99d5f42ef94b18bc30882965d6825a0b64341a480b486e879c9cbe9b12587922

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b49a9fe70f23f98131a86077dbd8adb0_NeikiAnalytics.exe
Size

77KB
MD5

b49a9fe70f23f98131a86077dbd8adb0
SHA1

b9b8ec431e96d2ee23b770b78fd4e88c173f1ed2
SHA256

99d5f42ef94b18bc30882965d6825a0b64341a480b486e879c9cbe9b12587922
SHA512

f14b0c8fbc10c457e59160708ab8c4b65649307130ab334b933ca75adc6b814bd82c91d1ed1ee84117ff752de9821bb62b8ba8ebf9e0761880d15a79c923a443
SSDEEP

768:zHhqsCdH+fVq6wBw8aFsMGFq4vL1NBQYf4IOjg2p/1H5pVeXdnh2F4g85+0ii3br:NCF4wBfhFq4Jnf/D2Ltcwfi+TjRC/D

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b49a9fe70f23f98131a86077dbd8adb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe

Executes dropped EXE 64 IoCs

pid	Process
4012	Llgjjnlj.exe
4444	Ldoaklml.exe
3764	Lmiciaaj.exe
1040	Mdckfk32.exe
4116	Mgagbf32.exe
2912	Mmlpoqpg.exe
1776	Mdehlk32.exe
2540	Megdccmb.exe
3152	Mlampmdo.exe
4688	Mdhdajea.exe
3180	Mgfqmfde.exe
4956	Miemjaci.exe
4512	Mlcifmbl.exe
3460	Mcmabg32.exe
1000	Mgimcebb.exe
2308	Mmbfpp32.exe
1532	Mdmnlj32.exe
2084	Miifeq32.exe
4796	Mlhbal32.exe
2212	Ndokbi32.exe
5036	Nepgjaeg.exe
4312	Nljofl32.exe
2664	Ngpccdlj.exe
3884	Nnjlpo32.exe
1868	Nphhmj32.exe
4064	Ngbpidjh.exe
516	Nnlhfn32.exe
396	Ndfqbhia.exe
64	Njciko32.exe
4784	Nlaegk32.exe
1196	Nckndeni.exe
3472	Nfjjppmm.exe
712	Nnqbanmo.exe
2072	Odkjng32.exe
2724	Ogifjcdp.exe
5004	Ojgbfocc.exe
2524	Olfobjbg.exe
1988	Odmgcgbi.exe
2272	Ogkcpbam.exe
4856	Ojjolnaq.exe
3536	Olhlhjpd.exe
2732	Ocbddc32.exe
2776	Ofqpqo32.exe
2188	Onhhamgg.exe
4244	Odapnf32.exe
3380	Ogpmjb32.exe
2456	Ojoign32.exe
4704	Olmeci32.exe
684	Ocgmpccl.exe
1116	Ogbipa32.exe
2228	Pmoahijl.exe
4892	Pcijeb32.exe
4780	Pfhfan32.exe
1348	Pnonbk32.exe
4584	Pqmjog32.exe
4932	Pclgkb32.exe
1200	Pfjcgn32.exe
380	Pnakhkol.exe
1732	Pqpgdfnp.exe
3868	Pdkcde32.exe
2884	Pjhlml32.exe
2068	Pqbdjfln.exe
4388	Pdmpje32.exe
5100	Pfolbmje.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Mdckfk32.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Fmijnn32.dll	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Mmlpoqpg.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Mdhdajea.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Llgjjnlj.exe	b49a9fe70f23f98131a86077dbd8adb0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Miifeq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5616	5388	WerFault.exe	201

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll"	b49a9fe70f23f98131a86077dbd8adb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Miifeq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 4012	1428	b49a9fe70f23f98131a86077dbd8adb0_NeikiAnalytics.exe	81
PID 1428 wrote to memory of 4012	1428	b49a9fe70f23f98131a86077dbd8adb0_NeikiAnalytics.exe	81
PID 1428 wrote to memory of 4012	1428	b49a9fe70f23f98131a86077dbd8adb0_NeikiAnalytics.exe	81
PID 4012 wrote to memory of 4444	4012	Llgjjnlj.exe	82
PID 4012 wrote to memory of 4444	4012	Llgjjnlj.exe	82
PID 4012 wrote to memory of 4444	4012	Llgjjnlj.exe	82
PID 4444 wrote to memory of 3764	4444	Ldoaklml.exe	83
PID 4444 wrote to memory of 3764	4444	Ldoaklml.exe	83
PID 4444 wrote to memory of 3764	4444	Ldoaklml.exe	83
PID 3764 wrote to memory of 1040	3764	Lmiciaaj.exe	84
PID 3764 wrote to memory of 1040	3764	Lmiciaaj.exe	84
PID 3764 wrote to memory of 1040	3764	Lmiciaaj.exe	84
PID 1040 wrote to memory of 4116	1040	Mdckfk32.exe	85
PID 1040 wrote to memory of 4116	1040	Mdckfk32.exe	85
PID 1040 wrote to memory of 4116	1040	Mdckfk32.exe	85
PID 4116 wrote to memory of 2912	4116	Mgagbf32.exe	86
PID 4116 wrote to memory of 2912	4116	Mgagbf32.exe	86
PID 4116 wrote to memory of 2912	4116	Mgagbf32.exe	86
PID 2912 wrote to memory of 1776	2912	Mmlpoqpg.exe	87
PID 2912 wrote to memory of 1776	2912	Mmlpoqpg.exe	87
PID 2912 wrote to memory of 1776	2912	Mmlpoqpg.exe	87
PID 1776 wrote to memory of 2540	1776	Mdehlk32.exe	88
PID 1776 wrote to memory of 2540	1776	Mdehlk32.exe	88
PID 1776 wrote to memory of 2540	1776	Mdehlk32.exe	88
PID 2540 wrote to memory of 3152	2540	Megdccmb.exe	89
PID 2540 wrote to memory of 3152	2540	Megdccmb.exe	89
PID 2540 wrote to memory of 3152	2540	Megdccmb.exe	89
PID 3152 wrote to memory of 4688	3152	Mlampmdo.exe	90
PID 3152 wrote to memory of 4688	3152	Mlampmdo.exe	90
PID 3152 wrote to memory of 4688	3152	Mlampmdo.exe	90
PID 4688 wrote to memory of 3180	4688	Mdhdajea.exe	91
PID 4688 wrote to memory of 3180	4688	Mdhdajea.exe	91
PID 4688 wrote to memory of 3180	4688	Mdhdajea.exe	91
PID 3180 wrote to memory of 4956	3180	Mgfqmfde.exe	92
PID 3180 wrote to memory of 4956	3180	Mgfqmfde.exe	92
PID 3180 wrote to memory of 4956	3180	Mgfqmfde.exe	92
PID 4956 wrote to memory of 4512	4956	Miemjaci.exe	93
PID 4956 wrote to memory of 4512	4956	Miemjaci.exe	93
PID 4956 wrote to memory of 4512	4956	Miemjaci.exe	93
PID 4512 wrote to memory of 3460	4512	Mlcifmbl.exe	94
PID 4512 wrote to memory of 3460	4512	Mlcifmbl.exe	94
PID 4512 wrote to memory of 3460	4512	Mlcifmbl.exe	94
PID 3460 wrote to memory of 1000	3460	Mcmabg32.exe	95
PID 3460 wrote to memory of 1000	3460	Mcmabg32.exe	95
PID 3460 wrote to memory of 1000	3460	Mcmabg32.exe	95
PID 1000 wrote to memory of 2308	1000	Mgimcebb.exe	96
PID 1000 wrote to memory of 2308	1000	Mgimcebb.exe	96
PID 1000 wrote to memory of 2308	1000	Mgimcebb.exe	96
PID 2308 wrote to memory of 1532	2308	Mmbfpp32.exe	98
PID 2308 wrote to memory of 1532	2308	Mmbfpp32.exe	98
PID 2308 wrote to memory of 1532	2308	Mmbfpp32.exe	98
PID 1532 wrote to memory of 2084	1532	Mdmnlj32.exe	99
PID 1532 wrote to memory of 2084	1532	Mdmnlj32.exe	99
PID 1532 wrote to memory of 2084	1532	Mdmnlj32.exe	99
PID 2084 wrote to memory of 4796	2084	Miifeq32.exe	100
PID 2084 wrote to memory of 4796	2084	Miifeq32.exe	100
PID 2084 wrote to memory of 4796	2084	Miifeq32.exe	100
PID 4796 wrote to memory of 2212	4796	Mlhbal32.exe	101
PID 4796 wrote to memory of 2212	4796	Mlhbal32.exe	101
PID 4796 wrote to memory of 2212	4796	Mlhbal32.exe	101
PID 2212 wrote to memory of 5036	2212	Ndokbi32.exe	103
PID 2212 wrote to memory of 5036	2212	Ndokbi32.exe	103
PID 2212 wrote to memory of 5036	2212	Ndokbi32.exe	103
PID 5036 wrote to memory of 4312	5036	Nepgjaeg.exe	104

C:\Users\Admin\AppData\Local\Temp\b49a9fe70f23f98131a86077dbd8adb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b49a9fe70f23f98131a86077dbd8adb0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\Llgjjnlj.exe
  C:\Windows\system32\Llgjjnlj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\SysWOW64\Ldoaklml.exe
    C:\Windows\system32\Ldoaklml.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\SysWOW64\Lmiciaaj.exe
      C:\Windows\system32\Lmiciaaj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        28⤵
        Executes dropped EXE
        
        PID:516
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        35⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        42⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        51⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        55⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        57⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        59⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        61⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3412
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        70⤵
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        71⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        72⤵
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        74⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        78⤵
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        79⤵
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        84⤵
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2116
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        88⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3672
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1692
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        93⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        94⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        97⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        101⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        105⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        108⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        110⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3932
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        116⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        118⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 404
        119⤵
        Program crash
        
        PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5388 -ip 5388
1⤵
PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
77KB

MD5
b31f731e9c0e04d3f53c4832795273cf

SHA1
e320329cb72a242c54caee3a88f56f1082a8ccbc

SHA256
42ffb382fdf7f0ff7626306ff8eed738f7bbffb08fabd3935a223623df9b5958

SHA512
ee70f36720036443f5064ed8d7be0c918783c3faf8b7d21ab9bf9d2985b05442c29370d452281b4d13bbd4d3d354adf2a573f0845c25618b13cb62bf68248ff0

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
77KB

MD5
bf53039e3e4fa6cffc95a296b51fa445

SHA1
50d72996ef45d26905fcfc5f8bddf2091b011a93

SHA256
0c629b36b53ccebbf06d35425f7e94d640338c927b3d6a6f53456aae9f8c6319

SHA512
943afb591c5aaea271a84dff29f171148ec09ebf33f847ebfa3d1bf86d68c5c7226319f18587e0b4750c28fbc108dfefceb3ac2414220099d1f3d97c2b2cf360

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
77KB

MD5
5d35a2c106370364efd7843a600b60e6

SHA1
e8af8512439593469f68f71fb7c8ad6e95f66ed9

SHA256
5d1409b570b5c0c094d1966d2a792f0967537710a4511ac7108b9601c43ec665

SHA512
c5fbde60a1cf6644ff5dd4302c8fa961e6e3721c725d311f82c798b4de40c8d663f6699e5672bc1ff456a6f293350017e5fadba612a1591ad286434e057ad94c

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
77KB

MD5
6f15fb2c76fe6497379db5d99a0bbad1

SHA1
046963180eb48310097a0825d20fd8c3fcded868

SHA256
ce4ed53ff734bc2490e96a38232bb7d9f5bd3f41a64da9c5697988efec50f1f2

SHA512
e34fb70a1f28f85b8a8f2656acee81c3af0d961bcc84dd12086c5c70714fc1fff48be1de6507672b14683014ef167acb77366887618ac303a22ae9282c54693a

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
77KB

MD5
a5e115f21b4352071bafa81bbef16198

SHA1
a4ee4e3a839d46a5f3d576dd73cb0bdeb1e4686c

SHA256
9f9152a79a275851a50fa304b335eaabdb72e7f580164c5b6594045dd8ef0f81

SHA512
4ed65833255b94959821c16aeb579074ce6d5abbd5db81f7cda65d8dfc30aaded87a7dbf3b9b3374d2df03c6665d1a03d21cc78128a6b677d299de5760e564d5

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
77KB

MD5
a5cc5d680f913c54a22c2edc5053fe44

SHA1
4a0dfe62f7c3b978ac578720dbc43ab712ec08be

SHA256
508967e05dfc462d589c86881f8bc62d4c2fb00c62bac7f47b26066d3f201404

SHA512
14c96ecd4451b72733a926739e9114849be5e0f2de300e1ce215b206844ed4ad885bcb4c63dae8690eaab61e11d05b0bc2a06d7c1c979a732731f36f3b6d15b6

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
77KB

MD5
f20ce4c99eb48893026ff63bc33bdef4

SHA1
2f6635b1683bf79d3da41c705c60823335caba3c

SHA256
84b75c926746b70ded71895c2d718a980a044f35b8a92faf6cd18f3a176ae1f8

SHA512
e94d2920227d24673e43088bd654cddae054b68998fb930ab40c2ca8adce9dfd87b76232b30d46e295cb6bc6a8a7c2421eb94e31cfe161e984df0f96245803b3

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
77KB

MD5
ebfb3e976bde8d718537b24844f61597

SHA1
06d11a8c8da638db26f3c4774d3e65bdd8e0a9f4

SHA256
1e3f31f3bc8c8a1589700b3a5102ec8276ca86b70d1613c45432679c414a05df

SHA512
20df2bfd41f074d61a496095d06a9aca28583c3964e7896bd924218f42ae355d3ea45750be727ceda74c992148fa93843b3871e485bb38e3e31d7ae0efd9bf34

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
77KB

MD5
b23eb5ccf19cb477d0a173c6d4c8e678

SHA1
32a28374688a2fc9bf7b07b9980f88de83217a03

SHA256
cb1a48b2863b79bdfa7a64a97b2f87fc59fc7732f02e1df136f96de6cd947ea9

SHA512
b917eca664881f54bb81b5eb33a8c63319551abc682d0c18cfa3ac382e028edc8786518e93bfd1da11ba07a70de91f6da1ee89ebb0e5befc949926292b001cee

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
77KB

MD5
f4721d38a12a95c6149aa10360886f6a

SHA1
587ac61a5684244b49813bda19288ece85a5fb60

SHA256
32fea1a2470bbbb0c837385e1b972f286715b7e5edf6a4f3b755d5fb14438448

SHA512
a63a95e1cf562c42c8a0c3c8128715072278994e797b988d42d73aab63e2accc7dae6598842037d69bb409a1639d3e3ad4948500e7a4fcd4aa6df7ad22a37ca7

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
77KB

MD5
e630f6eabab39e6b46a061ef12d91ed4

SHA1
74ad55bbedca893633b08c97a37ddb652197c54f

SHA256
c36201d21a768944de9ae41167fde2817648fc78cad2fea6b5703cae69a3e1c2

SHA512
f554729ee01decb40c04b27535dcc7eb188e507eca20221a23461a674daddc4822c3f30a81904e9ee47eb759cc12adade91497eb528e01dd26abfb8d8fb4188c

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
77KB

MD5
3d30aaa11887156efdb3948144c22dd6

SHA1
ce492d26c7e8f8ab74c6f7ea6ade154d25208e7b

SHA256
271c5dde117e8331224f2e2d4e7de479933480be55cc0a8b5a4c654f74f4e918

SHA512
a9d29fd518029a4aa3295f4186536d71c9d07077372b9b1533bd3fc0a39e1ad7e169c829db995a792c23e4c3005fbca74e3ab402e6fe49a545eba6fc61874533

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
77KB

MD5
f2e467c8f7a476711aa42f466b48e8d6

SHA1
3cbb4abd3cf381739652cd4cd593101c49d11d76

SHA256
15bedf82a8b357d9c71c474f61c4cfd5429cdbc2a2e15259a7af791a78ffa557

SHA512
5ce4cf969b4f913fce687fe61a142fdac202105c5e637dea77ceacbe882b8c226162a7844460dc034226ebdda50c75fefbaffb30ce30345c92da4cabd491afdf

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
77KB

MD5
4d64c5e5ab0c5e4846dbaf27e1679ea8

SHA1
0134bbd0423a4752d54e7d9592376ad8b891712d

SHA256
56781610fbfc6623a1a96220d5f1374586bd189b20e524cf539cda7085ff39ef

SHA512
55cce1d9033947832203e0bcdf4635b008195b00ae471d625f3f1cb194f091009a354ca842a163d2f5c075a82af94191db56217234f893de85119b1243c9d958

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
77KB

MD5
2b3536cbf75d3ba0770ad5445b2b709a

SHA1
c30eb1f77518d50ff0649695c968b9e6d639370b

SHA256
bc9d008d83f8dfcbf846c6801984b5191707d0848f73dc8e2c9eade7da33c789

SHA512
3defbf7b35a5613daf96de6b8a84cdf79e76b438bbf1e13fd403f49983f435b12f798a9a1d7b227bd6cddc7808d1d5c0bb466b17b549c641f4b272e278b629bc

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
77KB

MD5
c87a1b61c74efadaedfc7e1c19990e79

SHA1
17338d79831f288b20529542f78a1b34be5bda9d

SHA256
8326ac948a355d52f22ee3b963468120e9125e3247a8a6105c760574aae91b59

SHA512
e26bd54774ac8d8abfbe1ca059f2838d00e82fb1a04112eed908e1dfdc422211b910d4b729a3022a1bd7ec6d9b334b083d0751a97b80d7816133f67e322725cd

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
77KB

MD5
93dd55c7d1f398bfe02c25d902a87aca

SHA1
a7ad83e2d9cc9db80852efecc4d193b09eb9f25b

SHA256
9f702a5c48cabae16ed7c33c920d993e6c9a98b150d419349d2ab7c99cf2fd88

SHA512
dd3368b4a0ee995356b75b010e27376ad8810341fb48d5ca9ddae069c0c2ff225b700f4a8fb196dd251d765d188a2522a222fcb4f724ef4026d577dbcdf19506

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
77KB

MD5
694ebf9e543a3b97d66d06490ef25dde

SHA1
0f1ba21f52b3e5da143c76e24f96f4a6c6940032

SHA256
5891b37a13c66a78aa2f3647fdf8a45abfba563efbcc09691f1972e22817b9ec

SHA512
b820208ceb53b77015df26bf1c3587bb4e77b11799f09eb02554215553bf535796e26e5460d3d885bedb0150e27d73a06d44bdacfa953955005f32fd7ca439a7

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
77KB

MD5
fb8092b0db68a3f61fc30478050243b1

SHA1
3c29569a7f846f44b888ef75d8e4e9008e081257

SHA256
19399b72f63a25948727770fa9c188317b0a308c270c1323e24bfacfe03ced22

SHA512
24fd32544a993399082ef9e7655489c7df679239ea478b9c90e17a66ed3913c026f1d6dfa7152c5bd003c876a4c64cea64047bf12cd3341a1fbd50e981dc22b9

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
77KB

MD5
cf3c4ba33de2d3cb14e0e002e4de5dfe

SHA1
975256c0f2b57c6af5038eb3f6c84c4e27aab78a

SHA256
ee9958471c2cfd84462624d05ecc7e088310e4da8151962618dee30307fa57e0

SHA512
521c7248b13708d7ff869bd777d1f31926ab2b960bf616ed10f4dc31560e04a81b4d327c61708b878ddce8d78c1a950b08d7616dee43cd2c40734ad50f42b173

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
77KB

MD5
cb1e19948bd4785e8128fbf11876fe4d

SHA1
7946e2cd00f5e85ae23d949c6b5c2ca56768377f

SHA256
9dc70ed8c6004b0b66be341dfead1eab0123bbdba6535e485f09879beffed69d

SHA512
7de980a7e979ddb1f70a1eb91387ca8aa7744809b412fedbd72edbb9d12ad004dbbddf1a4bed217606ab6bc8355054a60e6a43d9a0cb3294003a00f2591df8d9

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
77KB

MD5
06888eca73a64727ab46ae6dbb7882b9

SHA1
776d923ba72be3bdf794c74e86483e0d0d1e67fe

SHA256
7a5be2f57e255dcb1ae7af6341028cfd974bc6486d6b1da3a73510bec4a3ebf0

SHA512
8a5a8542f7404703152b058257227283e825b4cb3df6c2f3ae62240a936f672b0c00304d11869d86ad6288400f97283935b5c271815afcf843e20b3d5041ff7e

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
77KB

MD5
ec966517e6f489a1a15c26e795a9db7a

SHA1
8e9b65497f5ab041985d859c9f143b71003a6730

SHA256
8c1230819d4fd504485f11a6173b70a288c1107eb58b161bab68390a76febaf7

SHA512
77e16b7d4d85c3e729dc37c207afbff2134a8edb8e4519403c146129d5a97bf4fc0672052f088695fda2b4fe21cf24fb178ce52e1dfd4db3d24929529c10ae71

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
77KB

MD5
a5f37da578912bd4626f1d8fb3386b74

SHA1
440f5b563fad86934832f41529d0e3dc7e2284c0

SHA256
372decbfd12d9f9de63b28ecead35203f9c33fa276e4a80eb182ec7608bf1d25

SHA512
2f3cbc06fbca5fed71b17e49b2f437631363e2c0b8ec1589f7b4e5d94f346fb6262c2a3202f3e5d32b4e5218cc986a436ae68029080bdedf6363f63456baba60

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
77KB

MD5
c7fa5ffe2116e20784edfd640d937ccd

SHA1
38ab53dc7902c769c9897fb1f686cefafca2339c

SHA256
5fc2848467b721a6f2dbf1cc67d63101a6f9a480bc31a04aca542bf091bcdd59

SHA512
011f724902923e48bb4ee75e4374ffe1e1e681f0157674bcf82d37baafb91429b76dcaa5d968569c353be86b1a602a3ee05a8d8c9dda8686e8b139a31a8c8105

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
77KB

MD5
9cb0a9f7f850562cf0a733151729244b

SHA1
7d13674e2d5151870cbe210a8ba89c20b526902e

SHA256
16a3a50429127838dc6607a3d42a343cd6bcbb83e2198016926283a5b12b4f09

SHA512
f7d4d43e1d50e3a392ca293222ecb02cb20671e4e8f5986d996a3568ba76d4de408076b710b381695a89fede950c722729462a79414546885de108d69189bd3d

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
77KB

MD5
d7d064b1c950784be46a8723fb36d930

SHA1
66d9b3fa4c40be5daa32109bb63a53167b455733

SHA256
ea5d1fe8ade668e65ef6230bf5d4cf2ba9862af6e70d03b32eccb5de7fbad0d5

SHA512
cd28dc833dde7afce7c57eace74bb35c50224aecc7f82589a6308cea828a0d9b40e10becb661d9f7d8963ce2dcbdcf8db15ba03ad0266e0e3824b6c4bdea6947

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
77KB

MD5
bac154c07f2b93bb09e13d0cdec2979b

SHA1
07904625afc99d42528f06dc197cead7604858d5

SHA256
503f12e1054f97e1901b30b6bc28d32cd9b17269816038e09d35026e475bdd00

SHA512
4a5d7f8d13e0ed3208d8dfc232290b8af500818fadd3606bc1e5c531da7161853ab44a0ddbe1bf8a95002685d18d5e08e2cfa3e02e3ed0bfcf37267e1643ae3d

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
77KB

MD5
80851f1213413dfa60464506fb7ef98d

SHA1
7bab160b47be25ca29b06fc9586bb073cea5dfa8

SHA256
3f8238118707a678c474e6dfa7c5de4e0c20e62dc151e8ef350726d1cfc0e040

SHA512
114c4347c42dec7638b5929ef42a8d6ceb68873ac8d3f64848c237ca6a12b277be762ebcfad907e0736ba89c4c30a190c102b8567b47b2a70f418770dfee5178

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
77KB

MD5
925a3984a2b78dddf44e808804973a3d

SHA1
eeab40d83602e161e6a103dd416c9fc4bf12766c

SHA256
742b2a7ab9c05d3b5d371e9f82e9feebaabd6f0911b4dbaf0f6b29955f35c477

SHA512
e3946729a8b71ed3dfd9944faf168f8634dd25382b980222b6dae0c4caa0bc4a66923662bd65269af8aa6af57262b3135105a1117111263d3f2ed4232bf00e07

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
77KB

MD5
f766238c73d0c680ad639623a535286a

SHA1
c772c4f43a8e12dd4f19ad9abd236205768ba101

SHA256
02eb74d40cf2070e19e441aa8f8a89eedd96938ea15e855fa910cf871d7eb1fa

SHA512
4b806711b37b765537925f51d2bf565886a1e6f5872a84435e7778891ca31db9ff74aa16aba13df00cf8919136f9d90d6506107b8dd3481d6caa6764e501ebbf

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
77KB

MD5
6af0132fa5593512bbdb09a5d4f4a61c

SHA1
4fc0a84afc31375d606445f16726e6e6ba699ea5

SHA256
045b06081661d2e7cd5aee31468b41ec116dd76cf3097949b4dd68c0ac07d578

SHA512
6a3f473fcaf308953ede2aa2abc5da41015126e72edf60c8d96ac91a4acde166f825f48f0903fa7d2ebd8a3eb3f99c733cc8322553c767b8e976b0577d9b5437

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
77KB

MD5
7a88e84673106cd37ff721f14e252d6a

SHA1
dd927fdd46e495944ec57834598a5b6cf7ed7ed0

SHA256
4737fcfe61c0179808bde428faccd9daff6bba513159ee3b79c4daa1ffe2b542

SHA512
b1fc8b1dab3733044539c50d3a0168ea14f4fc608e5d7d6996dfeac948235548a6f893a9eb6c360a3778a0bca403daed5b4421090ce94e5c2d306fa3b133e560

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
77KB

MD5
5def105e2430480e25b7406d6327848d

SHA1
e04d1e44e25010c717127494672486c7ccbcc012

SHA256
0da4317125eb3575865a0b922f40d227a54ab7802b008481e9ae707b766a0ecd

SHA512
737614c11045a042b9bf9dbfa5648319101b987807e630d8cc3ce6fd2d1d158dc3d235d7e286ccd611a2ab102a806e58054577fd050653451457152bd4d7d017

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
77KB

MD5
480c0b187e96d64b65b187a8ba66706e

SHA1
417bb0fa591e06842e00c421e871007a88770392

SHA256
ca3d0daeb109a1736bf53eba7b0c738ca147e54e24d4f98a30685aa601e9fe7e

SHA512
698fa80304eb458894c093fb5da287b02cc9b91cac0c86e21214e0ef336e592583977a3fe9c33f6ca1973aea2404b30a568d22ef68263a481e4e4a8405311f09

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
77KB

MD5
0341de28fb314daf99c33c359005c15d

SHA1
0f49e5c86ab97d3a843f3f3d87b998c8146aed7a

SHA256
783c7d0ec9fa4282cd69bde785bfd56944cf99431799368a49eb57cd9787a88e

SHA512
ca5df65b437bff11c5d003c45fb103a87f4a6e9ce8feb7998143be733afc48f27e833da28bf1ae5793e3082deefd2a87e1587284f5f1ffd62d9410c16fd94411

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
77KB

MD5
502a0dcaf5440717752fc6a543fe65a1

SHA1
0bbc7bab0715b421dbfbe11d2fd88f494e30f5f1

SHA256
d86a6061a93c576beb3104d4a37e9818e872166e0c21b6a67962b5353b466263

SHA512
8fbff50dfe1ea1187ca8f27d838449000f61c4e425c0a2c05d410930f828120f2cc1b7c22edaf25f135079a0cf4e0d3b4959a6e7bc13e175091783dd671faf27

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
77KB

MD5
e7ab5ee83bac6e76b0e0c92ac262fcad

SHA1
3d62ee0ba8dda1e2b6ac89a60ccd0ae78fb81e87

SHA256
2e58b291a74a7c38047917f7ddb9f224ed7bbc8d474982993e8a9b157440d338

SHA512
36e33c00a0abe15ba77b336f0139e3f48b54d34e7fd95752ef1d5e0fee668ad84dce5511350903601b1292099a8e54445e722c352e1fb24c9f86e3563975a325

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
77KB

MD5
9a747e27a9a8bf2e3fc37ce80ede96d8

SHA1
3b62cf84a18a0f2dbeca98891cd59b8ba653b8c6

SHA256
c0e8661e86ad8a41972132429845422b8c0268a34683b64ceb693e8feee688e3

SHA512
28aa1b8417850c4bbc8d604029d63ed8b910dd47e3e861ea0a2a1dcf6702a876d6afc27ee937358681ec21f01f383ea093aa1bf28aa9e810e305d053669397be

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
77KB

MD5
5080c99e205526464656dcec48c7ba04

SHA1
27e7eafa7adfca33739b270eff6be92f3872311e

SHA256
0d0dc7ed30c88c765d2d89c4a65593f0641e40525c52d1c53084aa47baa54ce7

SHA512
2c76fa9b2fcd60f9156f535d4d15427d20cee8b1dfb8184f48509c3af612b92436f959295d28c11376f8186890f79b4fc6a28cc9083069fd208dbc4849b96080

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
77KB

MD5
5e941445285019e3447fb6db18c8ecaf

SHA1
5bfd45828fc6ae661d6ba0799d7fd449f434d19b

SHA256
e9f81dc4bf5635b5f77db97526bde532f72aa29acb825843827db495fbfb5362

SHA512
a1d89f3d671fad5c6203e1e9a7be119c04e9f1679b890adb66b8341522704730219e8248dedb214747cb7242234acb60d32b5e8bc043bdf7252620a672c7681f

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
77KB

MD5
62b81eca062abdda87525100eaec434a

SHA1
f7375938748732f61080ed7ee495b7297e32322d

SHA256
7c617a7b6976b8215fb3e6d8d6003595be21feeb727a120b3079d432aabca1af

SHA512
9e275622adf323d1fb4b425d8fef3e26126b7f0ff6c67d4c4f5380c30b0a7e11a7d8bfc22d76d18d4d2d8767959e0908e0b9be15c838ed8d520eb11ec477359d

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
77KB

MD5
6f037fef2c8209175bb08042cf7c3969

SHA1
6298c7a56ede35d40d76ac40c130085f914ce28e

SHA256
3d25ed44c0fa7282f03fdd7e27b819365f6a3876b8446035c9a61820e44e8b8c

SHA512
ab6a1dca346094f8e4bd2e914963629a92a0e0233d44e85b5b784e0095435dab101fc271fc39724c4f0880924412d34f06c480a9195766a24d697ea456541ef2

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
77KB

MD5
5a2dbc25bfd5a9f52bffadce6dbc5af8

SHA1
6997b2d209fb1156892f057d9ca575d659e03a38

SHA256
f6a03db2f7da2dcee7907073a0ee0260d2bd8d7b3bcbad1a1273e4b59d949172

SHA512
4923f5ff6ac5e5422e2e1499d9b69b0ee99b7afa0b50a9b85d02d20a790c8f55981f9049a1de6b86f80465429bbb6a21010aff1863310478d0fd01753ad95ac3

Download Submit
memory/64-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/380-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/516-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/632-544-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/684-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/712-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1040-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1040-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1112-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1116-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1196-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1200-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1348-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1428-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1428-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1428-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1696-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2068-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2072-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2272-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2308-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2416-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2724-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3152-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3868-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3884-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4300-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4688-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4796-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4852-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads