ec4e20c5976bd7795062fa396f4c3cd8ca6c54ff9b24033863c072bc5e213c90

Analysis

max time kernel
143s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 17:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2306d838bc0a12d390aebfe9c20fa440_NeikiAnalytics.exe
Size

1.2MB
MD5

2306d838bc0a12d390aebfe9c20fa440
SHA1

a2598f5f1e2940124b09a208f0b1e1ed4d435c4e
SHA256

ec4e20c5976bd7795062fa396f4c3cd8ca6c54ff9b24033863c072bc5e213c90
SHA512

784ecca0fa117fa1a18f602bb6501ecdccb2d92e149a45d0121d860d091d1278944ee66adf2cf89011148633a2bb5002a24f3cb43f59dd2c93921ab55d8dd514
SSDEEP

24576:OM91k5hwq5hVW1nq5h3q5hL6X1q5h3q5h:H91vt6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djlddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beppmmoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dephckaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhgehi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpacfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbjmpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmclp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clqnjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cccpfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpedjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Commqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcgdfaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbjmpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehekqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2306d838bc0a12d390aebfe9c20fa440_NeikiAnalytics.exe

Executes dropped EXE 64 IoCs

pid	Process
428	Bbjmpb32.exe
4300	Bhgehi32.exe
4436	Boanecla.exe
2404	Baojaoke.exe
1888	Bifbbllg.exe
3272	Bhibni32.exe
1532	Bpqjofcd.exe
4608	Bbofkbbh.exe
4708	Bemcgmak.exe
1036	Bhlocipo.exe
2576	Bpcgdfaa.exe
1208	Bbacqape.exe
512	Beppmmoi.exe
2568	Chnlihnl.exe
3276	Cpedjf32.exe
540	Cccpfa32.exe
4352	Cimhckeo.exe
4052	Clldogdc.exe
388	Ccfmla32.exe
1016	Cedihl32.exe
3232	Clnadfbp.exe
4520	Commqb32.exe
4536	Cefemliq.exe
4768	Clqnjf32.exe
1248	Ccjfgphj.exe
1756	Ceibclgn.exe
4500	Clckpf32.exe
5100	Ccmclp32.exe
4540	Dhjkdg32.exe
3508	Dpacfd32.exe
3532	Dabpnlkp.exe
4760	Diihojkb.exe
4140	Dpcpkc32.exe
2356	Dcalgo32.exe
3836	Dephckaf.exe
4228	Djlddi32.exe
1312	Dljqpd32.exe
4328	Dohmlp32.exe
1416	Dagiil32.exe
396	Debeijoc.exe
2360	Dhqaefng.exe
3544	Dphifcoi.exe
4684	Dcfebonm.exe
3196	Djpnohej.exe
3664	Dlojkddn.exe
3496	Dchbhn32.exe
4700	Efgodj32.exe
4244	Ehekqe32.exe
3372	Eoocmoao.exe
1988	Ebnoikqb.exe
2464	Ejegjh32.exe
2736	Epopgbia.exe
2272	Ecmlcmhe.exe
468	Ejgdpg32.exe
2392	Eqalmafo.exe
3080	Ebbidj32.exe
3076	Ejjqeg32.exe
3896	Ejlmkgkl.exe
1228	Emjjgbjp.exe
964	Eoifcnid.exe
2720	Fjnjqfij.exe
2732	Fmmfmbhn.exe
4512	Fokbim32.exe
5068	Ffekegon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jilbbcha.dll	Cedihl32.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Bifbbllg.exe	Baojaoke.exe
File opened for modification	C:\Windows\SysWOW64\Ccjfgphj.exe	Clqnjf32.exe
File created	C:\Windows\SysWOW64\Dagiil32.exe	Dohmlp32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ccfmla32.exe	Clldogdc.exe
File created	C:\Windows\SysWOW64\Bhgehi32.exe	Bbjmpb32.exe
File created	C:\Windows\SysWOW64\Cedihl32.exe	Ccfmla32.exe
File created	C:\Windows\SysWOW64\Ehabgbnk.dll	2306d838bc0a12d390aebfe9c20fa440_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fodeolof.exe
File created	C:\Windows\SysWOW64\Ecmlcmhe.exe	Epopgbia.exe
File created	C:\Windows\SysWOW64\Fmficqpc.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Dphifcoi.exe	Dhqaefng.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Iopibhga.dll	Bbjmpb32.exe
File opened for modification	C:\Windows\SysWOW64\Fifdgblo.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Eqalmafo.exe	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Ihgjcg32.dll	Boanecla.exe
File created	C:\Windows\SysWOW64\Bejnmepn.dll	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Chnlihnl.exe	Beppmmoi.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Cdahgfpd.dll	Clldogdc.exe
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Ijaida32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Chkede32.dll	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ccfmla32.exe	Clldogdc.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Bhibni32.exe	Bifbbllg.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Ehekqe32.exe	Efgodj32.exe
File created	C:\Windows\SysWOW64\Eoodnhmi.dll	Epopgbia.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Cefemliq.exe	Commqb32.exe
File created	C:\Windows\SysWOW64\Lfmona32.dll	Efgodj32.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6656	6552	WerFault.exe	253

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knceql32.dll"	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baojaoke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgjcg32.dll"	Boanecla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Commqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chnlihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cedihl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Commqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqpmkibm.dll"	Diihojkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cedihl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceibclgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbiklpin.dll"	Dabpnlkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeafpaf.dll"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Helaah32.dll"	Bifbbllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beppmmoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgbbq32.dll"	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpcpkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihjpn32.dll"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnfol32.dll"	Bpqjofcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 428	1296	2306d838bc0a12d390aebfe9c20fa440_NeikiAnalytics.exe	83
PID 1296 wrote to memory of 428	1296	2306d838bc0a12d390aebfe9c20fa440_NeikiAnalytics.exe	83
PID 1296 wrote to memory of 428	1296	2306d838bc0a12d390aebfe9c20fa440_NeikiAnalytics.exe	83
PID 428 wrote to memory of 4300	428	Bbjmpb32.exe	84
PID 428 wrote to memory of 4300	428	Bbjmpb32.exe	84
PID 428 wrote to memory of 4300	428	Bbjmpb32.exe	84
PID 4300 wrote to memory of 4436	4300	Bhgehi32.exe	85
PID 4300 wrote to memory of 4436	4300	Bhgehi32.exe	85
PID 4300 wrote to memory of 4436	4300	Bhgehi32.exe	85
PID 4436 wrote to memory of 2404	4436	Boanecla.exe	86
PID 4436 wrote to memory of 2404	4436	Boanecla.exe	86
PID 4436 wrote to memory of 2404	4436	Boanecla.exe	86
PID 2404 wrote to memory of 1888	2404	Baojaoke.exe	87
PID 2404 wrote to memory of 1888	2404	Baojaoke.exe	87
PID 2404 wrote to memory of 1888	2404	Baojaoke.exe	87
PID 1888 wrote to memory of 3272	1888	Bifbbllg.exe	88
PID 1888 wrote to memory of 3272	1888	Bifbbllg.exe	88
PID 1888 wrote to memory of 3272	1888	Bifbbllg.exe	88
PID 3272 wrote to memory of 1532	3272	Bhibni32.exe	89
PID 3272 wrote to memory of 1532	3272	Bhibni32.exe	89
PID 3272 wrote to memory of 1532	3272	Bhibni32.exe	89
PID 1532 wrote to memory of 4608	1532	Bpqjofcd.exe	90
PID 1532 wrote to memory of 4608	1532	Bpqjofcd.exe	90
PID 1532 wrote to memory of 4608	1532	Bpqjofcd.exe	90
PID 4608 wrote to memory of 4708	4608	Bbofkbbh.exe	91
PID 4608 wrote to memory of 4708	4608	Bbofkbbh.exe	91
PID 4608 wrote to memory of 4708	4608	Bbofkbbh.exe	91
PID 4708 wrote to memory of 1036	4708	Bemcgmak.exe	92
PID 4708 wrote to memory of 1036	4708	Bemcgmak.exe	92
PID 4708 wrote to memory of 1036	4708	Bemcgmak.exe	92
PID 1036 wrote to memory of 2576	1036	Bhlocipo.exe	93
PID 1036 wrote to memory of 2576	1036	Bhlocipo.exe	93
PID 1036 wrote to memory of 2576	1036	Bhlocipo.exe	93
PID 2576 wrote to memory of 1208	2576	Bpcgdfaa.exe	94
PID 2576 wrote to memory of 1208	2576	Bpcgdfaa.exe	94
PID 2576 wrote to memory of 1208	2576	Bpcgdfaa.exe	94
PID 1208 wrote to memory of 512	1208	Bbacqape.exe	95
PID 1208 wrote to memory of 512	1208	Bbacqape.exe	95
PID 1208 wrote to memory of 512	1208	Bbacqape.exe	95
PID 512 wrote to memory of 2568	512	Beppmmoi.exe	96
PID 512 wrote to memory of 2568	512	Beppmmoi.exe	96
PID 512 wrote to memory of 2568	512	Beppmmoi.exe	96
PID 2568 wrote to memory of 3276	2568	Chnlihnl.exe	97
PID 2568 wrote to memory of 3276	2568	Chnlihnl.exe	97
PID 2568 wrote to memory of 3276	2568	Chnlihnl.exe	97
PID 3276 wrote to memory of 540	3276	Cpedjf32.exe	98
PID 3276 wrote to memory of 540	3276	Cpedjf32.exe	98
PID 3276 wrote to memory of 540	3276	Cpedjf32.exe	98
PID 540 wrote to memory of 4352	540	Cccpfa32.exe	99
PID 540 wrote to memory of 4352	540	Cccpfa32.exe	99
PID 540 wrote to memory of 4352	540	Cccpfa32.exe	99
PID 4352 wrote to memory of 4052	4352	Cimhckeo.exe	100
PID 4352 wrote to memory of 4052	4352	Cimhckeo.exe	100
PID 4352 wrote to memory of 4052	4352	Cimhckeo.exe	100
PID 4052 wrote to memory of 388	4052	Clldogdc.exe	101
PID 4052 wrote to memory of 388	4052	Clldogdc.exe	101
PID 4052 wrote to memory of 388	4052	Clldogdc.exe	101
PID 388 wrote to memory of 1016	388	Ccfmla32.exe	102
PID 388 wrote to memory of 1016	388	Ccfmla32.exe	102
PID 388 wrote to memory of 1016	388	Ccfmla32.exe	102
PID 1016 wrote to memory of 3232	1016	Cedihl32.exe	103
PID 1016 wrote to memory of 3232	1016	Cedihl32.exe	103
PID 1016 wrote to memory of 3232	1016	Cedihl32.exe	103
PID 3232 wrote to memory of 4520	3232	Clnadfbp.exe	104

C:\Users\Admin\AppData\Local\Temp\2306d838bc0a12d390aebfe9c20fa440_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2306d838bc0a12d390aebfe9c20fa440_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\Bbjmpb32.exe
  C:\Windows\system32\Bbjmpb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\Bhgehi32.exe
    C:\Windows\system32\Bhgehi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\SysWOW64\Boanecla.exe
      C:\Windows\system32\Boanecla.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\SysWOW64\Baojaoke.exe
        
        C:\Windows\system32\Baojaoke.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
      - C:\Windows\SysWOW64\Bifbbllg.exe
        
        C:\Windows\system32\Bifbbllg.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Bpqjofcd.exe
        
        C:\Windows\system32\Bpqjofcd.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Bhlocipo.exe
        
        C:\Windows\system32\Bhlocipo.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Bbacqape.exe
        
        C:\Windows\system32\Bbacqape.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Beppmmoi.exe
        
        C:\Windows\system32\Beppmmoi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Chnlihnl.exe
        
        C:\Windows\system32\Chnlihnl.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Clldogdc.exe
        
        C:\Windows\system32\Clldogdc.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        24⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        26⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        28⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        30⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        38⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        40⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        41⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        45⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        46⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        51⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        52⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        54⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        56⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3148
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        67⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        70⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        72⤵
        Drops file in System32 directory
        
        PID:3796
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        73⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4312
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        75⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        76⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        77⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        78⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        79⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        80⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        81⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        82⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        83⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        85⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        86⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        89⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        91⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        92⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        93⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        94⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        95⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        96⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        97⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        99⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        100⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        101⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        103⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        104⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        105⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        107⤵
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        108⤵
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        109⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        110⤵
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        111⤵
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        112⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        119⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        121⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        122⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        123⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        126⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        127⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        128⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        129⤵
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        130⤵
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        132⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        133⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        135⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        139⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        140⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4916
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        147⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        148⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3088
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        150⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        151⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        152⤵
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        153⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        156⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        157⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        158⤵
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        160⤵
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6252
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        163⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        165⤵
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        169⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 400
        170⤵
        Program crash
        
        PID:6656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6552 -ip 6552
1⤵
PID:6624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baojaoke.exe

Filesize
1.2MB

MD5
3ee946cd7e57c258417ce58b11370796

SHA1
d2e84a581dbbb3716f28745ff54ca2fbcad5ba30

SHA256
5e019b51d1ce4099ae9506389b4e6ffc8d8c487b6e9fb6d626a2df68921fd0d8

SHA512
ea48d5694be9b792ebe91102782ff873628dabc41be454379cda516a4edaa2cd6ee8b01600a05a0ceeacff4b65888bebc435953d49fc2df02060c899649554ed

Download Submit
C:\Windows\SysWOW64\Bbacqape.exe

Filesize
1.2MB

MD5
86ed3a08e7a921c013766281b218b40b

SHA1
90e9148b74b5df026a57f26392b34b48ef736d85

SHA256
e8df973eae21748c92d63819d2f1175db4a80fb612141ae9ac4e98b0dbe59944

SHA512
654aaf99b3189d51adfeafa2b6ec57ad04e3a57e3a718567062eee0f716501708e54e76fbb47a00b4c5f14f987fbf0fa5cc2356e49a87634b43622ee101ff5af

Download Submit
C:\Windows\SysWOW64\Bbjmpb32.exe

Filesize
1.2MB

MD5
92c9b70a4734c434fad48e7a0efa871d

SHA1
a94e3a2c9932c6decc10ece4ec4049f3021fae57

SHA256
42f2282967af274ce45eda003371bbf4cd2f5ae612990d396d724c7ec996e2ca

SHA512
9753f3bff7fa46f0fec2b61f6dd52f212a6d590eb3869567a1455889916a679af7aaa7515d8b304e8f52ee35a2ffa7bb431bce88fcb5b4bfa4b309ccb06d9aac

Download Submit
C:\Windows\SysWOW64\Bbofkbbh.exe

Filesize
1.2MB

MD5
bf8bf0022e5e8c1adebd11928fe90396

SHA1
53aa1a37568d74e37f5b550349fa6ffaf0b74c87

SHA256
5dcd7eba20494955f0a528b04b74a7ef195b92c3019f3956e2bb54147bb566fe

SHA512
94cc892c644f39d46389091bc2c4de407c4c856aec29a1d568d556bb3d79ccb8db42070e4f52351a970a76e78cab0ffc200483e0be77616f03673a14054e277d

Download Submit
C:\Windows\SysWOW64\Bemcgmak.exe

Filesize
1.2MB

MD5
bc3fb4dccd42a131d2d4701f6d2a3cd3

SHA1
5f10e288a6ccee48794ac7a0beb0670d5019f798

SHA256
4498778578348e19449ba6c562347b4fd0bfb2df07737d60b1e035d05d5937bc

SHA512
2e1ea3c7569832daa30791f6eadea8697656f7656f5e79ef7e929563898adaac26c3eafa5c897d0be65b28f729516960f2e6e26a0ffd1d1bce03ed3450157db4

Download Submit
C:\Windows\SysWOW64\Beppmmoi.exe

Filesize
1.2MB

MD5
a89b277dac12d25f578d0614c127453b

SHA1
060f672451356137e819574571024fc0b5d959eb

SHA256
ebd63340b8de7517d5051d2cb6a051ed60e778b5f33d09e2665cf015812e703c

SHA512
b1ad1611d11c59e0174a733882ec3e92384b4f1f2079c0155fb333ed34c22bb1c3fe3576cd2fdd64dd57ff4e31a880169fd32ab66ba7ac06d6e4d97e7a48f65e

Download Submit
C:\Windows\SysWOW64\Bhgehi32.exe

Filesize
1.2MB

MD5
25880c29c32fdbc4b728c5133dace1c7

SHA1
6239d4ce02612f17ba26fec9dee759354511ba21

SHA256
05513260d445d8cd651940bd1a5b7e0dfb8a31916ea6679adae142e365949b67

SHA512
33414422941a64a52ba4206c2c5ca51133a25a8233b804582979e132a0dea7d3bf58cd0218becec193927a24aba7bc9407b276e8b5279b8436b36b5f809fa567

Download Submit
C:\Windows\SysWOW64\Bhibni32.exe

Filesize
1.2MB

MD5
5c758998eafc52d5b5a637941be7a072

SHA1
5c257149ef89bf9857990ee20476aa65d5ead980

SHA256
244eb046ad86c4a436f5e034d7bdef36df72c9758f758dc509e2cae974d568bc

SHA512
aae073bf98aef755ef4d26c7e3cbc130ba0604a77b2a6fd5b6c5ce0d6eacc9f86d0d8c56fb8656df568a3182b377ffc7f828fe4a544bf4d15a4a7db8fdc941f5

Download Submit
C:\Windows\SysWOW64\Bhlocipo.exe

Filesize
1.2MB

MD5
f95e049122f7e3548a6b7ed6b792de98

SHA1
a79260ac76b24033a03f5968466a3b01af1f8727

SHA256
309b94fc0ec100dac026de647a104fbd7fbd6c4b33892ea5b30fe5dc7fcdd060

SHA512
5d2a3e3059f560c2619e931788f2bddde03c1e3c2f7800c45ef836a172e2aaf6052e0676be5725e4bf2424d0a2bcf8cfc7ba14fef5c0d311cd967d09e99d30b2

Download Submit
C:\Windows\SysWOW64\Bifbbllg.exe

Filesize
1.2MB

MD5
bf31ee61dc17c9aaf09a36d83bb0dd9d

SHA1
c144afa1c551b35c01b6421a9fd496386597e994

SHA256
7b1bc5b259ca99d1070b06f4e93862014824c99787e843107c0d3969937cfa45

SHA512
045a389964dd770adc8ac46f5bf59a8fbc218b2c8506b4fa9fef632e89c83f2fdc2f34562fc83ccb597d0497912b04c4f0e294cc9df3a18025c7b100d1aab462

Download Submit
C:\Windows\SysWOW64\Boanecla.exe

Filesize
1.2MB

MD5
a7f39bb006f5df287fd243875b9098da

SHA1
756e7c97d651aee7652f650f4c51e53c46d4b9d7

SHA256
7f5c94ca2d64e12b4a65d910179b7d562a4bb0e583f68510520e18650156ef15

SHA512
fa2509cdae3b1f7d5c33845d973f64f968120b5232e8d95304f357c10f3831f5b660004375fe7e091a4298a40e4cbca10a9fbba20b513aab55c5566180c9ac3e

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
1.2MB

MD5
38d86c696f7b04e3cd8971105752eb0a

SHA1
475bc28938ac07e46a7700573493b84ebc24e64b

SHA256
c5912fede901f4006a0760edecc55351bf9ff6b750c1d7366e4141f103f9566c

SHA512
95f4139b6be850929da1e8062827fcd2c492026b2be3c0ef1dc7f7aee7d72a15753b51a6b9c76f13d77f18d1a8ffe378c413dc1da213c0e1c559479a59323bc5

Download Submit
C:\Windows\SysWOW64\Bpqjofcd.exe

Filesize
1.2MB

MD5
0b8ab209ece2ba99d33f1d8cf151ea83

SHA1
84c9f3859efcdac721182e26b3ee16273488e816

SHA256
daa1c3cecff7ed151cbe71305fc8c53f2afcb482be3d84ebad26389bbd28193f

SHA512
deb2df971bebd2f6e3f803cf6f8337a9b586cc9b90d09895e99f2bce72e6680d0e6eced14f33eda1a4f2a8b2f0a74815263cd1aea060f3f1c557714f4e7541f7

Download Submit
C:\Windows\SysWOW64\Cccpfa32.exe

Filesize
1.2MB

MD5
00f066a77ea73cc48527ca3a42869737

SHA1
bd5f7ee3c8633e139356f0ddd099497ffbe1cd22

SHA256
bff8a95def5a0beed8df85815bb754d665f46bde1f7c6146087be615fd91b466

SHA512
9aa8d173f87dc81b1438105bde7c49c9d36db573ab5bf03c6d6a1965e11195cc29aa822f6da02f9027734fcc4bb65c59bbe09344267cd07a5d309cf063c0d563

Download Submit
C:\Windows\SysWOW64\Ccfmla32.exe

Filesize
1.2MB

MD5
fcf060680450106c6a1b77b7ad80a603

SHA1
9ee9fbbf9c939171e6e16d688ffb96446871aec9

SHA256
5d08d969db889870c71c0205b512705bf58bb9b34f402b61702dc7ba53aaac81

SHA512
b4e9de0f1cfc5ffc222b89903141c81217c878169ff0e6ba246a879a0b80f89dbbca0e0fe76d701b2217eebc039534746dbc60f18523fd618395135d5ba88d5a

Download Submit
C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
1.2MB

MD5
9021a7471904bdca8f91c06e9db388f1

SHA1
d38c0d384c7ba79ec81b8d67e628d436bcdcfd67

SHA256
00a82a58b93ee13d3da7585baf46ef41b0d57c5c003658c2c14faa0ce0b9e05f

SHA512
f5001778b769faebd7adc5a3ca4fe52ad3e49fe2d05bc5a384aa624e19c4ee82d2951a5bd8a7a7c6616df497d815dd4c0ad7da9988325375bece4e4baf3969c0

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
1.2MB

MD5
99af47679bfacecf2f415a0643757cfb

SHA1
9e5719bae60c90a5090a076bef2f9b399207550f

SHA256
e90436df5dc247223f9222cb591588b5351a83c224b312986076c1f687aa58ac

SHA512
58e27405130a63437a467de374f9d00eaa8707b816c5e7ff182c5967940656196172c7689c1278c5e3e81760f9ca0b253099d9cfd9e4040240d7d3a7ad27b532

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
1.2MB

MD5
096948ad9b204e7abe22c652a7b5d0fb

SHA1
9ec283a434961bbb72c1bf3f922aa1bc644b3b10

SHA256
9425543e2ab725b2ab5274d292075041e088e02d0c6e90bfd03ff3c5bb7559a3

SHA512
bb5468ce8af477ab8afeb540579fe0f96bb42986116f2263d2c4c589c88cf8a0eb58a78e686b176c66bc4ce10721ef67358f013b7d7ffb2ffdae01d1cc60be8e

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
1.2MB

MD5
19bf4e97524505674fbb27b3d61a113b

SHA1
8e4013d92a605cfcb1e4c12aecb299630d65fcd6

SHA256
05e153a6c66479faa7c53863b8a64acfb9ac253baa5c3be82751156fa0e90782

SHA512
4d2833ed2f2a92457d2bf256d1e9d08bf9bfd7767e3e797f0d320b50668068643948eff70c62a26e45a72242945717190979377cc90673aff3e06353d47e2c86

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
1.2MB

MD5
d5e6a20e6d28e0162e51f75e8e81434e

SHA1
24f25e8e63734ad33f9f868c580f1ff5b6e247f0

SHA256
dc631b33ceaaea0fac76ae75afee92ed084c912c0fe2c79b73f93667f05f7326

SHA512
4eaa5ac380d24207fbb10d472fb4dcb7702207eb4b951134df4ce3d710d25823c382b0d6cc941c98d40800f3d1baf1cdc3d3240d989fbd3d0516cdaffb794967

Download Submit
C:\Windows\SysWOW64\Chnlihnl.exe

Filesize
1.2MB

MD5
09a37f273e1908b4c7faf48a15a4ee75

SHA1
e7e542af42eb386edfcb146eb0e8dc917fa31963

SHA256
b2f728b6433cc1722d45e762e9cb46e476007f250146a239d0ba20af5fabfc1b

SHA512
552f67f4ba3d28a716250207d61fea67185ffa87fb1fb79d1dfef99728fecf708acca2fad0161edbba95c6383fda05f243f64d56b1ae13296b57d5cd4e2d65d2

Download Submit
C:\Windows\SysWOW64\Cimhckeo.exe

Filesize
1.2MB

MD5
7c0e97d9b40c1345d4228d2a7d0889e6

SHA1
2a80ada2ee24b87e29af6f0aa2c37ad43987dcb6

SHA256
656adebd4b4a3388e7a43657f6d5170c2f553eaca344aedb9c7d215139445550

SHA512
08dc1eca257c87eb287d3ea8dccacb5412c2681b0b29d54c86b45540a3e67a19d71954251ed3972c4fcc1ade6eed674ec26f9811753826b02bf2c96a2e2679b0

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
1.2MB

MD5
c505d42a1f377e9bb98b1178ca1b25e5

SHA1
621d985883b36335b3f3edfafbfeb4511016ed3e

SHA256
ea4cab78064af3c5e9bd2ade5e693b78fb2cc9233a0ff076d7c1d5d8586c6909

SHA512
a475033f210b0b1f5877ab3549b685bfc34de36eac09b627dafbc2322fcf7297c743790e885a8f940b48ce06f0dc0f44d426c693b7874065d531765983a8edd6

Download Submit
C:\Windows\SysWOW64\Clldogdc.exe

Filesize
1.2MB

MD5
9b793369aeedf5b1113a80f7c3ada53d

SHA1
31abc0d45fe7b8c3b9a338540abb0ccb3d79cfa3

SHA256
b07ddc61a77e0fe91299613448acc1d9570515eceba9737bfcac2d69b14a6411

SHA512
d0fd13171818409906bbf4ca3b8ffc3ff8d6e184e5b1f7e138f07cd1958e3de87ca11338b05e8ac170afceb5066e661ab8b0e7caf1eb3432f6ab243717337afc

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
1.2MB

MD5
36f88e3ef0a3934369b6c083c024fc92

SHA1
f99378fee85850d14d2665e07fb517a328fcc98c

SHA256
21fc5acc899c28c267f9b90f040242afabc1cd39f1131bd35b12fc3bb1376188

SHA512
80a78c4eee7921dddca5fb1217e1d0311b0720093ea44ceef441669fe4abbce77580d1b6cc789e9ae7b26eaf3db71b52d48e9a06c500893bb75cf59f95809de0

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
1.2MB

MD5
d1263043ada8bb588f8398b56a8d7b76

SHA1
9793011663127675e1ed1b4dd2662708654900e1

SHA256
22f745cf8a838ac234cd59546be1f414b61389eedf738b8d0421c3edfecc35d2

SHA512
305bbfd306845de2ba1c9a2ced46696fc46f555bcc66a6d0f9243bea554dfab3538d1a3501d7a8505f6cd76f955a7a494f5e37031e0dddbc52a21b91bcc7f641

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
1.2MB

MD5
51686ba614a32f3125d89f31aa4a4c49

SHA1
f437620243bb1bba4a577eaa12b01d8de4c112b0

SHA256
1637a40f64517cb23992389653ec2ed13fdbf2e6acd8c1a7301a8ee59382b285

SHA512
0f1a40dbadf730ac7714daef1e4ca1d14a7118fca8d43ab04c8af72344ef0afe03519fe33c66877f00f2c45c511ed781fcda69b0cb91e0ede550a9662f8e9485

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
1.2MB

MD5
77259a2a9c8995f2088b7cbccac24bfc

SHA1
2d0706fbd812a3b83b74087a836ab1d6d052bd78

SHA256
0b33ef8ab46987eea40550968fc5b440a9ba1b8b8e1022888e0b091cbcae3567

SHA512
70d62be978f8d1f2e49eb48796149b6df4b05e73164a2c5bbe30063b3b61aa0a6a2ac341c801b1b9eabd7fb7c8a56737977a54eddba2260bd540ef8735d12b6e

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
1.2MB

MD5
77d6946e94575be3038a81228048bd4e

SHA1
0168185d215ddae6902e880cd6c4c5357691d343

SHA256
3a73ac8c4e79b3c1674a5071aab4e2e343f38da79a700f03b4fe494d999da658

SHA512
d866f0d95db88223e9360e9b579d5dd30c9502ae34bd0b59460bf606f99c58edc5901a5df8095fc4086923f7db7b1dbb893bc5b7b38d18f6d60d1d26aa501944

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
1.2MB

MD5
b9af741c8bfc82d3c706abe9f0334eae

SHA1
ddee70e8310c1d29e3d2cfa9dff052970df69b88

SHA256
7f789b2f62cdfb612b75dfeef728e6ddcaf9974cdd3b6087d593b4b99eba5011

SHA512
03b3db516c63153b05d6a6c1d55ddac9d8cb8b102dcb2be7a71dc3d99ff85635836102427cd5e32d3e9ca3d8f0ee9e9123285733506e49d99921d64856c02e9c

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
1.2MB

MD5
2e8be63cce3af2b80236aa1b2b5f24af

SHA1
7451dc6c1482effc07a9a4fc797b56a535255a85

SHA256
8e75f9b9bf9ee1fbd5e0cf773cbd1cf65d6b1ea5714664c5a003391c397a9575

SHA512
c24664796377039fe8ee7e16bbf50c0c92f956abda6abcaae07378b7ea08b0fb4432b0393fd52dc852f83b963165fad55af71415082da327fc33a8a4655cd9fb

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
1.2MB

MD5
98e2709a3425932cb337c4e4ced4daa1

SHA1
4b2718694e3d61e95eb8e69fb432e53307280f60

SHA256
db7473fbf4981c900f9a52f603881c9198118df872d6c0cd55ca471b81d0ac63

SHA512
09c94def7c44601509ceeebefd28c0a42654e840e67e1e788f49d88b6b03c2640ad97069835209463257cf46f2abe131d51b08b696cc9a9951c0a76e88c3d76f

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
1.2MB

MD5
eaa6fd5399e0cf634387602d28e2f477

SHA1
fd80928d67ff3404ec875f54992de45f06ee88d9

SHA256
811245e7fbab0d0d983b0bab345f16bf1ac1cfb43f3689066ba7da07c91361d4

SHA512
d87f46c3f473f01bc8ec743b20adc87e0b9b99760ffca22e74ef97a776b8f5878c4152e0ffa746bd821a703d70fef7d5d6a8fa09a91f3d91b9b65f114e66ae60

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
1.2MB

MD5
343ff966ec65f5f911e25f26577ab9e0

SHA1
6861440c56cb9b2bb98031b4a582185bb305b5d2

SHA256
373152501a62167409ab86a171707a0b76dffc11b1ffaff476916d10dc761419

SHA512
1da91a294bc361dc6b67545def0338f6c9e60460983c7ae109c1bfc651ea2b724f066620b1cf0ba7ca5a71e5df7da945cbc9fca0c498e2d13d61c38d012629e6

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
1.2MB

MD5
e1393db46cc34b201a98b529405da238

SHA1
e01de7977cbff7a1fb686f8862d605a08c1d5d9e

SHA256
4c4f820cb49bf3051fb75376b8575f8a29e06d3494f9c2044dd21d1ad68aa953

SHA512
042aaa3a686899e62f99b3478abada5bd63cc922d50f7b09825255425b637f492382bb068a8a916847d53f2ba90c33420fdfa90482844efa84b1a848ab59d3fe

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
1.2MB

MD5
890067e6ce6857b5c1b59a7d2a346884

SHA1
b15bcee07faf4ff940b8d3e1348fc9ee25903ea7

SHA256
2cab58161b41fe446fdebfa6a5a96e07ef97d692df38c2d15fcaa16066d2dbf4

SHA512
c6e29a6c6a2153ab05a18f1dd0850c33fa3be751e76726919c68baec9810ee02de92952155a0869a52aaeccf5c154ac177bf1e7961890a1ce26e175231e79d8f

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
1.2MB

MD5
dff3181f614ebdc0fd3a7333457d1278

SHA1
3b92699b39cde51beb6446aa21f98fc0def556ec

SHA256
1c80ad5df9072f3ef3f7a1d46531dc523070c76d764b5261c666357fe9feade1

SHA512
7245baec91d3d1c5dce6d0b1de35b0055f181c05d69111e652a9764545ec562be3305eaa1192782240d5f8e46d103c4b985725910ad2185363a5ad189294a882

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
1.2MB

MD5
55564e7e111850bed23cac18d58250f9

SHA1
987c1d229d2790db4ba7189a0517c11448fba595

SHA256
29c27a44eb680a8e657ba85102e7c7abbfdd1d69cea8dd58b55e14038277ccf8

SHA512
598d0d1d79bcfa727f8b3d4ca5f79960104a55890d23be47c2ee87ebd559e12e35a4319ac56ad84f87d82916dcf4d9b90dd08e47812cf597c7c036bf686e6b49

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
1.2MB

MD5
d721bbc9ded235a82a971707a99d7327

SHA1
c65adc19dbb1e5109e4f5ef02485f34130107bd1

SHA256
bb0224db0e27726de270357ed1d67619d79976153c27c71e6d51a3bac7ba507b

SHA512
d82cdd11facb97f33d1e48ea96d4cebe568ce375e98951981b55dc16617ec33c0ce5d11fe20f295b805d487ea3cd1db1082687d705250b5906c77c901422de42

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
1.2MB

MD5
eaff0a09f6ba0416b4899ece1c5640b2

SHA1
5668505a68fa7ddf1aaadfa71265d89112da49e6

SHA256
77447d59541b650b551044460908a651e5ab1fb0837feffebf6c72e4bce2b5c8

SHA512
ea90146b6907b9de6403b1b412e7577be614821dce80295528dfa5e16293b72eea540e0a0738f33fcf9acbda04872c977f425b7268b3c01754ea9532b3365276

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
1.2MB

MD5
e31439b0a08faa82a04462d5331734e3

SHA1
c09ea91d2ae0ea7052feaa33ec63f907f7421569

SHA256
1863b281d5a1c0916fed15669977a7e293f355cc1e3b1c84804ec3f795f57d41

SHA512
442689508ce39d1d430bcd4fc3eeba8b59d81688f8cf35a31a981673f00857f328e21967cb070a17bf60c5c80eab2f92d41ce0f8ce6aee15e0036c3de78c0357

Download Submit
memory/388-723-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-745-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-763-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-717-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-720-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-770-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-724-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-714-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-716-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-769-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-729-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1296-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-742-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-744-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-711-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-788-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-730-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-709-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-756-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-779-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-762-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-739-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-746-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-764-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-708-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-759-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-778-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-718-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-715-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-772-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-773-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-761-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-767-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-765-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-771-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-749-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-725-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-710-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-719-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-755-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-751-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-735-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-736-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-747-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-750-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-785-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-740-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-786-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-768-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-722-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-738-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-741-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-754-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-706-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-787-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-743-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-721-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-1098-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-776-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-707-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-732-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-777-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-774-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-726-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-727-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-734-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-712-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-789-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-748-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-752-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-713-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-737-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-728-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-780-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-775-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-733-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-790-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5168-791-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5204-792-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5240-793-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5276-794-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5312-795-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5348-796-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5384-797-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5420-798-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-1104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5456-799-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5492-800-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5528-801-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5564-802-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5600-803-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5636-804-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5672-805-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5708-806-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5744-807-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5780-808-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads