wrote to memory of 2900	4428	Olfghg32.exe	107
PID 4428 wrote to memory of 2900	4428	Olfghg32.exe	107
PID 4428 wrote to memory of 2900	4428	Olfghg32.exe	107
PID 2900 wrote to memory of 3612	2900	Pmlmkn32.exe	108
PID 2900 wrote to memory of 3612	2900	Pmlmkn32.exe	108
PID 2900 wrote to memory of 3612	2900	Pmlmkn32.exe	108
PID 3612 wrote to memory of 4760	3612	Addaif32.exe	109
PID 3612 wrote to memory of 4760	3612	Addaif32.exe	109
PID 3612 wrote to memory of 4760	3612	Addaif32.exe	109
PID 4760 wrote to memory of 4716	4760	Bnfihkqm.exe	110
PID 4760 wrote to memory of 4716	4760	Bnfihkqm.exe	110
PID 4760 wrote to memory of 4716	4760	Bnfihkqm.exe	110
PID 4716 wrote to memory of 4948	4716	Bnkbcj32.exe	111
PID 4716 wrote to memory of 4948	4716	Bnkbcj32.exe	111
PID 4716 wrote to memory of 4948	4716	Bnkbcj32.exe	111
PID 4948 wrote to memory of 2456	4948	Bnmoijje.exe	112
PID 4948 wrote to memory of 2456	4948	Bnmoijje.exe	112
PID 4948 wrote to memory of 2456	4948	Bnmoijje.exe	112
PID 2456 wrote to memory of 4000	2456	Bnoknihb.exe	113

C:\Users\Admin\AppData\Local\Temp\ac9e3c65e9e6a4548e1636101b17b1e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ac9e3c65e9e6a4548e1636101b17b1e0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\SysWOW64\Kglmio32.exe
  C:\Windows\system32\Kglmio32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\Lddgmbpb.exe
    C:\Windows\system32\Lddgmbpb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\SysWOW64\Lgepom32.exe
      C:\Windows\system32\Lgepom32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Windows\SysWOW64\Lggldm32.exe
        
        C:\Windows\system32\Lggldm32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3664
      - C:\Windows\SysWOW64\Lkeekk32.exe
        
        C:\Windows\system32\Lkeekk32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Mkjnfkma.exe
        
        C:\Windows\system32\Mkjnfkma.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Mjokgg32.exe
        
        C:\Windows\system32\Mjokgg32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Malpia32.exe
        
        C:\Windows\system32\Malpia32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Manmoq32.exe
        
        C:\Windows\system32\Manmoq32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Njinmf32.exe
        
        C:\Windows\system32\Njinmf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Nagpeo32.exe
        
        C:\Windows\system32\Nagpeo32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Oeehkn32.exe
        
        C:\Windows\system32\Oeehkn32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Ojdnid32.exe
        
        C:\Windows\system32\Ojdnid32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Olfghg32.exe
        
        C:\Windows\system32\Olfghg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Pmlmkn32.exe
        
        C:\Windows\system32\Pmlmkn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Addaif32.exe
        
        C:\Windows\system32\Addaif32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Bnfihkqm.exe
        
        C:\Windows\system32\Bnfihkqm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Bnkbcj32.exe
        
        C:\Windows\system32\Bnkbcj32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Bnmoijje.exe
        
        C:\Windows\system32\Bnmoijje.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Ckclhn32.exe
        
        C:\Windows\system32\Ckclhn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Cdlqqcnl.exe
        
        C:\Windows\system32\Cdlqqcnl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Cdnmfclj.exe
        
        C:\Windows\system32\Cdnmfclj.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Cofnik32.exe
        
        C:\Windows\system32\Cofnik32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        28⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Fnlmhc32.exe
        
        C:\Windows\system32\Fnlmhc32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        33⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:856
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        36⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        42⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        45⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        46⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        60⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:552
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        70⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4544
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Hajkqfoe.exe
        
        C:\Windows\system32\Hajkqfoe.exe
        75⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        76⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        77⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        84⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5816
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        87⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        90⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        91⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        92⤵
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        93⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        95⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        100⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        102⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        106⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        111⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        115⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 400
        116⤵
        Program crash
        
        PID:6212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5676 -ip 5676
1⤵
PID:6176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:6604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Addaif32.exe

Filesize
89KB

MD5
b8b5e249e9bc3f3bb0995af19afb7a73

SHA1
d20704154dba366d1934e67ca53f8ae1b9204316

SHA256
5daea70f3cb4001f3571abae5c23c83c3661bc28a28c7ef9bbc3814853eb8e4f

SHA512
f90a82eb55152458383af93521d682794e7f44247107349440763e564ec935caa0959d0faf4347bce9c26720d7d5e58cef2d46ec2c4209f89440786e306db04c

Download Submit
C:\Windows\SysWOW64\Apnndj32.exe

Filesize
89KB

MD5
fe9084f77b9562fbf6981d8adc80fb3a

SHA1
644acfd82959689b39523d4927713678d7da91d9

SHA256
105998434de6710129378d351c8af345b749d516cc9cc309b029d72c2af147b9

SHA512
195dd408bd91c4dc8e0f130e9f37c55d975ed6a721778c69d7caf63ad952c5456f55842bcab91100ce96edcdec49d36031f6003a099a6188060725fecea1403a

Download Submit
C:\Windows\SysWOW64\Bnfihkqm.exe

Filesize
89KB

MD5
b085fcc49af6998343dbb960b15d75cc

SHA1
91a5fa44c7a5cf1a94aa3c171fad6bf846abf549

SHA256
5281748f58a707abe5b41aff77fcd4dddc4dc5e157170e51ece7b2704eac2976

SHA512
93f4297d8a478ccdf7f8d0a3e6372436ddc86b95d026a41c0078cfe5da9a2ae23354f890d44a694f43ba7ac98364e741df8bedab6bb82dbabe2e62fa96b33aec

Download Submit
C:\Windows\SysWOW64\Bnkbcj32.exe

Filesize
89KB

MD5
fee5c24c242651f50fa77d9bc870e76c

SHA1
2d2aff814503727a5af3db197610dca94738d861

SHA256
f76d0672563d6dbe4ef7a4aa26d9f6bde79214af388d6678eda839e3af8c1a52

SHA512
cfb45e818311bfcaf1645842c43d517fbe98cf37554f3a26070182bffcbfb4b0ca5274de118576d2b67efef0abb5a5384f4061fc9f0fe2d85d21ac0d60335213

Download Submit
C:\Windows\SysWOW64\Bnmoijje.exe

Filesize
89KB

MD5
1913b3829b44f1c22d7160b7eecf43db

SHA1
d4ac27dc918adb06905558bad422348bf4d56c1b

SHA256
db457fbd90624e9b91e46badaf26f11902343dec2ec1dc1ce460c4f4b1eab0bc

SHA512
5576b6368e08c648cdbf45e20b272bd20f3006f2fbe04f17a2ddbdfaba6a0752944a1b095b2d7f578e8d927ca29c17a33205db9d1dc0414ed88f051bf194b880

Download Submit
C:\Windows\SysWOW64\Bnoknihb.exe

Filesize
89KB

MD5
540b6cc082899470e2db372e267e535c

SHA1
e093b25fe290b700af5f8c32f85bff89a25b824b

SHA256
a8594f73fc3a21c2683ed6b86029ac78c1dfd3085854db457acb55974614f5ee

SHA512
977fc59b3bdc38caacc91ed0529cf47151d822844bb061fad8538fb036fcd086452816143e7016339b0eb1590e0687722bb1ada1b140b5fdbf087af70bf83a2a

Download Submit
C:\Windows\SysWOW64\Cdlqqcnl.exe

Filesize
89KB

MD5
952b1aa70f21b07b8616081fcbd2f675

SHA1
b134ce785c017d5e24f3fcd9943dfe43993c13eb

SHA256
e2fc2163b29fd49bfb77ec49397131dbf7d14632a75336ed6b51cb9f4e052f6d

SHA512
558bff7cd87c5fd0706628fcf5163bc9063b6b8d62710a3d5796ff3b74e3c51a5a87086b8cc0b13d6687b1b2200040dc22bd1de7f623d1ff2d6e6f86c209f0b1

Download Submit
C:\Windows\SysWOW64\Cdnmfclj.exe

Filesize
89KB

MD5
eb0f3faf67ae983b847f47cec81038bd

SHA1
5d659bcca783d6ce2ec5f613bd048407a379bad0

SHA256
e45c4124c7e0be65629d5a0fd7220e18220b7fbec6b07859b6030c6c3e9ffdd8

SHA512
9fe088da097c8af20e79ed77eec0ffd6baf92ab978f50370b990f51dfca7f199e7100c3fa3db0083aea0ce72c260749712d0cf50e70dd236576556cd6f7e8ced

Download Submit
C:\Windows\SysWOW64\Ckclhn32.exe

Filesize
89KB

MD5
f72bb355739a5bd90d93d5860fba5507

SHA1
9ee2677e71653409a3b22135f249552a9af484f2

SHA256
40d775de6381a057d11cd6c9ac7a6dd7b53bfd3d05aab30be35abfe26c163266

SHA512
03701ca680e2192eb1273ee3671e829c7699cc9adb52d1af299c2adff2a0bfff7b7e8681bf68678da36cb6b4c22df33325a9b77b4145eadd25c3c3b4a8d802ee

Download Submit
C:\Windows\SysWOW64\Cofnik32.exe

Filesize
89KB

MD5
3f5641bd835e189526183278f59f0e42

SHA1
42cc10960b5d1ed9b4e2098a5684dea6f4d8e51b

SHA256
fadbd84edf97dce5fce84f0f40cfa77d39711632190367a758d319f22eb887b8

SHA512
e6e487e5caff457151a32cdce0142f1598b8fc79687ce69f0736241cc393aac5cd7d8397b49c5be938e55fc5b6bf01f595931043a747595cdac63ab255571677

Download Submit
C:\Windows\SysWOW64\Ehndnh32.exe

Filesize
89KB

MD5
75dbeccaf1eda87c390e05cc779f35a7

SHA1
15b192f258bb0450c84669929d5a5332be8d77cc

SHA256
d4e75db4637382dcedfbad7c3de64cc0fb9161a7de38af3d83cd41f6630047e4

SHA512
48f39ff495364d71179b92c1eb3eeb767d5c6cd42f53bf627516f7ca2e9965fe78b4d15c7fadffc01e34bdb84b2fd611220316c130acb3097409544a34af314c

Download Submit
C:\Windows\SysWOW64\Eppjfgcp.exe

Filesize
89KB

MD5
5a769cd7114b5729932cbf052fb6a4d2

SHA1
a416f090aae2539d74d8a4e7006d745becc816c8

SHA256
b8183ec7b3ea7eedec14feabc3656fa6702231f2247419f9f035086017a4c693

SHA512
ca0439edbf8552d59c2988ca8d10b400b0b97401ef8a95992c71b0b70e1ffcc62a1ce859ca4730d94621465637880716ad91f7092b489a2e418fae6ae877e5a6

Download Submit
C:\Windows\SysWOW64\Fnlmhc32.exe

Filesize
89KB

MD5
4f9d0965f99957d4cce3367f1feecb2b

SHA1
b9697a3d4e5a800e0e26920417370869e05505ba

SHA256
1533e91a7a41f5a673d7c247b19a2a65d6412058ccb62a702420a80561c74709

SHA512
378ca36f6bcfcc9dd5861e333ab285b307b41c4bf093b1679b1b30768342039dbba8c5ca0cba58669ec9068afdd8c8ff73ecd87176a22bf3ecb2acdfe2e511e3

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
89KB

MD5
bd5a8aa09728c32ae63a7d698757d967

SHA1
74c3eaec4747cdb199a1dfe7da5d9f9aac8aa729

SHA256
f059b30870d7ede506d3b5cfb2bab077e55121be0c33fe60b47bd07b1f8b06c3

SHA512
f0121dbd22de56fe88d95873e5e69650132ab0c936238d76969984af62fa7f5669518d2b4f6a851d860d049bb78b38260bd172d80023c93a3f07ab269f17c877

Download Submit
C:\Windows\SysWOW64\Gbchdp32.exe

Filesize
89KB

MD5
50af0f93c68d816e0a863dc4abd4237b

SHA1
bcfed0106c259296d86ec136ba76bbe451392ad9

SHA256
dd207feea24fa97baa027a5fc8d998f5cd2d26e5d3120e94e92136c44028a396

SHA512
bba862cd0dccf970a5a570ce791ab6e56793868420ca9143c8d86332a47f42ec0354974c1829f47f66071c0e8378e7c15afea373a44aa35bdaa2a0f9ba37e1db

Download Submit
C:\Windows\SysWOW64\Gbnhoj32.exe

Filesize
89KB

MD5
661206f89a87d53fc4779fec51f679a7

SHA1
326761965dc8879d79829141e0159522a4326f50

SHA256
3cdf47bb15675e0d94033daaceb97c03dcce4c35bbdae7719365cd343db78cfc

SHA512
7ff76546f2d34613f6eed9b94add93e0b29a32736bfb02fd4fc2815500db3812a73bded9f3ca65e9a2a18ffbae1b32f0a1887fabc0f2b868db22d845da89e7a6

Download Submit
C:\Windows\SysWOW64\Gflhoo32.exe

Filesize
89KB

MD5
260019980173a68d4470dd63183ea542

SHA1
96dc9d9be677c7f1f7ec0da856de0c4bb919b261

SHA256
20a3515537ca233cc71dc3b68d79290fbfa078c0a493a23909a4e53aadc98599

SHA512
f9433a3093b6ed11174b13088b6788296a2131075996931b9c0da7751ebb95528425422443d5a3f7b8a6217abaa474be67721b48d6c12ea6a8f5a3f10b1c16e1

Download Submit
C:\Windows\SysWOW64\Gncchb32.exe

Filesize
89KB

MD5
059d4d07c6584d97056b74fdc5455002

SHA1
fd8c03123523a0b609566cc10ae1409a7881d5ba

SHA256
ca74218aedbe55df877ecdd5ece84122dc3492e61266745df53f9278c7376d5f

SHA512
c5316a789c29adc16ca9c51e57e6d480d4229469a9f03d6c1950b2ab622dd314097dbba6f2a8ce20bc1ffc1c79173d79e44546c74ddb9292217564f2a4a1bf65

Download Submit
C:\Windows\SysWOW64\Haaaaeim.exe

Filesize
89KB

MD5
537629f283e1af27a2dd4f0e784ff191

SHA1
6d7a5c3909392f8adf33270d84f435c97e72d747

SHA256
91937ca59e2aaa15ec3a873e368efbfdd3ca1266d5a53a5a7adf6590d5a085b5

SHA512
098cbd3952fb55c69786e46a563cc0e0ad4a728caed3ffc25954523906b34d0fe91d7cbb7c9fefdac9465ec162497ebff23e65627b5098a6f8b62fa4db7ef135

Download Submit
C:\Windows\SysWOW64\Hedafk32.exe

Filesize
89KB

MD5
9c638fb476d0e5f0097ff426cbc2a6f2

SHA1
b37b82dec46a5372f4b21ad4864546a0acb7fd43

SHA256
c5dd07204967daafb81bcc7e7eca51b559ec76dea88a54cec9dd1abed043d0b2

SHA512
3a41b7ee33a6a244deee5bf3be83e7ef80f997331e92511ed8cb91cfafc55ecdb2e861ab2d364f80215363dc234e0581dc9ed6cdcb768c186f34558ff87d146b

Download Submit
C:\Windows\SysWOW64\Hlmchoan.exe

Filesize
89KB

MD5
698a26419553464e69c1873f82fee9f3

SHA1
75a1f88854b1a22723ea46fbec21bf1a1f8b7aaf

SHA256
8a239ce6ed84f4c744e2459f1066d7159c3a4a20175cf3842a502dc34389c402

SHA512
35b341ec5247aad5cbdab3377244ccace090ffaf31d460e870fcc32d598f3fbffef5708c76128da47a8708366c0c6ca17f16e77a85c7ef4b9d21f5df0a5bf543

Download Submit
C:\Windows\SysWOW64\Hlpfhe32.exe

Filesize
89KB

MD5
8f6c49a326c4ff4d637483ee4f9be0f0

SHA1
54e2b7c3299596a47660980abd0012085bcbbc73

SHA256
c8469599472f1a976e86073fea2b3b27d1529873c92b530aa1fd8d0d7ffd42b7

SHA512
7fb07c583f1adf21ff0bc484276d52d865a1d545a20499069f7695433560c9d0481fe221cd1eecf3ce065c4234d315b0f788889c076f408638755754e96e50ad

Download Submit
C:\Windows\SysWOW64\Jedccfqg.exe

Filesize
89KB

MD5
b690b69766edf01f4000b934511833a7

SHA1
bfb445b11e63ec4a48aed7671d8ed50cab725ad7

SHA256
96fe8fe81c5432e58c3937882ee577b8a4b70fd0ce5525f59b94c14026b81fe6

SHA512
b8580b77c057d25d34983e73a2bbf5cc6665926c49e70b214b48b40d72757580a06aa0e9907bbb3cb6172a8aff4492ff4b88e759d120adfa3c6721986ec61862

Download Submit
C:\Windows\SysWOW64\Jhgiim32.exe

Filesize
89KB

MD5
b92ce4cbb83046ecdeeeb15d8fa77e8f

SHA1
06e305db5d874ffadb78a6f380e77d207095cdc1

SHA256
0dfc897b458c8318f5eb95ee12939bb2bfcb803a4f7edefdb24d81bb860d988e

SHA512
645e86cf3e52611118cabaf309bca1f43b996aebf571c02f8051a88bc7e3642c3b9433d96f96be965b3387a410965652ed45f8b0e624b25ecef0d2beca8121d2

Download Submit
C:\Windows\SysWOW64\Jleijb32.exe

Filesize
89KB

MD5
7b3b51de9669ae700ef9193063864f6d

SHA1
b73d6b757a825abe99d49bc10c6729c6999f8428

SHA256
38cec59156961bb9e237b15e6d4b0235393c9f7c9f138f0f1db946355e5fdb2b

SHA512
f9c75d8ddf44ce51b236e8d8df794440ea90d87a6a7373cbf3fbdcfd3a52a7767ebf689aad209930027aade71c4932177c2a6ebdc4de117a50167470e409bcd8

Download Submit
C:\Windows\SysWOW64\Kglmio32.exe

Filesize
89KB

MD5
7ca1a69789e74fe87e85cfaa5335ebb5

SHA1
b41f7597da7e936672087e6ddf1507f4b1d2c103

SHA256
4cd60c26e60387cda433f9ba513b036692b7616c322fa59ce93127328465fd4a

SHA512
d3f5be02e927979c02364ed166bfa81839acc7374d6dd920b6d75fb20a5e8ac1e83b7253de87b21ed3260c357809a791a3bc78a36a56263c1425f08d9947e7e8

Download Submit
C:\Windows\SysWOW64\Lcdciiec.exe

Filesize
89KB

MD5
2c3a0e88d6d76083f7e64f8d23064d15

SHA1
c376ecfcee50579285ec9d939d8d0100c49549e1

SHA256
9ed33256a0ba2dc681eac4df251bb6d9302f2b920f94f895b141a9a4411004e5

SHA512
002ce271ee2f0971aa51d0c5cefb3a4030493466b8108a51be0fff68313072ad11f644827be385833b5d0b0f6d39fcd2893ed1a3a11b33f5077112a80cf1f3b3

Download Submit
C:\Windows\SysWOW64\Lddgmbpb.exe

Filesize
89KB

MD5
f194926c2eac80caf5346da3b8f99a8c

SHA1
f769042629e1717fbf90a71d292027bc28878a99

SHA256
0b045eaacba06ce1064b952dd7305950c4e746fc818577fac0b3e85588b4e9f5

SHA512
e67244069bf696ea52f660871b769eb3e5b8330d4e329eac09cbec7160f76c8ad108775c7c61e0e34e4f54afbc00a342c956eadc44d0b6ba33834345f385da2c

Download Submit
C:\Windows\SysWOW64\Lgepom32.exe

Filesize
89KB

MD5
3a6b8dca87473cf9b819a1fef44f3087

SHA1
7fb44fe2e76d219119b01c45b2e69316fca3ae6d

SHA256
f489148ec9a93f96ba9e6952e56c73153b20ad2ad678fd64e772f3fcdaec298f

SHA512
ab4ec19b71b84be4786c35d94c9025f0827e8c2e1c65da961fb25bb46be90a835bb8f96c163413a4c225f4bffd6d05d1041895a55f13b40e5b4e2d405a9e2243

Download Submit
C:\Windows\SysWOW64\Lggldm32.exe

Filesize
89KB

MD5
f7ec765936298101b039adf8b2c15044

SHA1
ea610948d1e30fd7db2992f97e680c31a8144139

SHA256
6ab83823c3ebb98045c05306c9726468cfc5916ee7bd46c04141fa8e31de4e2a

SHA512
2f5dee81b3b71292a74b5faf20b84d4bac607e5bc3bed258d50bdf5b01fe7374dde12538107e72078b2e59e882162cb72c87666bcb4f7a1c04e8e1e83112f439

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
89KB

MD5
f077c96eda1d2b77a9b63c96c0447846

SHA1
e2607a54480b82a02e118b75ea0785be32917861

SHA256
d4825650a6a53c3f5ad53910be6a483cad8744bb59d4198cc3a75cf2a48244b0

SHA512
fc60ffa2cfaace79ed1d5ece21116fd1d84685ba53033e81a0b5d16fa95d5a99d90129e045d56dd10a5c4ee1dea74cded36c2be50ebc5c23c75568266e761c04

Download Submit
C:\Windows\SysWOW64\Lkeekk32.exe

Filesize
89KB

MD5
ec4c5fe743851fac47e74f35a84f6235

SHA1
b5d254c03f285bb1504790535df2be7395a7a54a

SHA256
72fd3b60242a23602739a661955dd31b5bbd20a69a1628955fc89179e2988f6b

SHA512
159809864ae6a473317519ebd9389b5c901414b5220f90840d233751c8afb1d627071b53827b43e50b786323de15bd568bec3503f4c1d399464ced90fbf9e0dc

Download Submit
C:\Windows\SysWOW64\Malpia32.exe

Filesize
89KB

MD5
6b3017f791a2dacf7aaa545342e8758b

SHA1
ac88f7cade9688bc27e233e5dbc789d0f096f41c

SHA256
fa738959b40cb5c9f9347d00c710db86bb2df62e9886ef182cf166c07620e43b

SHA512
f206f516ad02561e049bc219da882310ea79f747e1da097a60dcff176c670d025f1578b73e264af1b3b90d4a89d1ff2a49aeff5fddb6d1b1c243c516edbb8726

Download Submit
C:\Windows\SysWOW64\Manmoq32.exe

Filesize
89KB

MD5
ecb66b6ae4a3c2bbf24eed452f00070f

SHA1
0be4f0d502bef4117097ba6c7b9ad52667a9bd6c

SHA256
c5a487901e3eb322dc347dd0350de80c36fb980f478ad08b6d307487f2056b75

SHA512
37a5ae9520f838f58f644634343d510fc0531ec6d6caa1dfbb27470c5586edb0478ccedac42bda5bc48b74bf5acdaf5311eadbeafa1040f18350c5cd83df40d7

Download Submit
C:\Windows\SysWOW64\Mfhbga32.exe

Filesize
89KB

MD5
04034373cb10c1c222f79689da6710a0

SHA1
5ac633e6aab09266d069bbfc03b747917c527d3b

SHA256
7dedf300ff299e20a66aadcb8e62dc2ed723b01df572dfec50078405a79501f6

SHA512
cc15cf4378636078fe54a596e3e916726a73c5130e88d15767842f1bc2915b39259555e59982cc61d194f275b07a3df59bdb6edc6a98f73eb52f5ddb58de8312

Download Submit
C:\Windows\SysWOW64\Mjggal32.exe

Filesize
89KB

MD5
65866e0a94eae1a1226b8c187e08842a

SHA1
16bac548927866400a205caeb61789a54fa60d6d

SHA256
7b1fc5dd57a04977d2d559c8c199a62785c0d23efea445017819a7bd988dc413

SHA512
2cb86207b126c6b954ced3689ad7ca0587c80b71d11712f10fef37ef69545ea4f2d8205707eac333daa67aa6b8a74a1f02857987ba820ce482e86d485fa7a39e

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
89KB

MD5
3769b3595995498eeacdccc6e1aebe11

SHA1
49e8329e14de74bb1c4ef0f3b0fee80cac56c73b

SHA256
fe2cf49f75b7e44cc56f0864f036c67727c26fe0000961d63fe829669ffade8d

SHA512
d39260da0c01cbda64372a41191b19bfcab74650689fce3dee68cf7164e2aa0d38e44871487426e07471e39921287dc2ae54d1ac053daa102fbe7de44f2dc12e

Download Submit
C:\Windows\SysWOW64\Mjokgg32.exe

Filesize
89KB

MD5
153419ba57eefc352aad61e148ac83d0

SHA1
b229663b17e963ae9e7ef8bf07f2b48f2169925d

SHA256
ce769855dfa3a769f5b5031dc93b78494732eabbfa0a12417cb4057d1a93e189

SHA512
ac132fd8a4791c70b6e466066b41e1df2146ceb528d84f2c56388b812a0857b84ddb79d1c6694b20ef3c2a44a1e33f8c5bc65b8c59111c1d5b34991c41cc86bd

Download Submit
C:\Windows\SysWOW64\Mkjnfkma.exe

Filesize
89KB

MD5
7b4c99315f798e7c4dd8b075bd2fe4fc

SHA1
78077490ee72e378973cf38d0e6dfba2c37ca5ef

SHA256
e0cc2a766ad26d7853a8f7f20ce9065e4f31be090d93edea39363190d2ed57a2

SHA512
39777a8a50c02ad16bf4227fbfebbccb11fb846091e22656370498f7040318441f4ba0529acde4a5942bb8502e740342f8a209eddec4a77a0566a02d050b967f

Download Submit
C:\Windows\SysWOW64\Mpeiie32.exe

Filesize
89KB

MD5
dfe9b995d898a6f2cd7aeece2b2dec23

SHA1
afc85331304b7977c61a627bca8eea4034288ff1

SHA256
b3c3f52fa5244b94611790cfb53aac51d1cf5f0fe598d91863d022a78823cba3

SHA512
b4cd03002758b2da4fe8060f5a5239cfb7065badcff6e1d4e2ace468a842086e8945a99aa338e0086cdc4ba20729cd8124c01c9aeb4892c9fd0537f6e07f5ea8

Download Submit
C:\Windows\SysWOW64\Nagpeo32.exe

Filesize
89KB

MD5
b941ad0a83a361a1df654ff78df28a5f

SHA1
4b101edf81e8200bd2899fadba54b3ae59717b2c

SHA256
bccfba6a59e1cfa3772af2c626506721d1501bebf27116f11bedc7daa3520fcd

SHA512
14acf2416142d7110ee3a5d495b0edc610eb921fe702b89ffd82a91a17a51a3ad915982f4fc7bf8e5f6744e118cd8fb1b8d05b950d5dd03fbbba383561e9ddbb

Download Submit
C:\Windows\SysWOW64\Njinmf32.exe

Filesize
89KB

MD5
3ecf51fcb22d1b0ba4feee449d9c5b62

SHA1
8162fd9c05b9268ceda188377bb37e431adfe15c

SHA256
c6e7e3056a23d403aa51b111357c012c263e11a2fc31a828fc365c3fa4fd915a

SHA512
49c5ce457190d0e33f29c787a1097d629e0e6962496756941b69358ee37b50b2c3b16376d26ca0768af41e8ee578658b70dc53cdbf3819c842a9baf7e7846a83

Download Submit
C:\Windows\SysWOW64\Nmenca32.exe

Filesize
89KB

MD5
83127e98b6265393dca3f667185ba25e

SHA1
c441ad11e75ad0c7eda5c4ca15168e96fefbb8d5

SHA256
7f4cfaa24f7b9e1d5814353b5d97d7dc40857b2cb996f29dde8f434cd13c2b66

SHA512
8bb4a5e75ad7c9e0edffaaf9c613515bb63e00990e5438c1019f8bbb26d0ee14116c854e7c3b611b5b36c85b6311b8ec94598f5e25fde8561b749bdcdf605103

Download Submit
C:\Windows\SysWOW64\Oeehkn32.exe

Filesize
89KB

MD5
b00277bb1516006575178b69c00d9768

SHA1
586c8fcc826ccecefd484ee7bb8750c75487f72c

SHA256
9dd48f92cd734915bb69b44657e5790307a34371e862ceba8f4dcbeff02f9f5f

SHA512
1c26ee33ed9c9c40b67dca2b8f48fdb4061c33775a4074ce16ccf7d55fab9f7f9853eb04c586ba36cc46df739f652ac5761a15d891dfccef9875ce0f88fe202b

Download Submit
C:\Windows\SysWOW64\Ojdnid32.exe

Filesize
89KB

MD5
36ce428fc8ca1c30ff3d2199b9b8ebc8

SHA1
83110644afd2e29c8455de90d3c436f04d4a58d8

SHA256
53a61c8f3cf6ab685802e1bb12944999bc460337d16007467e47f04840809bd7

SHA512
3876499fcd0356d782ec9c178e24f6e59f0caab554e477753fc05181fef2c01b4428ff25d962542698d170bd1aa74e261d77c8b6d8a6ab05223593669f7868ad

Download Submit
C:\Windows\SysWOW64\Olfghg32.exe

Filesize
89KB

MD5
7b447c008ed3054cc343ba8fcb80bb8a

SHA1
894ece00029d60ea054b923d8f2dd6622c6db99d

SHA256
9fcd3efb942b70ae28eecf5713e8fb4dd03ee8b3a1603e4ae78773392efef59b

SHA512
34cb41d32621acdba2430d459ca2212c041236f1ac2fbda478c215b4920a88893a1b5a3070f988ab8d3237a030e533d507a224f080d0600def2e45cbbcfbd0b1

Download Submit
C:\Windows\SysWOW64\Pmlmkn32.exe

Filesize
89KB

MD5
275f6184eb0c3beff6819bc64abc73c2

SHA1
67b1cbdf6dfeca1c8c3f77582374d74678d739f9

SHA256
a36960ef90d16a29782ebe45e6d8730077359ab321189cbd843e35f1a984ac22

SHA512
e4b628db2bfb4001740110c26b71a3d56660c56bf5c0a07eba8c7ff7c571f66277bc16c560f9304dfe134d298608352d190db8b6792ba4ce4e1555be5d74606d

Download Submit
memory/212-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/552-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/856-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/888-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1044-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1052-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1128-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1172-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1420-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1420-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1624-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1720-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1884-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2116-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2140-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2344-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2616-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2900-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3032-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3160-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3164-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3236-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3260-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3268-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3280-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3340-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3372-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3372-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3372-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3376-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3516-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3592-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3612-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3664-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3664-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3868-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3920-375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3988-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4000-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4016-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4076-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4084-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4088-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4112-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4344-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4396-396-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4420-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4572-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4716-157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4760-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4768-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4768-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4928-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4928-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4944-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4988-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4996-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5052-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5100-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5100-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5176-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5216-507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5256-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5316-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5384-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5424-528-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5476-534-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5536-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5604-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5668-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5708-561-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5772-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5816-578-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5864-581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5908-588-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads