93a996d1678b94bbfce8465bdb1c93d2ffc6f09cb1652b50b56fce8ea3763c95

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae65d248bf5b93f13dc734e5101d7e90_NeikiAnalytics.exe
Size

439KB
MD5

ae65d248bf5b93f13dc734e5101d7e90
SHA1

989beb354e3e9790cccdd23505e1bba8bcb087e7
SHA256

93a996d1678b94bbfce8465bdb1c93d2ffc6f09cb1652b50b56fce8ea3763c95
SHA512

022ee29b6960e91c44def2af6ad96b486860ab3ca4c8bddbeb38e610c3ab4a7ddc7d62a77ed97e90eb7ebcc95db434cd6a4d9725635abd56a462fe7cb7f3444e
SSDEEP

12288:CBJjHPeKm2OPeKm22Vtp90NtmVtp90NtXONt:cjnpEkpEY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbjcolha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikhfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjodl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkikkeeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmhale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbeidl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe

Executes dropped EXE 64 IoCs

pid	Process
820	Gkoiefmj.exe
1208	Gicinj32.exe
1360	Gdjjckag.exe
896	Hmabdibj.exe
2924	Hobkfd32.exe
3512	Hkikkeeo.exe
1444	Hbbdholl.exe
2464	Hofdacke.exe
2900	Hmjdjgjo.exe
420	Iiaephpc.exe
3276	Iehfdi32.exe
3628	Imoneg32.exe
3668	Ifgbnlmj.exe
664	Ifjodl32.exe
2980	Iihkpg32.exe
216	Iikhfg32.exe
2004	Ilidbbgl.exe
4540	Jmhale32.exe
3520	Jbeidl32.exe
1484	Jlnnmb32.exe
4840	Jianff32.exe
4500	Jbjcolha.exe
4716	Jlbgha32.exe
2276	Jifhaenk.exe
5112	Kemhff32.exe
3740	Kbaipkbi.exe
3020	Kpeiioac.exe
3464	Kpgfooop.exe
4712	Kpjcdn32.exe
2972	Kfckahdj.exe
3892	Lffhfh32.exe
3204	Lfhdlh32.exe
4232	Ldleel32.exe
4336	Lmdina32.exe
4072	Ldoaklml.exe
2684	Lgmngglp.exe
1460	Lpebpm32.exe
2572	Lebkhc32.exe
3328	Lphoelqn.exe
2264	Mgagbf32.exe
5100	Mmlpoqpg.exe
4476	Mibpda32.exe
2448	Mlampmdo.exe
1732	Mgfqmfde.exe
1356	Mdjagjco.exe
5004	Mmbfpp32.exe
2112	Mpablkhc.exe
2668	Mgkjhe32.exe
4780	Npcoakfp.exe
4128	Npfkgjdn.exe
3208	Nebdoa32.exe
852	Nphhmj32.exe
3232	Njqmepik.exe
3592	Npjebj32.exe
2056	Njciko32.exe
2724	Nckndeni.exe
1864	Oponmilc.exe
2228	Odkjng32.exe
1452	Oncofm32.exe
928	Ocpgod32.exe
3860	Oneklm32.exe
2400	Ognpebpj.exe
3444	Ojllan32.exe
4032	Ojoign32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Ldoaklml.exe	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Imoneg32.exe	Iehfdi32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Hofdacke.exe	Hbbdholl.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Jbjcolha.exe	Jianff32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Lfhdlh32.exe	Lffhfh32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Lffhfh32.exe	Kfckahdj.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Lphoelqn.exe	Lebkhc32.exe
File opened for modification	C:\Windows\SysWOW64\Kfckahdj.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Elhcgeja.dll	Gicinj32.exe
File created	C:\Windows\SysWOW64\Ojhnmh32.dll	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Iihkpg32.exe	Ifjodl32.exe
File created	C:\Windows\SysWOW64\Imoneg32.exe	Iehfdi32.exe
File created	C:\Windows\SysWOW64\Jianff32.exe	Jlnnmb32.exe
File created	C:\Windows\SysWOW64\Bjjplc32.dll	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5608	5520	WerFault.exe	204

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqfok32.dll"	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll"	Ilidbbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbjcolha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdfonda.dll"	Gdjjckag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilidbbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicinj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hofdacke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqgbjkm.dll"	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qghlmgij.dll"	ae65d248bf5b93f13dc734e5101d7e90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ae65d248bf5b93f13dc734e5101d7e90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 820	1880	ae65d248bf5b93f13dc734e5101d7e90_NeikiAnalytics.exe	81
PID 1880 wrote to memory of 820	1880	ae65d248bf5b93f13dc734e5101d7e90_NeikiAnalytics.exe	81
PID 1880 wrote to memory of 820	1880	ae65d248bf5b93f13dc734e5101d7e90_NeikiAnalytics.exe	81
PID 820 wrote to memory of 1208	820	Gkoiefmj.exe	82
PID 820 wrote to memory of 1208	820	Gkoiefmj.exe	82
PID 820 wrote to memory of 1208	820	Gkoiefmj.exe	82
PID 1208 wrote to memory of 1360	1208	Gicinj32.exe	83
PID 1208 wrote to memory of 1360	1208	Gicinj32.exe	83
PID 1208 wrote to memory of 1360	1208	Gicinj32.exe	83
PID 1360 wrote to memory of 896	1360	Gdjjckag.exe	84
PID 1360 wrote to memory of 896	1360	Gdjjckag.exe	84
PID 1360 wrote to memory of 896	1360	Gdjjckag.exe	84
PID 896 wrote to memory of 2924	896	Hmabdibj.exe	85
PID 896 wrote to memory of 2924	896	Hmabdibj.exe	85
PID 896 wrote to memory of 2924	896	Hmabdibj.exe	85
PID 2924 wrote to memory of 3512	2924	Hobkfd32.exe	88
PID 2924 wrote to memory of 3512	2924	Hobkfd32.exe	88
PID 2924 wrote to memory of 3512	2924	Hobkfd32.exe	88
PID 3512 wrote to memory of 1444	3512	Hkikkeeo.exe	89
PID 3512 wrote to memory of 1444	3512	Hkikkeeo.exe	89
PID 3512 wrote to memory of 1444	3512	Hkikkeeo.exe	89
PID 1444 wrote to memory of 2464	1444	Hbbdholl.exe	91
PID 1444 wrote to memory of 2464	1444	Hbbdholl.exe	91
PID 1444 wrote to memory of 2464	1444	Hbbdholl.exe	91
PID 2464 wrote to memory of 2900	2464	Hofdacke.exe	92
PID 2464 wrote to memory of 2900	2464	Hofdacke.exe	92
PID 2464 wrote to memory of 2900	2464	Hofdacke.exe	92
PID 2900 wrote to memory of 420	2900	Hmjdjgjo.exe	93
PID 2900 wrote to memory of 420	2900	Hmjdjgjo.exe	93
PID 2900 wrote to memory of 420	2900	Hmjdjgjo.exe	93
PID 420 wrote to memory of 3276	420	Iiaephpc.exe	94
PID 420 wrote to memory of 3276	420	Iiaephpc.exe	94
PID 420 wrote to memory of 3276	420	Iiaephpc.exe	94
PID 3276 wrote to memory of 3628	3276	Iehfdi32.exe	95
PID 3276 wrote to memory of 3628	3276	Iehfdi32.exe	95
PID 3276 wrote to memory of 3628	3276	Iehfdi32.exe	95
PID 3628 wrote to memory of 3668	3628	Imoneg32.exe	96
PID 3628 wrote to memory of 3668	3628	Imoneg32.exe	96
PID 3628 wrote to memory of 3668	3628	Imoneg32.exe	96
PID 3668 wrote to memory of 664	3668	Ifgbnlmj.exe	97
PID 3668 wrote to memory of 664	3668	Ifgbnlmj.exe	97
PID 3668 wrote to memory of 664	3668	Ifgbnlmj.exe	97
PID 664 wrote to memory of 2980	664	Ifjodl32.exe	98
PID 664 wrote to memory of 2980	664	Ifjodl32.exe	98
PID 664 wrote to memory of 2980	664	Ifjodl32.exe	98
PID 2980 wrote to memory of 216	2980	Iihkpg32.exe	99
PID 2980 wrote to memory of 216	2980	Iihkpg32.exe	99
PID 2980 wrote to memory of 216	2980	Iihkpg32.exe	99
PID 216 wrote to memory of 2004	216	Iikhfg32.exe	100
PID 216 wrote to memory of 2004	216	Iikhfg32.exe	100
PID 216 wrote to memory of 2004	216	Iikhfg32.exe	100
PID 2004 wrote to memory of 4540	2004	Ilidbbgl.exe	101
PID 2004 wrote to memory of 4540	2004	Ilidbbgl.exe	101
PID 2004 wrote to memory of 4540	2004	Ilidbbgl.exe	101
PID 4540 wrote to memory of 3520	4540	Jmhale32.exe	102
PID 4540 wrote to memory of 3520	4540	Jmhale32.exe	102
PID 4540 wrote to memory of 3520	4540	Jmhale32.exe	102
PID 3520 wrote to memory of 1484	3520	Jbeidl32.exe	103
PID 3520 wrote to memory of 1484	3520	Jbeidl32.exe	103
PID 3520 wrote to memory of 1484	3520	Jbeidl32.exe	103
PID 1484 wrote to memory of 4840	1484	Jlnnmb32.exe	104
PID 1484 wrote to memory of 4840	1484	Jlnnmb32.exe	104
PID 1484 wrote to memory of 4840	1484	Jlnnmb32.exe	104
PID 4840 wrote to memory of 4500	4840	Jianff32.exe	105

C:\Users\Admin\AppData\Local\Temp\ae65d248bf5b93f13dc734e5101d7e90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ae65d248bf5b93f13dc734e5101d7e90_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\Gkoiefmj.exe
  C:\Windows\system32\Gkoiefmj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\Gicinj32.exe
    C:\Windows\system32\Gicinj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\SysWOW64\Gdjjckag.exe
      C:\Windows\system32\Gdjjckag.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:896
      - C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:420
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1460
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        41⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        48⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        59⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        71⤵
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        73⤵
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4560
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        75⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        76⤵
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        77⤵
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        82⤵
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        83⤵
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        84⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        87⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        88⤵
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3096
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4880
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        92⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        93⤵
        
        PID:688
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        96⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        97⤵
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        98⤵
        
        PID:728
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        99⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2996
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3900
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        105⤵
        Drops file in System32 directory
        
        PID:4736
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        106⤵
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4644
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        110⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        115⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        118⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        122⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 396
        123⤵
        Program crash
        
        PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5520 -ip 5520
1⤵
PID:5584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aminee32.exe

Filesize
439KB

MD5
524d976d2c48323752990d5f0341892b

SHA1
d26c32ba4d2ff55dc686159e752ed16619bc92d8

SHA256
74275a1165a3b5492f350b19a77d452fb3b7f03d395db7c1946067db4dbe54b1

SHA512
f7e6261bf696d01310d6b2a64f9f766a9684fc884f378994db6685a8c333da6621edaabefabe64d91639e9e874113cd7051ff6025b8a65c50f60ab06dbbe422d

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
439KB

MD5
c831155aefcfcfa2fd59b3736a9b85cf

SHA1
7f40bf37bb8436be07be3bf2dd0920e87d422f28

SHA256
5f3cc4453f5f7bceacebcc38573fa988abe6942eab1a2b859ac984650d6d7f6b

SHA512
010f88b4623eccb6ded96f22a7d87275091420f12a2946072a10ba3d90e46a538d3519b03c13698e45d845e73ec1054e7d0fc20122a1b5d862fc02917f187c42

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
439KB

MD5
93e1bcde430a153d53d9e9d101d10419

SHA1
8ab7ebca0bb7d7afa43aed322cc1d07028fefaf3

SHA256
f6baea6fdf3920c3483b39eff35546a2583415cd735f7038112b7d5e86113953

SHA512
e782073981377edf9e3517c9616d6c33663fd78849b24b2ef42c04b36b0f01225e460424b9841c53c4b8f3ae5e0b28087d52a91a4ad2655919555906d813a639

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
439KB

MD5
ef948742d58331bc32b62ee9c8b0dac7

SHA1
902a5c541e4e4c19ee614f4318ec0d9fff06e4d5

SHA256
dc0c3529a5693d00a3c5147451d56412789fec9d87782f1787e92ee903225717

SHA512
963644ead88a5a81a20b918690e4cb314ac329ad86de5f9a49c06ecadd638d338b3a86104a0dd38db823c5e7be1b81fd1f1bbf79fb5d0088371b7f08c197211a

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
439KB

MD5
42acf773fe670a4b47c05387f29eadc3

SHA1
930fe96434edcf398d84667d360406d267dc7a92

SHA256
15680ad37e3912f934fc607b2fdb95a7c43c3c13cf9e47e7787082fe97dead86

SHA512
66275e13c60bc4c5413fb8ba4a131dde3440ad7457b0403bcff47a20d8adc7d5b6f38560e3aaa15bbb8c16adc071250d45c6775cf46b0192799da9f2b7e92037

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
439KB

MD5
c0fde812bb45bb56b05699c3bdb7f4e6

SHA1
808eb551dc3854eba234f396a5fecdd1a88a3195

SHA256
b02ea5fdce4df02a864e197c37e3193765607af76e5aa8e5414b6829571e33e8

SHA512
e2cda42de5023a58e7f448e1f6b989c115018936591a2b91ba2170975ee057337e9143d3ee452a7764f0cdad990256edb17e3c4a8d75fb49b05d4cd99d15693f

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
439KB

MD5
a50f2f5cbc0339a910b5085740b7a59e

SHA1
a6a72e26224a9d0a2ab4a4148700b335bd5539cf

SHA256
e4d98df8bcdb47f91706c91d302a67a97ef6fdc54de3d5467b7364fa09d6db05

SHA512
f1d7d560fbddb024e528f398979435de45a388ea5402880d3b249d9c23861aaba86c55659272d5534972b03a54cc696a21c8d75c95db633d166e4dea69c37690

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
439KB

MD5
3677465d7b63b2c02885c5387afcc8f3

SHA1
fdaff013123982aab57e2c9ee6735d958a907129

SHA256
272cf2484bd8f885d00e3fc3b632ec227e259c578ccae1ea98b53f4e0f213357

SHA512
8571f8bc4704030df6ee06f2140a844a285df772e7c9143f12f7e66c4297bf489274fdbfed2884b383349369e58acded5dd62af685cd40cd7254117150090c75

Download Submit
C:\Windows\SysWOW64\Gdjjckag.exe

Filesize
439KB

MD5
b702909cdfdaead85987aa2ef52723b5

SHA1
18e37c0f4ed4e9a0116a7c85307e51c3c12ba5bb

SHA256
5385dea9f71aca8424057478fe93e480ea7ea34a88a2157fd2bdcb4fbd5e01a2

SHA512
bfc2f37791a589e4564b24ddbc60dcf873cd8df91f75e5452cfa01aaeadd16f85979be8b25f7485e469ae83b02709f687a23ce001afc57af041ec8dbe04859b4

Download Submit
C:\Windows\SysWOW64\Gicinj32.exe

Filesize
439KB

MD5
8315b090e0685f6ceda35d79664fcc39

SHA1
40452e77266c58fae43b9b2a21ec052f09fce849

SHA256
7d52ddc1c744ae8b6b39f8b05996a074cafc87ba29242984180d15fa00f1c8ed

SHA512
18fe0becbc84a84e5163b1b3b65aff8a7a1e05de529eaa839eedfe73d4bab4fd62766467259a5cd71650527e5786881bfce0107e7976e3e0c0d555ddc0042037

Download Submit
C:\Windows\SysWOW64\Gkoiefmj.exe

Filesize
439KB

MD5
0aee71ac5cc8c22a7df806b12951eb42

SHA1
c7f3ee4d942b1b56750ba31ee3aca26e24f27ff4

SHA256
d8cb5e8f2b4c834b39c02d94e4098da1139f957e53c7b3adc984361163cf311c

SHA512
2753c97fbcb30a4e6b68314682f072fc24582b2a7e15283b14d7c37f0ca06cdd3b687a2fc2deb7dcdcd55e5dd2279512a7edbb50ebda5e49cc0a846efbb82d5d

Download Submit
C:\Windows\SysWOW64\Hbbdholl.exe

Filesize
439KB

MD5
e00bdbee24858c4a19c4fdbe5192a106

SHA1
92f6a15b86a824b7faef3778cd34a59561003671

SHA256
3a015e9c4368e862d8df078349521046a5785eff683cfceb6b28e526b1be3456

SHA512
4d73ca874e4ab328dbaf449eb1ccf0bb3c948432ad33cde1332c2cd4cda84dcb736a984fa2c3b413ed0de279aa1ddeaf8164893e602b3b4bb39cb216f6132d17

Download Submit
C:\Windows\SysWOW64\Hkikkeeo.exe

Filesize
439KB

MD5
5f8b60387f4b3faa14151e982de999da

SHA1
089f0943a59fe9b0c7eb522382cfdbca9a8225ee

SHA256
675216e157900aa70b8d7d9204c18c6953ea2f1920544ac84c0b85346b848bb4

SHA512
5b0c8b79b152bbf0958a3e7549529c94165a996053439ad3bb6191c8dc58ed0fe06b8cd880698f993755d61966a03d0d05ea1ea5e9b8f88ab18c9d7fac66b5df

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
439KB

MD5
42a1b54984a42923f899c3539ca7d963

SHA1
d40369df2d1bbc50fd4ed5249e957384980cef26

SHA256
3e8de26f6814d6e8cd7aa7a167527d9dc3e3ed5a32d45262a80fcf8015a43424

SHA512
10eac9a9495d330c76d066041f527b7535249b2ecaa295afef237a3d1a339607cf175fec62957afaf8ce261904fcd2f68da944b22c59a1e4baa56bcbeb43ab17

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
439KB

MD5
f006545cbcb009112bb1cb9ae7bb2811

SHA1
cd98b15b8edbdcf100689a921b63a2aa8ed10308

SHA256
a4ccf54a2fafc557c362395ca04217d24b6346b8e97b77afd75b1537802876ee

SHA512
de8601b22acd48e28217180c6455285beb28f486c416058b877158d30f1c36bdfed2d276609bfba412f16955ec81484a3dab6ed83f33a31cf92e2264d862c6c0

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
439KB

MD5
0675b2a265f72d37dd815fe351cc046a

SHA1
e69d9b2ab41f61065b569de74b85b495f9bf5126

SHA256
fe66c844b2e32147031f3e581ee5fc38405668544e70bb00faaf647c1e699393

SHA512
d9bb713927deb240bdea8675b8bca662cdcbaf72afe0cfdc6d3d59b5fd3763799a47c0121a00e5e17ef0af253c741812ec1fce0785b6cb9fd6213ae773641d29

Download Submit
C:\Windows\SysWOW64\Hofdacke.exe

Filesize
439KB

MD5
150cb932032c28a5ee1fcfdc94466b81

SHA1
e8c921ca1dc270e3e008eac7410269507c4a1081

SHA256
1aa32da37e9edd734b5460dec08f01938b0b22a87ed77b49bda7da4d0446fa61

SHA512
37025afb0949196fd705e54a8f140ed25f60306f99531e016ff9c372729e0946581a30419446f7c00f874a4ef197b6f50be469c6b184dfd4a7d1c0dd3677983b

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
439KB

MD5
a12d2a08333dc968751ca53d4d7216c0

SHA1
910159bd0e5c9e7919e0143f3a22139e2998b577

SHA256
b2c70c5873802af5f1beb2c72561d3c608bac8b6f5d9783275e283a64771407a

SHA512
585355473942110cee9a6dd86478b8cbe9338073d4ed0b666683a7c6dcb218c8d5f16d2eed634f1a9cc4afb38895a38224d5a083b0e7cab62e2b02391af44747

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
439KB

MD5
e7dd7f9594706b7f9e99a9a4f55e589e

SHA1
30584bf9ddd8cca3f2ebe3d78a1178412d69b93f

SHA256
d461ff191109d6bf048a929fffbaea27c403a565e7ff4c3d617e3400418cdf71

SHA512
8e4975616031cfb00968d64629509ee10da471a7b8791b4aacdc25c333a6ed6ef94bab9fb6cd56a53d2ba8e0e5ba28c930094deea6ff6bf2449967177b4da6d8

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
439KB

MD5
f00e8e09bd78f707c5bba2fa6276b40a

SHA1
12c7e41ef1e202765760ae275855ed2793ad504f

SHA256
555fba7acbdd5dc191b5f9713306bd0fb9a5ee393d8d0645ebad319709c7dc41

SHA512
1f4f4810eaee33528b74ec507559c608ddc502d68682770acca1bead19ae018eb294b7cc0a1b3f0988b2aa3f129eb98439f022c6be938ae19feff33a301a2917

Download Submit
C:\Windows\SysWOW64\Iiaephpc.exe

Filesize
439KB

MD5
89815d3fc247cb824e6fc71da83458a0

SHA1
491b0f2f9c35091bbc4ca86d7fea85c821a5e8fc

SHA256
f1adc893329e0c8295222a49ac1e1023702a5f414a94814860c4b73fb751e41e

SHA512
a0ad5c7bbf4f93c68a806544b68874724149579aa2c99abf7eeb562e22c7c94aab8f042566070ebdc99f9f7a5d6eb8229c1749037dd1652fe2adfa7592d6573b

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
439KB

MD5
1e05f9b3d7cb2533b70eb0370eb8bfa1

SHA1
7a8a0a0eaa71d279a430b0f69d2b9fa1d65ecc9d

SHA256
e3bf4c47bd04ed98e2a4d99b9d470ddc24bb89ba4376dc9d980aecb3cbd88060

SHA512
70e71d2ef06b69a297ad2f044dae38a7feced6a3aef4ca174e74c6bafa3c1f2d27d01ebb5f2d4d92b3aed3f75149b1aff7c3d74af804775d1667ae78c3eabd9b

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
439KB

MD5
af037519bb29037db7b6ef034b6b7985

SHA1
e283f0cbc440f526f754cf6d777a3f46333f7658

SHA256
9fb3cc207571e17cce1f3bcf6cd6f9bd9ec23b1e69b0284ad43aea1317536351

SHA512
357da248329aeaed4cd9a02539e03f73954e8ccfae75b3373be9d6e6cc80bb827b1b0131c15925d66b8e7bbd5542578c7a6be9355e8a45751009733f5aa6b5d9

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
439KB

MD5
8680fd4b0d18f8133a9b5c2ab27086e6

SHA1
5f7f73743c75dc6b697bd271c103b500953a4677

SHA256
254ed2b686d1723af3634e0b89c60bc071ed1147f56152cfa580edde4f47f39e

SHA512
e26ed8cac524832b906c3ef50dcadf90702dbe1a13bb3c9165953c78af41d17e64dda40bc947bd906eeb115dfc78761060041ea61245cfc0019ea4f9c3df74b1

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
439KB

MD5
a65d147be65264398ef35afeee9e2390

SHA1
2249f828b35ec1bcc84c1a39e61a73d91742ce5d

SHA256
f17fc886b948f0b7bbd8fcd98a9fba0db6e65621823d9503f3c81310d3feee0d

SHA512
3c41237f1d8fd08165246df2275005e78c70f7a9838652c88511f4d3e5c7ebbeac267b5b8e51ffc40a5f237da27da930a5239bf8a1a428a4da51294945c4e3bd

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
439KB

MD5
9cc3f1477de84f3cf3e438b969b7a518

SHA1
a064c4f12fff65a3f3cd9c6d887a7a0230d8707c

SHA256
2c28dbac0cc1a1c057e2ad7f3d3b6dce707df4afe7bf86cae888fb9f7c5ebb9e

SHA512
8668cddec6b39ecf5f18a2d84e8bffec9b043eef0fcc949cdb7358b3b36b452a78978c3519e23674f5ec345965275d2ed727e90e6548ead08ed0d95d8b815b80

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
439KB

MD5
410da98af4194d8ebb1a1411600101b3

SHA1
2fa48d462a7dd66916def9d2d9b0a1fc1b47bd00

SHA256
66f669fe2f0fba0dfcd8a548565469b83e16710315128ec12bffaebf1f70be16

SHA512
5483c67457d2d86d001386c43267f83585eb65654c2ffe3a3f75897d02151d56f2fc95f0f9d84cb2c38948348ed214eb06e9cb4d8343afef760bc98c79ab788f

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
439KB

MD5
91bff70ff94286135cde3d54de8cfd25

SHA1
ecc5ee58de9ba94b0f112e8a8b7a92c0a0ed6fac

SHA256
ff0199758ec6c5a1c6267191f6654f14700ea84b14b12bf52d5b025bdde301d1

SHA512
654690c2d403d22644ea09449ad61506abcd39a102fdf6b4a4f158715c50d4a6d67314770b69c152280268a4a5ab2282f6591728e10df34f2c867050ba0624db

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
439KB

MD5
7737cacbe77509cd31d5430ab192dcf1

SHA1
b00a192ec3efb72cea9a70f14a2c1cb9573724ff

SHA256
6000b20ae40b1b876b26668744417e16a0cd5d849e1f95e8f9c66d04eb19b8e7

SHA512
25e88f88024d4d7c4c93bd2159b6a13d2c28ba0570be3349bd839b00c4f50ba53000fcd54573f19db09da3b3c235fe4ab47f86c12b83d111b437488fae9ec67c

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
439KB

MD5
9450785036b2f320302e136aa65d05f8

SHA1
453f2e76a992f97642e6135e5d44bc581ccce98d

SHA256
9800efaef1e9e4badec51e9eb75bf95be619c78a488cef2446766fc118cd62d9

SHA512
288a5f1dcee68e530466d4a3498a8d433bed3e3cb2fb7f32e9a909c160d094155c172538482167b3c4ce90e266e23aa9e6d427e268b4397771d086393740a3d1

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
439KB

MD5
17e65b25f67ee927447fdea9d4befe45

SHA1
5e1fd95a96cf0a5f63904c97635e2da3b1072167

SHA256
4a11a0f24dd1955bd4961711ad9fa7dc46123747872031683f13b9a18b376d86

SHA512
af0cc7e0eeaaa913f76b0f26cdeef68ac7e79aa3c3b53b5af88988c4091dd18cb7bda2b6989a2d0ba28e929e24cd13c029df1456e3bc4c350fe295234fdfb516

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
439KB

MD5
1eba6c80ddae050105b11a4687dc1381

SHA1
d0c211c8b39bc7f3ae22d8d63401df6a9e61b7a7

SHA256
d44bc794666c4bfd75077073e73f2b1dce7033d1cedef2a64761a0610bd0466d

SHA512
feab2a7020fc0f972e21edb167ff97f72364fd3351d3d4f108c3247947dbe353ec3a8bf9a5a08117a4b9288bd44ec6651f45cb38c52704829d101f0f651a12bb

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
439KB

MD5
573f943198c4603b3af50ad54325f001

SHA1
70c40269b41e7e2a09427bbd092e5276d8459d3a

SHA256
cedc3ef906b4b21d7d49a731b22145ff921cf0e844f295432d1fbb68852ca510

SHA512
c03ae0d0dec911355fa084f90321eefa8a5cca759ec1997bb88de0d73b5ffca9febe83c92db6e21ade2371feabb02f4c82d4aed38d0c2cac4fec81eb9550e0bb

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
439KB

MD5
1b6359960e7f8647c1a7627845629779

SHA1
13159f7b8bb9e58c9b0674ffd660b410f2a60863

SHA256
a39dc862005b0192a59481cf0d384d68e4a03c173554db9db4fcae09668f6ec4

SHA512
65452555d4d20b8ef4b1703f189516688dd2e6ac031ac9e86d7d4deb968b14693e4f4a846c5bc0e89ee6039206c4c7d84e12a113b148eace9462f601e9853e97

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
439KB

MD5
bc76daae15323425e77b4210d5d26cbd

SHA1
3a1c38f6440439a0f089d27a0fafe3767f85416c

SHA256
ac91e4ef52aa772ef75836b03aec2762a4e752e1fe9c889afca78754ce9a0a2a

SHA512
39660cb2d191acbc6490764dba186c2c42f20d4464268cf60ca1e430e5da02e1319cd9f9a1320c581dc16f9f58cf5d730e8e7b38b8ee51827bc6b01d5307736e

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
439KB

MD5
02be989751fd24c2f085ecc9ed8b579c

SHA1
2bf05987ea996f4e70292e57401d1b6c603016a9

SHA256
02734dc66f923207854f8693b33e4ab9ceaf78ece01df4b01316090ebc52b237

SHA512
54e62a039ffc3453e99af082a7d566998d3654cfa578b391c876101e4d09ccca22928c66d118ed20f5f02f699ae15fc76b5e37de03c45f4c63af577dbc2d2830

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
439KB

MD5
45c0e3df1e9488fb11db4d0b98fff510

SHA1
4746b7861a22aa393acfa0f374f1ac7ece057808

SHA256
2c56fe70777d9d64720618a90e1dba070c3e6df471151399e624f67e50b5a1f5

SHA512
96cdc7e2c6a76ece82308f707eb2d30bb5d5bd9d9be37741903550b3b17004809e2cd08457f76eff6d2447c851d847b511e1dc03543e74425bb914d78b96f08c

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
439KB

MD5
89ccfd2f010aca718f8760c8718f4b23

SHA1
6f4ec8e36e793237a7208fe701250ec97d6f3a72

SHA256
544ad48bebcfa53b6c00cbad4d095561fc37ef17b609b48914c8ffcea30caf40

SHA512
916c47fc28b61057da1dbbb92c75616e195703c34ee060ad153f1a89c7076d940323666883919e7c5a4f7351f4630f14e9eef97b19844bfd74ecea07060c1553

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
439KB

MD5
b4b227696dcf54967c28c73d3cd3da72

SHA1
1719557d10b4054e96b6fe254c8cc25b38e87eb5

SHA256
25db63a128dbf7929c749df052204a6a6f48f932a0994c6bb3a7e1ca837fbc5b

SHA512
63b7a662fae9b1b37888b9c802a173725c14ff679c8b70c9380dc342269697c95548c4d2edb395331995cd4e49b82c47beb4b394c79224fc4a7d992ea30e3819

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
439KB

MD5
dbcebb4d851780531f555585c3c0574f

SHA1
6e2c012049b60a9d8b6b3999cbd28326d41037f2

SHA256
7c817175fc36a33268b3d762ca2f41b69381b370bda26cfb4caeb1735a62f99b

SHA512
ce93116643cb0466d014c7b4aad5ca987d1181387934183702855f710068970c6f285077600502b2c4b713ef1cdd213608cec6d9a2528f33feec5c54781e1e9c

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
439KB

MD5
f19c8a90b09f1d84b415b34cedf2d5d6

SHA1
9c58b275d43f97c286ef23b4715daaf72ab5b59a

SHA256
0b5bb3f26417136b9241dc9c9411883664bf299e81c725dca5585b4a8de112c6

SHA512
9184569d3f592bcc04b0d424c372e80cd58de620cf167df12459062779a7299f8c7833991c9435b00cfe4b6f8644ca31ec9481b792bdb52642915ec348d92663

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
439KB

MD5
309cdc5577f583478c2408d3a80f5d80

SHA1
0f6e1635f4f88181ce504faac47c2f4a9b748c04

SHA256
451db50405f3861f89d486ceedc9d898fd0197c269dacef2eee60c432ce7c690

SHA512
93f56aa950a1d4f389b5fb8a490fe2a13b0a7ee983dc7f8e94c11af3b9ebe8fb496b0333f924d60b3f8f7c29c02937abcc4fcc9517d72af115eee59839a7bbab

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
439KB

MD5
cc354b03a83fdf7844dd09e605213247

SHA1
675258027c3460342ff15b0c16b29a9e2670bbdf

SHA256
e825dc3bc4f38e0a108444b81b117bc87a70d7ee388fa0c73ddacf9bd8ab6974

SHA512
cd5a32d85299c3c850d12fa912c5cf070a291eae89c5991100fe587762179ddaa318bddc8dd75ee038fb955df02e8d692e73175a64d4afbf1b15c25f4f147728

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
439KB

MD5
0a94b0da9f61215abdfea9ff60610039

SHA1
9af3969fe232492675fbeb6897c30c6c9b72bffb

SHA256
b081bd232242d094a25f5135fb99454a7fa7e1e702e4d5d2c2e1052b2e4908ef

SHA512
1cd24b3352378230f22976391965a120ddaa0bd28cc27942d7ef19143811f885a1ce04a64a7960297390d090f00f4ba82ba73506df5671f4f7a3d905bab190e3

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
439KB

MD5
43970da5859fda6370a4be863b05a74d

SHA1
3d905692ff9e07804e58e40c3f9cbaff9d2b087a

SHA256
0e232fbb80ee10710784bba80a19edc5d4a77e249dd24db2ea196b7977300f7f

SHA512
91ef4fd07afa101ef8a6be4f4c7145a477f76301cf462d31b371073a070ff0640a0f4dc29e9e73e523d1e3ba12b6484037318b01cdb538c6a9ad0c05726a9220

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
439KB

MD5
336a4f96ca98ab4579ba198d3f9424b6

SHA1
3c933ea3f6f807edda6f5aa2af79c01b92453556

SHA256
d8a8c164371d92f8ef5eaf756c76a4e175aa056574795cc6adfac4c7afa5a817

SHA512
f44eb3a62af84a4059d4f480a9b82652e0a3d2727d535f098247211fc21a58922c2920a06b00cbb770674218e51e71c410ce98b63f8a12fec2527dda93a95799

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
439KB

MD5
f19381562d5afb2559012df71f13bf9f

SHA1
f1044d2786a98809a3e0fee3d78d9b25fdf05544

SHA256
fd4fbbe4a94a073efc1b02ea95693cac9a260107030bf8bdf57ef6b1e951c7e1

SHA512
b331a4bd90ba4f76ff31bf887d06bab838e40228f3745fca71619bb7b25fdd709aed3f61af68cb360d9cff5d0d0737f9105e9d6edd8b00d35c41c5ae1d2fce02

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
439KB

MD5
83e6f1bb2129395794362031ca51ede0

SHA1
3793db6bc406c468b8fa4338aa6fcb906dba898a

SHA256
6c6f70ed198bae8a0caf34f89062281db2ba7e0e47bd523dae67c621d47fce17

SHA512
4b0a5e4f77a8956463e03635a0f72553385c0ac1118e253a27e84fda83f124670a119bb0a98b33f4d9e5d74418b4689864635b6b69793325e0e659cab951547c

Download Submit
memory/216-128-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/420-606-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/420-81-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/664-112-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/820-548-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/820-13-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/828-476-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/896-1036-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/896-567-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/896-33-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/928-424-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1184-518-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1208-554-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1208-17-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1332-575-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1356-334-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1360-560-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1360-25-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1444-592-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1444-1030-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1444-57-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1452-420-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1460-286-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1484-160-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1536-524-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1640-470-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1732-328-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1864-405-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1864-929-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1880-535-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1880-0-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1880-6-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1988-851-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2004-136-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2056-934-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2056-393-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2100-536-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2112-346-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2228-927-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2228-411-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2264-304-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2276-191-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2296-568-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2324-482-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2336-510-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2400-435-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2448-322-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2464-593-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2464-69-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2572-292-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2668-352-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2684-280-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2724-399-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2900-605-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2900-73-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2924-574-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2924-40-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2972-240-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2980-120-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3020-215-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3096-594-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3096-868-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3204-255-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3208-370-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3232-381-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3276-613-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3328-298-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3444-441-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3464-223-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3512-1031-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3512-49-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3512-581-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3520-151-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3592-936-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3592-389-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3628-96-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3628-619-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3668-103-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3740-207-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3836-452-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3840-899-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3840-494-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3860-429-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3892-247-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3980-542-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4072-274-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4128-364-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4232-262-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4336-268-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4476-320-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4500-176-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4528-488-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4540-144-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4560-500-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4560-897-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4712-232-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4716-184-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4780-358-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4840-167-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4872-561-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4888-607-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4892-512-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4984-458-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5004-341-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5036-464-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5052-829-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5100-310-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5112-200-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads