c948661266a56c92ecce3f37d875daa4e5eb9933d318b39e73cec1b8b8e8834c

Analysis

max time kernel
143s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2cdefc3884a1df1fc3505d44f141800_NeikiAnalytics.exe
Size

315KB
MD5

b2cdefc3884a1df1fc3505d44f141800
SHA1

43ea1cee164ca6c3df7630a61e4d442809087ad2
SHA256

c948661266a56c92ecce3f37d875daa4e5eb9933d318b39e73cec1b8b8e8834c
SHA512

c23eb8b93a508997380672b69232295a840435053ba012b26a1fe32368b9de327b8ae1813ed67e44022607103a5d5e652bd56a8661dce7caa7b73d8e0051b2be
SSDEEP

3072:pnzLrA+dy8IyQNJ5atq749+f4auvZ7LC4ZR4mqmnKBstqBiPXPAPePdfVQ:p3rACiJDatqI+stesMmG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b2cdefc3884a1df1fc3505d44f141800_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe

Executes dropped EXE 64 IoCs

pid	Process
2164	Kepelfam.exe
1852	Kbceejpf.exe
1680	Kebbafoj.exe
4016	Kmijbcpl.exe
3748	Kdcbom32.exe
3800	Kfankifm.exe
1036	Klngdpdd.exe
396	Kbhoqj32.exe
1992	Kibgmdcn.exe
4300	Klqcioba.exe
4024	Kdgljmcd.exe
1260	Lmppcbjd.exe
3244	Lbmhlihl.exe
4732	Lekehdgp.exe
4972	Ligqhc32.exe
3516	Lpqiemge.exe
2536	Lfkaag32.exe
428	Liimncmf.exe
3904	Ldoaklml.exe
1232	Lgmngglp.exe
4400	Lmgfda32.exe
3056	Lljfpnjg.exe
3224	Lpebpm32.exe
4808	Lebkhc32.exe
4148	Lingibiq.exe
1824	Mbfkbhpa.exe
4892	Mgagbf32.exe
5052	Mipcob32.exe
4600	Mlopkm32.exe
4364	Mdehlk32.exe
2368	Mibpda32.exe
2200	Mdhdajea.exe
5028	Mckemg32.exe
2208	Meiaib32.exe
2900	Mmpijp32.exe
2816	Mpoefk32.exe
3492	Mdjagjco.exe
4328	Mgimcebb.exe
4276	Migjoaaf.exe
1120	Mmbfpp32.exe
2588	Mdmnlj32.exe
2288	Mgkjhe32.exe
2768	Menjdbgj.exe
4564	Mlhbal32.exe
1688	Npcoakfp.exe
4504	Ncbknfed.exe
4620	Ngmgne32.exe
732	Nilcjp32.exe
1684	Nljofl32.exe
628	Ngpccdlj.exe
2464	Nebdoa32.exe
3564	Nnjlpo32.exe
4240	Nphhmj32.exe
4100	Ndcdmikd.exe
4004	Ngbpidjh.exe
2760	Njqmepik.exe
1456	Nnlhfn32.exe
3256	Npjebj32.exe
1180	Ncianepl.exe
4412	Ngdmod32.exe
1788	Njciko32.exe
4232	Nlaegk32.exe
220	Npmagine.exe
2148	Nggjdc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Nljofl32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Lbmhlihl.exe	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Lingibiq.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Ffhoqj32.dll	Kebbafoj.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Kbhoqj32.exe	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File opened for modification	C:\Windows\SysWOW64\Lmppcbjd.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	Mdehlk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kibgmdcn.exe	Kbhoqj32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Kibgmdcn.exe	Kbhoqj32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6608	6896	WerFault.exe	275

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjac32.dll"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b2cdefc3884a1df1fc3505d44f141800_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b2cdefc3884a1df1fc3505d44f141800_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2164	2796	b2cdefc3884a1df1fc3505d44f141800_NeikiAnalytics.exe	85
PID 2796 wrote to memory of 2164	2796	b2cdefc3884a1df1fc3505d44f141800_NeikiAnalytics.exe	85
PID 2796 wrote to memory of 2164	2796	b2cdefc3884a1df1fc3505d44f141800_NeikiAnalytics.exe	85
PID 2164 wrote to memory of 1852	2164	Kepelfam.exe	86
PID 2164 wrote to memory of 1852	2164	Kepelfam.exe	86
PID 2164 wrote to memory of 1852	2164	Kepelfam.exe	86
PID 1852 wrote to memory of 1680	1852	Kbceejpf.exe	87
PID 1852 wrote to memory of 1680	1852	Kbceejpf.exe	87
PID 1852 wrote to memory of 1680	1852	Kbceejpf.exe	87
PID 1680 wrote to memory of 4016	1680	Kebbafoj.exe	88
PID 1680 wrote to memory of 4016	1680	Kebbafoj.exe	88
PID 1680 wrote to memory of 4016	1680	Kebbafoj.exe	88
PID 4016 wrote to memory of 3748	4016	Kmijbcpl.exe	89
PID 4016 wrote to memory of 3748	4016	Kmijbcpl.exe	89
PID 4016 wrote to memory of 3748	4016	Kmijbcpl.exe	89
PID 3748 wrote to memory of 3800	3748	Kdcbom32.exe	90
PID 3748 wrote to memory of 3800	3748	Kdcbom32.exe	90
PID 3748 wrote to memory of 3800	3748	Kdcbom32.exe	90
PID 3800 wrote to memory of 1036	3800	Kfankifm.exe	91
PID 3800 wrote to memory of 1036	3800	Kfankifm.exe	91
PID 3800 wrote to memory of 1036	3800	Kfankifm.exe	91
PID 1036 wrote to memory of 396	1036	Klngdpdd.exe	92
PID 1036 wrote to memory of 396	1036	Klngdpdd.exe	92
PID 1036 wrote to memory of 396	1036	Klngdpdd.exe	92
PID 396 wrote to memory of 1992	396	Kbhoqj32.exe	93
PID 396 wrote to memory of 1992	396	Kbhoqj32.exe	93
PID 396 wrote to memory of 1992	396	Kbhoqj32.exe	93
PID 1992 wrote to memory of 4300	1992	Kibgmdcn.exe	94
PID 1992 wrote to memory of 4300	1992	Kibgmdcn.exe	94
PID 1992 wrote to memory of 4300	1992	Kibgmdcn.exe	94
PID 4300 wrote to memory of 4024	4300	Klqcioba.exe	95
PID 4300 wrote to memory of 4024	4300	Klqcioba.exe	95
PID 4300 wrote to memory of 4024	4300	Klqcioba.exe	95
PID 4024 wrote to memory of 1260	4024	Kdgljmcd.exe	96
PID 4024 wrote to memory of 1260	4024	Kdgljmcd.exe	96
PID 4024 wrote to memory of 1260	4024	Kdgljmcd.exe	96
PID 1260 wrote to memory of 3244	1260	Lmppcbjd.exe	98
PID 1260 wrote to memory of 3244	1260	Lmppcbjd.exe	98
PID 1260 wrote to memory of 3244	1260	Lmppcbjd.exe	98
PID 3244 wrote to memory of 4732	3244	Lbmhlihl.exe	99
PID 3244 wrote to memory of 4732	3244	Lbmhlihl.exe	99
PID 3244 wrote to memory of 4732	3244	Lbmhlihl.exe	99
PID 4732 wrote to memory of 4972	4732	Lekehdgp.exe	101
PID 4732 wrote to memory of 4972	4732	Lekehdgp.exe	101
PID 4732 wrote to memory of 4972	4732	Lekehdgp.exe	101
PID 4972 wrote to memory of 3516	4972	Ligqhc32.exe	102
PID 4972 wrote to memory of 3516	4972	Ligqhc32.exe	102
PID 4972 wrote to memory of 3516	4972	Ligqhc32.exe	102
PID 3516 wrote to memory of 2536	3516	Lpqiemge.exe	103
PID 3516 wrote to memory of 2536	3516	Lpqiemge.exe	103
PID 3516 wrote to memory of 2536	3516	Lpqiemge.exe	103
PID 2536 wrote to memory of 428	2536	Lfkaag32.exe	105
PID 2536 wrote to memory of 428	2536	Lfkaag32.exe	105
PID 2536 wrote to memory of 428	2536	Lfkaag32.exe	105
PID 428 wrote to memory of 3904	428	Liimncmf.exe	106
PID 428 wrote to memory of 3904	428	Liimncmf.exe	106
PID 428 wrote to memory of 3904	428	Liimncmf.exe	106
PID 3904 wrote to memory of 1232	3904	Ldoaklml.exe	107
PID 3904 wrote to memory of 1232	3904	Ldoaklml.exe	107
PID 3904 wrote to memory of 1232	3904	Ldoaklml.exe	107
PID 1232 wrote to memory of 4400	1232	Lgmngglp.exe	108
PID 1232 wrote to memory of 4400	1232	Lgmngglp.exe	108
PID 1232 wrote to memory of 4400	1232	Lgmngglp.exe	108
PID 4400 wrote to memory of 3056	4400	Lmgfda32.exe	109

C:\Users\Admin\AppData\Local\Temp\b2cdefc3884a1df1fc3505d44f141800_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b2cdefc3884a1df1fc3505d44f141800_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\Kepelfam.exe
  C:\Windows\system32\Kepelfam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\Kbceejpf.exe
    C:\Windows\system32\Kbceejpf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\SysWOW64\Kebbafoj.exe
      C:\Windows\system32\Kebbafoj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4016
      - C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4148
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        28⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        29⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        32⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        35⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        38⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        40⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        41⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        42⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        43⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        44⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        45⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        51⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        59⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        63⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        66⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        67⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        68⤵
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        69⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        70⤵
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        71⤵
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        75⤵
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        76⤵
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        78⤵
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        80⤵
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3380
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        82⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        83⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        86⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        87⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        89⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        91⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        92⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        93⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        95⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        97⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        98⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        99⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        100⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        102⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        103⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        105⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        107⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        108⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        109⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        110⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        111⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        112⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        113⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        114⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        115⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        119⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        120⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        121⤵
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        122⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        123⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        124⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        125⤵
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        128⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        129⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        133⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        135⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        137⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        138⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        139⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        141⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        143⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        144⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        145⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        146⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        147⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6412
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6512
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        153⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        155⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6844
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        157⤵
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        158⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        160⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        161⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        162⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        163⤵
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        166⤵
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        167⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        169⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        170⤵
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        171⤵
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        172⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        173⤵
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        174⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        176⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6620
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        178⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6956
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7100
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        184⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 404
        185⤵
        Program crash
        
        PID:6608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6896 -ip 6896
1⤵
PID:7036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
315KB

MD5
06a986fc4371e36025c50fc8cb4d687b

SHA1
17a4aa138d9e709ff74a69f8fc52b813908e0bd2

SHA256
f8457a8ad5d2ff5d1e1e61ef28c3681ff3346c6d31965822c96cf46a29c65445

SHA512
7359f983345701b720c6d8880647a0ac7be84b2c56fc910fa105cc1e63166c261fa990b8d3a2c815736e0211fdb0a14da17c6f1e1f2c00ed19b5bace070eb82f

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
315KB

MD5
34f9bf6c3a04f4eb5ec51cb2e02eaaa8

SHA1
e479ab9e427081352576f781d8c2a6012318edff

SHA256
7744e353c5a1d8f518b2b83277880b27eeed4f33d9e5916ad68097f049a12004

SHA512
a0b778b8d8695286409e098bef1397b9b5e553bc946bee4e1a8e9be4b001870c1ae2a91c00d76d958cbddb3b495a37c9c2e01c1d447977fbf4fe4336b7577dfe

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
315KB

MD5
123ffc18b0fb2d4bbd57f79829bb244f

SHA1
e22d9b067f50c74152df936a1af6b5f2b3104740

SHA256
3bc1b79bf295b45b30026689a6932fea590a3f76ab882bdb293f58dda186d14a

SHA512
518046c180143d518ac3f71056f2492751a05b308b1a084205757174d8542f785077860ad6f24844f84e20ba685dea79c638a1b081b217538f3097568bac34c8

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
315KB

MD5
07da6e05da99bc795146f6d13363ed74

SHA1
be1b3d69f81e21677e075b6dbf27e907f4da5f23

SHA256
c66f91aa51081691f3e351424c154c06b1edca5691c8ff3fcccc60420a53ed6a

SHA512
7ada170dc2ce698e02d88746186f20922a7c2bf1e1c538ea58b30d9877fc87efd84e0e5df649ea299051e5b99ad7badbec1980cc3402d3dd45de2618a0d8e799

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
315KB

MD5
79975a48013b842623c19b248517aa9c

SHA1
1c1c5b489b856ad5ebb78822ae2bde5ad9ce90eb

SHA256
822742b48f365fea091a8eec1de3c9b74d62636c82c3b3f1c7bb4c84b49066e4

SHA512
7f3c1cbbc80bc97cb7d06d887446fb6d5bdb4b7aaf6bd76deeb528706aa4b87d270eaf84e2cfeedbb946e8a48e08028658a1249558e03845b0fee5833c2f2414

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
315KB

MD5
c169c0a264929d4dfb61dd6d2e49279a

SHA1
98577171c19eeb984c3aed71f0060e2dbde6cafa

SHA256
73d9b275272880465b3d30ed304796cd5c86b4bcec9e0cd1a4e40a839a28ff50

SHA512
7c13bfeac195629ea399c97ceb8d5ddc419122bc6dc7ed3108139122777f89b1d9110465e9557be37216e9c3e96fc29dca9f2fc6ace9495598722277479f39b6

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
315KB

MD5
77867db4fb67e19ef06a320350bd6c4d

SHA1
ac6bfe81f026599cc5d4f96f3672f28151dcb060

SHA256
3d6bd805fbce5b8e327a899158b745a1de6db241787bc19966978d5e326db2a3

SHA512
89808f0bfa2ba0abd0ca9bd6b390dfbcd549871f1a5577132e47654b1ce43fb97aabff3fd92e86587d52bb26bf78edafe0e4bad45e89ccac45c66275ee6845fe

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
315KB

MD5
b9dd8882118d460fd1b5068be0281c8a

SHA1
a49700e3a4dca17f792973c417544a852cfef077

SHA256
a8d3a30626aaffcc32e9fd15b8d68827ed4ec23fea711d440598224ece59f6cb

SHA512
ac530613b392926764b8299100e5a17e8cf121e0c1bae901ad73792d1d99f66778283315ee2a1375d5f74d95582193ccb86bf476ae2751e0b392a0d576fa890d

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
315KB

MD5
de4a07a0cd48311e95ed1c3af741acc9

SHA1
b1b2bbd603475795cb39087aafa5be04a17e737a

SHA256
b462e3cfafa08f19848827252a15f9e7f3a2cae64a7d30909202903b4bef7cd3

SHA512
e120b90fa5f19570f7007f23d5cfdafbbec1abce156a69e0484e9d7a4387a864c0b3dcae3803a19e83abcd59d01dae5a2586b1e3786683d03961a1450b44edb2

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
315KB

MD5
6cf7d53db96c41e947a0910fbab255b6

SHA1
9f97448007fa2d7610ec8ebaea591b1ff142a254

SHA256
6a1d123c0f55cd67418ca0db3ef2ee00280679d83ed48d40d8f4110dd930491e

SHA512
c5b03417c773753b3e1a95f4774bf3f53c317a9541d6b9b8f80b6b976d5868b16381654a0be259e68a6698d441dbe3ae559eaaa6468c92d7d94c29115e801b24

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
315KB

MD5
5b75b702460742933ba4e691aa7cc091

SHA1
83fb5153ce855808a3151348e83e824b30ebdf36

SHA256
6ecb274289ad500b43617b93f0c44b97464829fbd1c1d9c0df00f815f678c956

SHA512
75e987186ba1a8cd9025ac5ffcbdf88d317ea3fffed9dad08865252bd8c3b6d391a4a7d987e381ba22faca816a1f788b4fc9f26e39e90e6477073815d9a77626

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
315KB

MD5
efc46da235f9cbd24b6e53dcc8073ae7

SHA1
637e8530a8d4109ee64f865690f965258aff0055

SHA256
1d4f0579087d8d063d8ab8b4e36146a16af7bcaafafc2d191d6861b35ec153e3

SHA512
ffa6f8a9058dc451a3c483920b247d63cb76a6bfb7e490b00c4c8a5f871e4aeea29ca54d9e044caa02b16292ece9f44b5d84633b6187d93aff076242c05e44fa

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
315KB

MD5
d9b7f8bc256e581810d31b4ebd1e4a5a

SHA1
607331c4c4ae42fae52e1d2aceb32a0f4d33ceaa

SHA256
643e4a03dada55bfe0e2ddda3f3efcd06c515c4dba529550997e250808661284

SHA512
ceda75c4758741d7d280a0f5661d8e715098d33e53012b2f27bb52b7cb1a4a7af662d140457238aab054ffd07feeb8fcba3e0ee5beec2e8bc0ed3c7f2b0ecac2

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
315KB

MD5
8f41d8435a45caba1ed0fd0e751fd9da

SHA1
6e4def6708b66a513e50e5d4eedf4d0bf8e3fe1f

SHA256
07c1a60aebf8695ec3e93b91665408d9ce37fdcc54989589297285455f6dede8

SHA512
df8e1870280410eb14562cea5d1659915e68c10a7c31439a517791dcc20087724da5b0f7f9f48fc0e86f9eeac5a80fa94204907c07e3eb1d26939cbeb54d871a

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
315KB

MD5
436c7049e9f5f327da833230fd694f3f

SHA1
314eb27b3b6982dbf766a472bb0419829247144d

SHA256
efd3e72ea179ed0265a6a8d21ab63c885d901781cda84c834ca3b52441f75f9a

SHA512
0ef57ce033d181f48f8c7050bb08c790f325a1f55f6ef64ecfaa57095b2a805ef6e6a367b69897578f2682c6f551a23d5cebc847f7adfe2808ed79cbf0afbcb8

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
315KB

MD5
2e2b8bf68bf1a935dde7829ffecd6c0e

SHA1
aa20342c512f1fd175d75df7a95613e9a6ade851

SHA256
883a16b879220d998f71cf8d9a1c628125519098587709958a5a52e2c80915fd

SHA512
0805671be496843052472501d56d3dacba161abfd13df8ed33443e5653fd728f8de6f1efa984b144ce16b1544c9c057d15fda190743dc554724a16acbe3c7eee

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
315KB

MD5
852fcadb57d13be6bdfbf55a6c6b3670

SHA1
52fc2e49d1650160aa9a9f5cb8959ff91a188e43

SHA256
22b536ce758411a83d29b76aed56c5af77eed2ab6213875d037e140ec6f723a3

SHA512
ce90419c368af3a2d41a335233fb8baeb515786adacbae318bf9f44c13520689ab8c61fa8e5fc71c0dc8c45dee86d9ac82cda5195f881d1ff42025184d805b2a

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
315KB

MD5
92903051fb9f9ac3674af1e5a845b18c

SHA1
44c144d89ced03c409077d3308dd4607e982f288

SHA256
fed20654073fe0e8b0d55e0a34def6fc341fbfcc43ebdc76d930251c6e642ce7

SHA512
7aafe1a277804fb80aaad5eb44103a891b0ff17632902902489f23394c6932204769f3c8f8a083c1656afa093b8c5c74bfb6ebe186564e788870abac28d08ec1

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
315KB

MD5
7030798b47bcb39d965c66d7b1897e75

SHA1
619057b19877599b823458fa2e0e236d2d998f8f

SHA256
d6496ef68b6c04ed3f5f9c5c1fe75c26f4f386cf2a92bb2de72eeff35a387991

SHA512
3a7f1ec130427314dc01f7beadb8876bee882887b92b71f8220ba5a193a17675f3a4317796d3a55ce7112294337030d4c4e8d2128172625331822d47964e4564

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
315KB

MD5
c2538bdebe1d21d9f79d06f6f374e6ad

SHA1
4c9f6821abac611b25edf0325a30154ad5f080ea

SHA256
3ec7c07be1da32d343aa1e12105c705e167070c3cee3e2e9c02a0b4bac0f4ec7

SHA512
5a476dad5a01a8ffc608f0c2cc064b15f1063ba89a480bdb70ac7fdfcee62965db99c9f0ff8474b0efab3549e32d9b18d23500fac280fcd6d3d656489d24dc42

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
315KB

MD5
1cfaafeaf3139447db1bab6e37428504

SHA1
ff431b71854d643d5ddba1f86162465228dc469b

SHA256
80a4932b64823759172435b16940ae92657fb779dcae6e047c6492319fab3f77

SHA512
b1daef6bdca0e7a160bc9b6c9c404a4c55917db363fb3fe7d9629afdc7a860b50c96e2887c223d583391b47a2f565b47d6c2d28ff74c0ed1314fca60be714abc

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
315KB

MD5
b6bba61195ae22c58fee8c32e1100ec4

SHA1
0252d2ba54f3e1749ee55cd1e0a8650fd49a7f69

SHA256
8e5ef5d6d44272402892bc6a293e3f55dd26f644cba7e67c85d38f086e809183

SHA512
bb0f506e4c6c5dfb5524e1274f6765b77d10143da7fde8fbdc9f51153fb6307deb636743225b02b3de518fa7f70d516f27a87b15dc90428426726cc00859af9a

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
315KB

MD5
c98348c04852dd16ef7880df27719c22

SHA1
c2af78653e75585c76ab92f0a605a6f509ac8a80

SHA256
32346a947588faec8288642cbad53bcbb1b85a78cd659fc91a18105a9161bf1f

SHA512
6bc90b55667fd3963712294de78729f65922de4278bb1292092b937610cf8e028bcbc1682367d82f441b51e08b0b02e8287f124581077eab0341e7c9d0daae48

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
315KB

MD5
68b614e6d2b3a0aa76745d41759c193d

SHA1
999606fe291a1636d68d3a2429eb0f3e3f87b1e0

SHA256
89bb411dc0f16b62f128b6b830ae993ace9eb15e159f7399366ac6e2d348dffc

SHA512
0df371e041fc3398e3643cff4380ae2b95090eaa156d93eb59e4c1d9287054f402bd5db6af91edb86c1f10327673b142b27de054eb9edc241a5a927ee4c7418c

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
315KB

MD5
3a340ff6a6927a84a764c10315a1902b

SHA1
144791d61dae91dff964fd6ab27a70b87cb78f05

SHA256
dd7768f58ef536d3fdddc9d0dcb5433ec90d01992b7db4d9dee0ad5f3f29033e

SHA512
17a94b7b43c3e9595e21e1431bc29e22bb9660510af30a3654a88cdcadbecfc1c0fd0e498f48474753a18b997e9cf75983cb701ac1dbb7052589dd04b1b09ab8

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
315KB

MD5
858bec2dede56b2c694090e9d2faeb2d

SHA1
d44ba0a81ab477b0703ad6698c0ba9a68c0f5c9f

SHA256
8ee8f0b8aa42d9c16fdd82064264e968f9abb37a8d8ba483c5110ffcd43b1403

SHA512
9037ceb574bdf871c7489969bd3a953693165cde7a7f7a0adccf6a9a96bc838996f3d9ac5c7181a8289dc36ffaf8fcc74727de6909369ce46d824fdd9e6a88b9

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
315KB

MD5
cd74b0a01ffe800226691706d5494f9e

SHA1
65f6724961ddf6cae8232a32c106e9a521f18656

SHA256
a4ab9960c4186f142a25bcba31acae5a77366a83a9d61fcf4bf7b5095098d2ac

SHA512
694fb6d4effd29e2febbc2495a60e2f7bc6dd5ccae4918d4382d47d7fe9a05d3e5d118f79cfd67b83fc1a14f4184a0859d16b061c09ed9adecb0d44502753ed1

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
315KB

MD5
73cd1c0596f6ac172205c4fd4a172d2a

SHA1
3400b3624b61f53224ed524ed88cafc798afa4d7

SHA256
bfbb42654094ecdb8583d854fcc08eea78ad435bad25a21aa3eeefba3694efbf

SHA512
7a95b795eb07d03679d606ee55c8fd58cd5958df2bb22327a0d95aa8a9c4ecb876390a4affd26340831e945059cc2e3b6c2404d870afd98a4b8b2841d6406370

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
315KB

MD5
848ecce06fc7d39f648aa03013fadef7

SHA1
c283cfe24376688fa9193346f3a3d35bd803435b

SHA256
e7c4c64d5c615e620c657d42c25bda64c32d1dd47177c6ca63f7fe84a0ac04fe

SHA512
db93e0a437a81130063df9e7bc88cb32ac5004d7fc5286e4b5baadb34b43349a78a6054dc0035261b87f63e9014073f4075a63a1127255de34aeedef9dc7017d

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
315KB

MD5
022a01cb4cca11a7a456d414f5ac5899

SHA1
eb60f7c15127e10d2cc55e5bd93e5b4423b6308f

SHA256
3a3e28c324ad31593b4ea649d4212219d54b298e364b4da8b4f607b31ab8c243

SHA512
dc55e677b584eb97e2230b8481f8f5dd5f0000f77b98c390cf3a23b088eebcca6ad829e848b65850efdc425e29ae09a956bf3608d810315478eec6a2399b5fef

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
315KB

MD5
3c78358343356f00e1cfe1cd184d6b64

SHA1
8ce12b31da4c63dcc85a6174a168e1d338fb1a31

SHA256
e5217aab4c6a7e86c5ce09728574ba9ef7bfa743f1c758412010b0649e2d1331

SHA512
aa35055f25336c321abf00c21cb12d0998e805c884cc48a9afeb86a93cb29fe35cebe732b9502eb58df701d56550c456d25237ad3714ccf658b02cedc235afc3

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
315KB

MD5
c2c3dafeb2d8fff94513fb26a2f1b57d

SHA1
75481cb6f4e773f502ed99c6890f140439769aa0

SHA256
2a8b5fd0ad9fd3967fc3271910c1924be9fd84f304d0b67f5dc28476cfcf65d5

SHA512
301061faa3ef818a839bc7b63d6dde7ce626416cd0e4354297f86781fa0fdc4272da6281b27b9ff3302cb279cea40c0638603e40fa516e4d7b6ce53e5fdf0e6a

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
315KB

MD5
2249ad83888b4200a8fd3f282a0c3718

SHA1
dc63fdb5c86ff756bcd521eae6290a3d20ac7029

SHA256
6d9d0323226341c33f39f6c4530f505d874fac28738ad285940fd85222593e4f

SHA512
0744ac909c70e7dcf64f788de2aab9614bbfff83d927faafd90068cd268f492ab4d0504be54c4abe4d657577b7b86f6d57eeac3b969f7b0aee3b250bacc27ed2

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
315KB

MD5
d155ccbd56839e1935ac5e5668e08fe0

SHA1
81bb4cbeb23468dcff3569be688965c459cc1bfa

SHA256
acedd205bb322f40486f3aea575cf8f3137bad05f64e7fd3cf8396afe466f4df

SHA512
fe71177f8f628b3d43a6627a66335f958ad5ff02f0746d7282109f513c611f3261d2f1c19cfd7d25af8f9413ab5afd841242607fec7c2d04abe7a3c4bae3ed20

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
315KB

MD5
bc8e26adf8d3d60ad401c8bc923071ec

SHA1
8061b0dcd37c7b6d6517ae9bbc8a8ca58a7f8a62

SHA256
3f61e3b2100ddbd2ae03eabc75ed1f627f38f87b454f994e882d04c9a95d5316

SHA512
78323b49bd718214c48c5c948dd66e89136d45bd988fb601de17f435ba72f72c47324c58f3e264f3bf3ebbae5a1540b7eae061d1ddacb0425991f5eead851dc5

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
315KB

MD5
07964b27e4f213c615c1e08ccf59be55

SHA1
5e01b8aa57d11d35666d2a2aafcd5c6435e3f232

SHA256
faef7bd10676f79f3fa346d5d6596d9cb8a7568a35305aae60ea73dda7cb7606

SHA512
dce10cb874d66a13a38525e89f43e1a70700a9f39953f592d358951eb50d8964220f40dd3ac8c11b1e1702900896645eb7b6c47a1ae8a2099e0551a2911d8682

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
315KB

MD5
b52bef3a89c9094e53028c045477467d

SHA1
270447e29d4fe7fcc86738cd488662a596f6a7a5

SHA256
55486a35a1f93c7379719945a546e7249939098f99904dbbf71018ac82f459a3

SHA512
4bc885844cf62d0250cfc0e7958f3e8df7624eed0674d51d3bbf790dd9f8c87eb079d7d07e92d6ab76614edce02012c21630360ffdc755b481466da808ddac3f

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
315KB

MD5
2060188b33aa7d6c19e68f31f688b382

SHA1
b40c5bf2cc7180b5dbc06d5248ef1c0435d085ea

SHA256
99bdfa84d482996246121a46650c29e28302d03eb6db3ec39b5823f669908ffc

SHA512
8dee1d439c746c975be194bc77e07eafc2dcdae148a7870716f9dd997a065f3263bd8f0512858705e9ed7bf90a2fbca640af6ef16ab2cd8a24fe5c872d4e6f85

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
315KB

MD5
abe6ee2df2fb0a4b2f735f5be0ace352

SHA1
853ed7a59338c73a69b455398ca524464fee0379

SHA256
7f87be2b97c1fdf6e05e59cec78afa60c6309ba47780c81598e63b8446e339f5

SHA512
0c85bfd5c26f622e3508fc3ac3bab991b3638ba59052a9099942885f6bcb23d5a8fc0e6df7dee254057ba175d440fd25c204c4637f86676f60a405a44707dc99

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
315KB

MD5
8d1a18546721d9f2e6a9efe3d98604fc

SHA1
d78ab6edd2ea981f62477c55059314622eb5bf72

SHA256
241ca095b71f053ecdecf6f43aa104c62c56dedf8527fcbae8f7f6d4c6f07daf

SHA512
fbe0af39c59dabba41319619f27ca4ffc6824486d31a6e99796bc8ac89a5b6e41aaa6688146c2078dbd0b2b0d5fb06c19a7c047b5e796ecbf0ab365ba26962e8

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
315KB

MD5
addf416c37b195eee71c6c03861fa778

SHA1
6d39fdda4e3c666fc63db4b34cd62aaa0d1a9361

SHA256
a8490696d0283f2dea8caccf9b867ec849aab8347a010059c005a56cb18ff4bc

SHA512
d8ce449c858d4aed81c9ed651d489f71ab62e67fab9e925a981ead4f35e7eda63fd456d605134b37336773f5a7cf29b19e6934bc16057a2484e7263ac9df6248

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
315KB

MD5
65d03aa4b173d9f58b27fb58323cfa25

SHA1
575e70993938fcfdb635cb0dcab44f672132040a

SHA256
fcf2d70e2e883d490cce6d04af6b82c376c8f7b4d6a4f5c9a474febf46a9472c

SHA512
fb2fa660c8f7f6db23d7a606028a5951c2fd7a4b3e1dab45fdc854ec78d7ba91d4808daf7f77e49b01bf4c28ff882f30c626c525122c8d63aa9ab8482c2d1916

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
315KB

MD5
26524f01ef53ac2f6c4fadbdcc61cb78

SHA1
96a2e84361f54ccec65ace4fd47ceeae6abfdeaf

SHA256
3d4b2f9ed124cea84795a0f27d9c602660a53783b521e691804f74180cbf9bd6

SHA512
fc50fcba2544aa5c716af9a5b7fa8f96abb0792f7065c9ab5707cfcf42c2347be4a5ed54e7c68022897451cc3f454f2c7599d732ebf4f946f5938cd20a1dec23

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
315KB

MD5
ab767c103c4205e1fdfcdef8029bbb5c

SHA1
6d66cb1a273e3bab7e319280e8f79b6a77493aed

SHA256
fce4b4d958db206c96367ab65f795fc9a3c1ad4def0c2a9a08cab0b6c040d776

SHA512
92364020f4eaa0f190cae1a3ebe18826ceb5cc5d593fe6d8ae1a021291fbbbdc2962aa0f1ede81c700e7771c2e5b174d174034a43b48f30199aac29ad182c02b

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
315KB

MD5
95aaa32117bd9107c1facfc71ccbfb05

SHA1
575e504cbb4d427f78b11170169edeabfdc72b63

SHA256
55fda75035b8556986e0fa93d95ff217bacdd7aa8342cf48333d6c8f20a46d32

SHA512
e757adb173aed061b3faaed14ed034fe3bee1d8ea3036b7e8df450f41d5af640b7b30eea7631e533aa5a5095a1d4172718c407677c99f54c9f7c1ea196341588

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
315KB

MD5
ea55c418af42fb0b7b3d0e5ea466e5e4

SHA1
565ba026763845e3b3923f00e7bb8b8d0fad3207

SHA256
34111cfba2ddc36dea054f86a41b013fcaefe687209f65b949f07aafd8fdefad

SHA512
50fa21efd385ac3f678cb57214a1b5f60cb53b3e2889fc79ad639da5e6b0d78a346a809f1061429be52e9cc1dff0c5fdbb1ed7f7e894c2bf04c5a193ea7b9201

Download Submit
memory/220-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2796-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5144-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5232-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5280-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5324-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5364-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6348-1241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7020-1258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7072-1273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads