f1c87f94a5ce8989fc37c7ebb29de2e0cec30c3ecb91ac1529ceea2283973747

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

351f35943d25d183639cb661f04bc8c0_NeikiAnalytics.exe
Size

186KB
MD5

351f35943d25d183639cb661f04bc8c0
SHA1

d4eeeb0dba29800337ea7bcb34f2cbcb26c06f95
SHA256

f1c87f94a5ce8989fc37c7ebb29de2e0cec30c3ecb91ac1529ceea2283973747
SHA512

0a3839606c6294b41ce1f3e55890646c700658ad0d87d53cd10f88c09e31c7cb93f36a33705e252d97eca51459e80e2b9e00ee49a592e0f5e4f59c7339d83466
SSDEEP

3072:IcKQAKH5FttR3SE0iYvf33Fv+Y4H1vkF3VOMC4uMhZpMdoVBRDI+Vvlg3vG:PAqtzinTf33F+Jk/4AcgHuv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kboljk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	351f35943d25d183639cb661f04bc8c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe

Executes dropped EXE 64 IoCs

pid	Process
1288	Jlkagbej.exe
4768	Jfaedkdp.exe
4932	Jpijnqkp.exe
1000	Jfcbjk32.exe
2464	Jefbfgig.exe
1900	Jmmjgejj.exe
3256	Jidklf32.exe
4480	Jfhlejnh.exe
3240	Jmbdbd32.exe
3488	Kboljk32.exe
396	Kmdqgd32.exe
3268	Kbaipkbi.exe
2024	Kmfmmcbo.exe
2888	Kdqejn32.exe
1820	Kfoafi32.exe
4924	Kimnbd32.exe
3948	Kdcbom32.exe
528	Kfankifm.exe
2052	Kbhoqj32.exe
4956	Kibgmdcn.exe
2728	Kplpjn32.exe
3576	Lffhfh32.exe
2780	Liddbc32.exe
3984	Lbmhlihl.exe
2364	Lpqiemge.exe
1560	Lenamdem.exe
1436	Ldoaklml.exe
3352	Lgmngglp.exe
4200	Lljfpnjg.exe
448	Lgokmgjm.exe
1624	Lmiciaaj.exe
1960	Mdckfk32.exe
3408	Medgncoe.exe
4880	Mlopkm32.exe
872	Mchhggno.exe
3968	Megdccmb.exe
4384	Mlampmdo.exe
4084	Mdhdajea.exe
1036	Meiaib32.exe
5028	Miemjaci.exe
3468	Mpoefk32.exe
2188	Mcmabg32.exe
3212	Migjoaaf.exe
1976	Mmbfpp32.exe
4224	Mdmnlj32.exe
3368	Menjdbgj.exe
868	Npcoakfp.exe
4272	Ncbknfed.exe
1568	Nilcjp32.exe
4788	Nljofl32.exe
3264	Ncdgcf32.exe
4352	Nebdoa32.exe
1020	Nnjlpo32.exe
3512	Nphhmj32.exe
4496	Ngbpidjh.exe
4828	Njqmepik.exe
4536	Nloiakho.exe
2712	Ndfqbhia.exe
4800	Ngdmod32.exe
3764	Njciko32.exe
4856	Nlaegk32.exe
2784	Ndhmhh32.exe
4776	Nfjjppmm.exe
412	Nnqbanmo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Kboljk32.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Kplpjn32.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Miemjaci.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Kbhoqj32.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Kdqejn32.exe	Kmfmmcbo.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kbaipkbi.exe	Kmdqgd32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nhgaocmg.dll	Kbhoqj32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Hhmkaf32.dll	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Bagplp32.dll	Jidklf32.exe
File created	C:\Windows\SysWOW64\Jmmjgejj.exe	Jefbfgig.exe
File created	C:\Windows\SysWOW64\Fojhkmkj.dll	Lbmhlihl.exe
File opened for modification	C:\Windows\SysWOW64\Ldoaklml.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Ejckel32.dll	Jfaedkdp.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Jmbdbd32.exe	Jfhlejnh.exe
File opened for modification	C:\Windows\SysWOW64\Migjoaaf.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6836	6580	WerFault.exe	253

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjpohk.dll"	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	351f35943d25d183639cb661f04bc8c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpphah32.dll"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdelcpg.dll"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1288	2816	351f35943d25d183639cb661f04bc8c0_NeikiAnalytics.exe	85
PID 2816 wrote to memory of 1288	2816	351f35943d25d183639cb661f04bc8c0_NeikiAnalytics.exe	85
PID 2816 wrote to memory of 1288	2816	351f35943d25d183639cb661f04bc8c0_NeikiAnalytics.exe	85
PID 1288 wrote to memory of 4768	1288	Jlkagbej.exe	86
PID 1288 wrote to memory of 4768	1288	Jlkagbej.exe	86
PID 1288 wrote to memory of 4768	1288	Jlkagbej.exe	86
PID 4768 wrote to memory of 4932	4768	Jfaedkdp.exe	87
PID 4768 wrote to memory of 4932	4768	Jfaedkdp.exe	87
PID 4768 wrote to memory of 4932	4768	Jfaedkdp.exe	87
PID 4932 wrote to memory of 1000	4932	Jpijnqkp.exe	88
PID 4932 wrote to memory of 1000	4932	Jpijnqkp.exe	88
PID 4932 wrote to memory of 1000	4932	Jpijnqkp.exe	88
PID 1000 wrote to memory of 2464	1000	Jfcbjk32.exe	89
PID 1000 wrote to memory of 2464	1000	Jfcbjk32.exe	89
PID 1000 wrote to memory of 2464	1000	Jfcbjk32.exe	89
PID 2464 wrote to memory of 1900	2464	Jefbfgig.exe	90
PID 2464 wrote to memory of 1900	2464	Jefbfgig.exe	90
PID 2464 wrote to memory of 1900	2464	Jefbfgig.exe	90
PID 1900 wrote to memory of 3256	1900	Jmmjgejj.exe	91
PID 1900 wrote to memory of 3256	1900	Jmmjgejj.exe	91
PID 1900 wrote to memory of 3256	1900	Jmmjgejj.exe	91
PID 3256 wrote to memory of 4480	3256	Jidklf32.exe	92
PID 3256 wrote to memory of 4480	3256	Jidklf32.exe	92
PID 3256 wrote to memory of 4480	3256	Jidklf32.exe	92
PID 4480 wrote to memory of 3240	4480	Jfhlejnh.exe	93
PID 4480 wrote to memory of 3240	4480	Jfhlejnh.exe	93
PID 4480 wrote to memory of 3240	4480	Jfhlejnh.exe	93
PID 3240 wrote to memory of 3488	3240	Jmbdbd32.exe	94
PID 3240 wrote to memory of 3488	3240	Jmbdbd32.exe	94
PID 3240 wrote to memory of 3488	3240	Jmbdbd32.exe	94
PID 3488 wrote to memory of 396	3488	Kboljk32.exe	95
PID 3488 wrote to memory of 396	3488	Kboljk32.exe	95
PID 3488 wrote to memory of 396	3488	Kboljk32.exe	95
PID 396 wrote to memory of 3268	396	Kmdqgd32.exe	96
PID 396 wrote to memory of 3268	396	Kmdqgd32.exe	96
PID 396 wrote to memory of 3268	396	Kmdqgd32.exe	96
PID 3268 wrote to memory of 2024	3268	Kbaipkbi.exe	97
PID 3268 wrote to memory of 2024	3268	Kbaipkbi.exe	97
PID 3268 wrote to memory of 2024	3268	Kbaipkbi.exe	97
PID 2024 wrote to memory of 2888	2024	Kmfmmcbo.exe	98
PID 2024 wrote to memory of 2888	2024	Kmfmmcbo.exe	98
PID 2024 wrote to memory of 2888	2024	Kmfmmcbo.exe	98
PID 2888 wrote to memory of 1820	2888	Kdqejn32.exe	99
PID 2888 wrote to memory of 1820	2888	Kdqejn32.exe	99
PID 2888 wrote to memory of 1820	2888	Kdqejn32.exe	99
PID 1820 wrote to memory of 4924	1820	Kfoafi32.exe	100
PID 1820 wrote to memory of 4924	1820	Kfoafi32.exe	100
PID 1820 wrote to memory of 4924	1820	Kfoafi32.exe	100
PID 4924 wrote to memory of 3948	4924	Kimnbd32.exe	101
PID 4924 wrote to memory of 3948	4924	Kimnbd32.exe	101
PID 4924 wrote to memory of 3948	4924	Kimnbd32.exe	101
PID 3948 wrote to memory of 528	3948	Kdcbom32.exe	103
PID 3948 wrote to memory of 528	3948	Kdcbom32.exe	103
PID 3948 wrote to memory of 528	3948	Kdcbom32.exe	103
PID 528 wrote to memory of 2052	528	Kfankifm.exe	105
PID 528 wrote to memory of 2052	528	Kfankifm.exe	105
PID 528 wrote to memory of 2052	528	Kfankifm.exe	105
PID 2052 wrote to memory of 4956	2052	Kbhoqj32.exe	106
PID 2052 wrote to memory of 4956	2052	Kbhoqj32.exe	106
PID 2052 wrote to memory of 4956	2052	Kbhoqj32.exe	106
PID 4956 wrote to memory of 2728	4956	Kibgmdcn.exe	107
PID 4956 wrote to memory of 2728	4956	Kibgmdcn.exe	107
PID 4956 wrote to memory of 2728	4956	Kibgmdcn.exe	107
PID 2728 wrote to memory of 3576	2728	Kplpjn32.exe	108

C:\Users\Admin\AppData\Local\Temp\351f35943d25d183639cb661f04bc8c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\351f35943d25d183639cb661f04bc8c0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\Jlkagbej.exe
  C:\Windows\system32\Jlkagbej.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\Jfaedkdp.exe
    C:\Windows\system32\Jfaedkdp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\Jpijnqkp.exe
      C:\Windows\system32\Jpijnqkp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1000
      - C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        23⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        31⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        32⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        36⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        42⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        44⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        50⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        51⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        55⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        59⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        66⤵
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        68⤵
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4920
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        71⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        74⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        75⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        77⤵
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        78⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        79⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        80⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        81⤵
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        84⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        85⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        87⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        89⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        94⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        96⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        97⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        98⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        100⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        101⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        102⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        103⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        105⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        109⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        110⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        114⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        115⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        119⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        120⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        125⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        128⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5756
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        131⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        132⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        133⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6176
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        137⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        138⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        140⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        141⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        142⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        143⤵
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        144⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        145⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        146⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        147⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        148⤵
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        149⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6940
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        151⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        153⤵
        Drops file in System32 directory
        
        PID:7068
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        156⤵
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        157⤵
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        158⤵
        Drops file in System32 directory
        
        PID:6396
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        159⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        160⤵
        Drops file in System32 directory
        
        PID:6516
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        161⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 396
        162⤵
        Program crash
        
        PID:6836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6580 -ip 6580
1⤵
PID:6696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
186KB

MD5
64cd6d708be17697c7b0311d6b2fbb27

SHA1
b3ddefc0d7b4e4c6c2085081ec96df97d915bbec

SHA256
c72b0ded910cd5b69cabaf51c47da57e534dac5f59b55631755c0ee0f16ca08e

SHA512
687c4d2a3a6b07b50196b4a8b52cce837dd4aae21dd6229bb5431b16365856f4dab393111fd1e4f2f1241c842f6ece4a20b8a5f00c197106bf30c401789b0585

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
186KB

MD5
132e74bbf12cc040e078d2aaf0cc3a0d

SHA1
60a871a8fddaaafab5fe8d28baffc4c257986e3e

SHA256
790bb0f0c5f202988bc6e57d654def8fe29459cdad738077e91871a9d7160eb4

SHA512
9aa82d20de9a90fff1aac2e22ca004d529cb3022ca231c25b16efecb67656ef9ea2dd0ad0edb8d798e3dc29a7fab6bb2d78efe368e8203a096dd8a53271d410f

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
186KB

MD5
c2869b36aee8f02b5ffa3c8f750e1d53

SHA1
92f422bde3b6032058fad57a4f5f86c2c189c6ad

SHA256
22cf695bae83ff2f5badb3aa996cfba146ecbb569ff44a5ef0aa02bda98302a8

SHA512
9ee91680d356059e2e0d1a69350ad844f3d83bffd0e98f33fd5404dd6c18eb1bfcb5f4289dd5c9fe6022d56ae4e76c29184c3059c994d79511d04ff7509c3abc

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
186KB

MD5
3d05911c30e63130d62c61a353f31a34

SHA1
b633915d8e0f2c2a60eece6d9bdd7563ef92e539

SHA256
4ec2fe28668fbe01ef93703b4a4a324d59a7db146eaa26d7759e0a572e2e7235

SHA512
d298996f4301012ddb07d7fba3180cc10e0f6d4803990aae9258d3ddd8781d5e4d3b1b972d4acb7c3da5a28ab2984c957802e185d286605eff265f7295d1da6f

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
186KB

MD5
cf17b5f34bd5913fdd87abec9472ef83

SHA1
43c6002d362f69cfb036e14d9f8cf2fadfac50dd

SHA256
83d6126fcd29b9ac6e19c98de7e4fe6a497bdbd3ab3a0a19b600a204980e2f59

SHA512
c08314fdedd46c1007f9c42f292b554bae68ddfce222933c6d764f06d604194e5a12bccc0c226b1e9bfc2711c8408686f6910c7ac2d9b53e9cab991894ab664a

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
186KB

MD5
990307e262d3b7478a23a01948bc3c3a

SHA1
ddd8b549f7eeb74720941fe75bd6e681f6bab191

SHA256
ce9fc1aeb71037aee5741eafc3a290a442ad6b357d0f1408e804a2bbab7dbef0

SHA512
15533677dbc865dd216f274d026cc273b18abf6ea8389fafe7d58b935d86e78664e231ab3ca511c87f5543ffb8e08309ede396f0458bf52f2acce20338b78798

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
186KB

MD5
569a71d263fbc47e8cd8e4e283463241

SHA1
56a0ac73e503ff8dbaa604aed3c02e92961b6808

SHA256
3562ac5bca82fc4dd87bf82871a0b016a206fe38e74dddf758a4d3206e210a80

SHA512
9733e49294ac24a63dc2d841d3768b43c3f55c059957b7f7f0ab9669af6f15798dc33bea9f5074ade5f0861605597a95e78237e11fcca7a7f3a4e23dc84d721a

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
186KB

MD5
38212833f5d8b8d29bfdcbd6f8f88a9a

SHA1
bda7c19346a73fa2f71fc360565820b61ee4cf3e

SHA256
08e5718a470f172cfc602c2fac0c4b93c3e1fa8d2c25e12aa60f6460e03ab01c

SHA512
bb228d17de906cc469f372e46fb3bda290ffc8677d0bde3bd0c733aeef6bdf345fee0f1bbcb4caf1b46d42487bfe9c2dae3a4409c9d7b072b6e885b510d5e9ee

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
186KB

MD5
9758fdd2f17a0adc9bf61af8e3864576

SHA1
9a4bf4816dce5187ae0a1571435dfb9ba599f349

SHA256
026412fd69756ab70bb6b1f1d96482335bcc006f0e636634b4f7ac538b422f13

SHA512
695f9014a44c10eb1410131e4572e5924ee40dd78322b9c402ca8a3e16080a9679db3814c74f935d939718fafbb59368c2eb3ceffebb07c81dd8b7c892a37afa

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
186KB

MD5
86c22a3536004be973d600a29426d0d6

SHA1
f4da43464a3ee3e2ece61b0e3cbf999cd49263a5

SHA256
f0372fb400f2826b414733b65920da726478844725373b8f971a2983b0000cd2

SHA512
affcdeb568e468a4357df8e273cbac235466dcb5987f9d56e89caf2e22dd15569a057a816b476e6b70b1799c005f58202be5a564610aa96d487c6b2a0da1df2d

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
186KB

MD5
669e724625a77aa2ab47af71237a2b54

SHA1
da4e6654622969fa14900473d91e7e991e1ce084

SHA256
867cf90410d7596ca1c6018f192ea098ae7a65e126ecfa252e284551bae6819f

SHA512
3df9fe1804a7a776cd6b04fba04b4b58e869e8050417b6a5359744724c9350017b1b35eba120018b5c8bd518bb359f62dee7a6ab5febef4a681a369745bf6837

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
186KB

MD5
5469708c026bd6b3f9d336a928a2aee0

SHA1
c6f223903208243203dbf1d1629457d48e97714c

SHA256
3bb0602d6d61dc796f8634757bffb4a2ea2097e416ec1f96aa0bb5261ce66e4b

SHA512
3fd93a508d8adeaafbbd41228904f0bf276202591a5f85ffdbd5e5de562829ee3bf6802d348bd6f2e28305ddd045aa8ddd5491a6e364ada18fb2baafa18913d1

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
186KB

MD5
f3b8105373a1a7ae080f830b9aeb87af

SHA1
0b21bc5757d6130c617220bd6d974b768fdad5fa

SHA256
37181658c72841de3b9ffbd107d45996010ce9da35fe493634b77254e4125867

SHA512
212c25b84b1a7dc42786d10d0b4fe80f842b5b701fbb0d0dbefac99c270cb147422daa9539cfa59e5253d02c32cf21951d8ced2e75d9f18d949b1489f08426af

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
186KB

MD5
aea0141de17e4c200c6ed2e560d907a2

SHA1
19176306824bef2fa19545e06dd4c5676af400ee

SHA256
3cfbf2a1ebe28d55c6818dd011be07a8dea63f31d9147e3430e6844a89f54109

SHA512
6e1c46bd94795a8e56e0d6fd9a1736b7cc492f86829351683b1c769c2122cb6f7ee33afb80b13485bf773de24dcdec99b4748467efcaf45da674046bf70338b8

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
186KB

MD5
f8883cae5bb75fc51367c34738160869

SHA1
9b6b60f1415a22f57a45e703931dc97e848e80cf

SHA256
a587c0a0debb5f1087d1c32b5e71ff6703e29cd80c5404a8757e44fff9555123

SHA512
58b0c9a9672223a05a71d613016cdd8ba76f0f189a288107dda47e424f7f4b1d5befea6279881dddf98f6741cb4f50c3e65f06925d8472ec5ff7788f0fb05c31

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
186KB

MD5
4471ffcc3e524836991ac52f57f9fb72

SHA1
776faa22e2429accd162a696632d02ea6f0b8597

SHA256
b8569a5eb6372773bad8844fb7296dab168fe3d7bbafb7b9691ac63ba398fbbe

SHA512
e1b40bc13f77631a5a594806ac985ca7ac8271c481c9d1254c2331d4c3083eacf92b7a0d577930ca7c5ac1e22fbe0d20acc51d7070b4642c29c04ce0502ffeb7

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
186KB

MD5
6e7d5c03543a4e13a24465b7009456e4

SHA1
52058761aa57e7605c85687fcfd477462fc2f83e

SHA256
ce269976f5b3d856d340932d775625a45dff32dee52317b3cabed44a413c5114

SHA512
1c6d0a00057b8cc177779dc3f5525fc7371dd566997d229a088eb6628d4c94853248d9bb010eaa08d9a11c0be56c88bbfb894af7e15cb3794023da1f83aeacd1

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
186KB

MD5
ec0d526d3629d260f5e737910ef5fcd6

SHA1
983550b47ed310fd62c10104b2dbc43e9103c451

SHA256
54d3682e155d497bb9b09ba1d5bacbdbbb42d7c07b54c700cd76aa1196a32767

SHA512
befec2ce6fc19974e9fecea5a9403fcd2ade04ca64df243013aab41ee1d2b83814d31e74c34289fda245f205f1124fbc27a1737ac3e85d1d939b741b3bb07846

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
186KB

MD5
ed2e9f985ae4c47916433b82a914a5ca

SHA1
c17fde09d7313a98a7c28dd7ac43d4dc72c5a0f1

SHA256
10d7abe74f2d90ca008af03149301658fe31c702eddc55745296feddf232583c

SHA512
74666e732f00a31d70c64d7825d9d07df23008e1239a93ded4a4741b02dd63da5915146c2d10b9a10bf8bac4eaf0f4ccfbd08e6cca75ec76f9211779deac8205

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
186KB

MD5
877e1bab26b6c978e7497dbd074c78c3

SHA1
87043e75f46ac3e92f7afa59832bb4d28f5969e3

SHA256
1d6c4ff430453c94a258a0bba29d9081047d5aeb4909097849f002839987c2c9

SHA512
2b5c47e0cdb666b5c9ddb851f9281272fdc1f62e2058484ec0b5209dd0f6d520b4b07ff7087c79c1a0a76e1c0d4a48e312ddd0885bd5d55d3418457ef6f996d8

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
186KB

MD5
3778ea3a03d18379bb4f7a3a5c9b05fd

SHA1
419f2954762c6ea04e622d429be315817df8f3be

SHA256
463bf4dfe8348aee0e52cbed0022e861f2d5d596a29c5b2bbb8a75bd1cc1dc91

SHA512
c919d2a651f0b19c3d2722479c5f0e26a647d945b789cfbe7103769a2709f3fb1bdecf79a0a97b161efb41b22911135c1059e7d2de3555baa7c56ddfc4a645b1

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
186KB

MD5
1e25b7e32764d0b5ca0b9b46ce80a7e0

SHA1
f7a86df23e129ae3acc41c22b28b275a8770bd62

SHA256
0240ca5f907380ceee3a0d6f448b2af3838d49528c2b21403017e445ea96b824

SHA512
111f4c5c83050f173f6885a1bfebc7cc401d14c38d12a7aeffe62464ab68d5f58e80d7d611f17620122e01c5bd184cb2dbcb514d08c8d1efc8e013dc9f0498be

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
186KB

MD5
a254fddba24718d21d791b54e9f0bbed

SHA1
1be1de1c2a71e0490302a155f7045ad8755a1e26

SHA256
ee0bf4b11acfedff7353f07f941098c7b0c35baa461a51d51dae3bf539b49c16

SHA512
a986c1a676e18d0bd0d63de5f946038a5d9ad32f6b7109c4bdbb9abea21a32b2bd1a30d947bdea97575844a2af678ea1550044ff704c991757bbcc5e316c60d5

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
186KB

MD5
95926c0e5e501adbdc96f512e834fe3b

SHA1
737b1f4604b47badbb43bc340f3600d7233b973f

SHA256
4e65d8481b759b5cd8b3bb02f8ff0e9dbd9286b5cd2afbc244771829cb1fe61e

SHA512
c153e94f59a96380e9a55dd8689decb906434a010f92791723df72f484cd3c4a7167e96409182a7be94458e27b0092fcb57367674028402e6913d3e187243bed

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
186KB

MD5
68d8ebdeb2b5c20d07d4b2a6ef3eec05

SHA1
fb5903de231d0b2cb2d399fd4fc7b84abed9125c

SHA256
a5446abffd4c3dfcf5aaeb93e9364c8d2fd9b0b7e1db03ab27c3e93280c768f3

SHA512
c49431304b3659b307c3225aaf7c94a2314b9e2da606286c48cb5524d0cbe6b818588ce716fba0db917654767bc9958c9fec9e6f4d52533b097aecc7f7215ce3

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
186KB

MD5
595190e1cbc7d73ca2b20d42ba96146d

SHA1
e3160c849204227a0c6049765299244fcae17fcf

SHA256
27dbf4daa01666553cdd45d6563fe39c032fe9a57a74a812d4a4fef06b9ba23d

SHA512
2a05874f723c5f24a07f0095a9003b893adf85ac119bc47911a8711a98db584123593c2d6f3e0dc95c4b0a40d8c52f8db334dd9e39b7e143630eb9daadc58f94

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
186KB

MD5
fa151beb60b2334c1a17feab5005e345

SHA1
a8b69b117800121fd42ae1a26b2819b945e802aa

SHA256
74659743df346ee5ac6582295af762f720519e735afef1aaccd4a70c60049f2a

SHA512
fd79faccd4e81e801cf22a032c6d54fca976c33e3160baa92a8aaf718869445cb50372fd692546c200ec2beeb14109fd6d1c62783d2ebe336308325edc32eedf

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
186KB

MD5
fe7ec7cbf1a926d8e64b39d2843b103f

SHA1
7fc0b1bee8a9723b7298ef943cbf8f9259e52203

SHA256
cc3a9b0c1a0415ba6e8ef608c1a71d53aa6355e39ea3ddd8eee97cc945d5ca3a

SHA512
ede794dd63947b5ba98b35e4aa5737a5ce740260f9704fe336533efb41dfbe9315bf904ff92797d8a579354bc84b6a0e5942e4f9bab4dd46836b6bfca335703e

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
186KB

MD5
ff21bfab8bcd4209a8922b589a38e1b7

SHA1
787b0d072005a5e53aca33238810a9431823a786

SHA256
384714d9be2e6b606847b82e3ebdd65d801e1cf7083c93a02678db27706bb975

SHA512
c293dfcfcf2638f9e268d30e3fa11ff6b70cc74a2914ed1de86e15aeabfec0c274ba4e7e6e6e88a68af8c46f519fe7e6f6a939898ab681f306d707148a828044

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
186KB

MD5
977a8c7727160c6bc7596809a2ad8830

SHA1
4db30b61c8ae0ebfa1320c8fc6b4fcea83003647

SHA256
2e613340d26395bee606051152ea329f045d1d6a2a5130c4e1ab2e7ca4e2d5bd

SHA512
0c4db3937d25444b9f3301b8e9e76a22d1dfdb57edb34dd3f09387c39386f99768c1a0ddb67ff1c70ccebb0371c2bbb05e72e324ea13da9edb414b228f53ef4b

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
186KB

MD5
98dbcd76fedd2befbaf057f7358b1f31

SHA1
9ce232fca1e96cb0d2f5c0949f84399b0f3b52cc

SHA256
c808023ee3efbb8ec8e4c6556a06f6fbcf9ce1814ed1335cc8b664cc1987d71f

SHA512
b7bdec5a9a732b2a0b7a4908b3db51b181f05c302e9e44ea4f878c86d1c5933a4303c20dbaf7cde2b5d0400f800b03b8b634592094f9c307c0707e0a64a67cb4

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
186KB

MD5
8703aa89091044a07f2033538d33f8c4

SHA1
d1c2fe321118b00a98c84ea23b8858a897c69ead

SHA256
48521037408e3be1a91724e2a0fac383652ada18d8de96a353002f5906a2eeef

SHA512
e779d01deb43b5ddfc2b0de632217e3fa5ad6f3c8be326e9d1b30051031f09430408ab9a4c1ae7d4d604634f1b21ed477112c866de4625dff769757f0b6f7e78

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
186KB

MD5
e2afd4c67e234c88f2adca26a77ac51c

SHA1
f12c03f95508afff64da53e24923e38ce264f5ff

SHA256
9d83678711259a1471789d1e8038fe491780df5b2797682a5b6ded2ddcaf3d50

SHA512
0e3a60a90e0fd7f52f097df7eeb00f1c815e3cdc939ae2c430387288fd4539ce822a22cd93959ab2d935d4958764508075877325d2b3bc6ae7a08661d91077f3

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
186KB

MD5
cd5be297199b717f67c177e3198982ed

SHA1
e093c3a88a9e042fcc7c4ee9c3c858aa938a8477

SHA256
bbffdb82429b9a4a546fb4b6b0e420d5e9d49e7bd04476f575c69a57c2fe376c

SHA512
a8f65826eb04ea27ab9d6e3c9fcc30d27cb3a327f8451cf7bc3e0a822c7bd2cfcf2f401099ab29466d47b76d70c3127738d66724f699ac7d2e679ad1fe87b15d

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
186KB

MD5
cd3fa2d98724c6c792b967510c824014

SHA1
747c0f4798a24febbbbfecba464e1557d64caeea

SHA256
77dfa5be44cdc7be68ee660e0295a76844b5807abdf6202dfdb14cb6edab3b73

SHA512
a223fbd0d4f4a3cffe735a8e0e12556460d69bcc27b7b21141bd08d557d1568613e318a4b8233c09b6d364a94b3c39af1439eb7f17f8db6f5c551177b5e5a049

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
186KB

MD5
af1c40f57144d750b89c11a937c527a6

SHA1
cded57fb2fb6811e2f9f5edc4410b4aef449eb96

SHA256
d6367201e315afa7d5ac979f55e6c7a9aa62b8804abcc637a25957b06198a618

SHA512
cae162bccf6518dc0a5ae5fd2c9838edb6dd9c8ad4ceac93e6aad3e7e7b93c977fa9ff743ba7cf56ec68347d095a402bc5773687d34e758c9ec3072c3a07fa3c

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
186KB

MD5
e3549b88784aea684fe61ffb102e5c95

SHA1
3cec6b66609b3cce660860ff94e7af0eef96c218

SHA256
f255f8d3f4b25a5d0fe77084abce8ffe87c2130df310ea31b38256f235b07b61

SHA512
941da9715167cfe15b84884b749f04d195758c5b786f60bd76ed1b63c5057edfbcad60c387ae5c7249149cd914b46a1f5dd8c18e8fb735ab3ac80b760cd28e9d

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
186KB

MD5
e67b53deddfe5f7a1e505e3a9ec8bc51

SHA1
f570b1a0d7fe8565a1b7e9489628790c817514a8

SHA256
69d7bf9162c3d854663cd08cf0ff0a0dfdaafbdc2982d1ac90effa6ec2014353

SHA512
f4a89977a75a6e0662db8ce1a18e01df13252f9fc6fe32085e1a215eb781450f6396a55cbd483d140f58e33723a56d425c170029626d61ce4e0619b2986d994e

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
186KB

MD5
491430d3795f8b601a461950f79b19c3

SHA1
da501050c982253f58e5223e8a4f820e5344e2de

SHA256
67c7f44e23127c08034a7f4dadf61d308ee12475d1d3d489366edcc0aa848859

SHA512
413591376303e2b7efe9f266ead845e80d1a23f5a3de9589de69eacce00603ed77dffafb4a7fb7ab6841e4d51dc6134c713e251b0ec1d4693fa20118da492f2b

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
186KB

MD5
ed5b4d4858330fc183a2aa7b1d41d521

SHA1
037e4da8e351ca48e4a526380f2ec74f5daf5ea2

SHA256
70ecd72e8540f4778c17d70285e687fc4dd6137b6f4fd0a0690c97a9491600fc

SHA512
19a1c0421d28fd25b163148314e393f25d05028406915bd4a208ed3a7bf74edd309c64d4deb608844f301c473c70f2563a18301de03cb3d2915de55c1f060439

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
186KB

MD5
ebe558fbbf9ba5801a307f7f5f1106d8

SHA1
6f31410fd2c77ffce66cfe94f67ce4ba57b7628d

SHA256
153d84712d550851a5f8231eed3ac28a63143375ddfb164fcf0a436b07c9ec3e

SHA512
1fa71d858f9edee4c18448e40ac93ee732879318cd95c2fb9ef8f09ea042e80faa4c741b1323b3c78d97a5c0e8196edc8922399df24425043e3bb858456e0ef8

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
186KB

MD5
6f14d2a87068463faab14cf1af7d1f67

SHA1
083e5183d32cce039f67d02d5fa29046103479f5

SHA256
4f71a95246f8093f4269c453e4a12dfb32ca5007a61193e661a58cb09b3b2799

SHA512
0ad7dec7bf439ab590fb6c8f30efae9989f7be6a7c45cb3de26e8f61d734e0aba06ab703210cbddd6485f16dc86a8a5d092cc9645a601957e569dbaa00abe484

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
186KB

MD5
7b85b91c4f3f82b1b72270b0a1c4599f

SHA1
1ceeb2c2dab19eb45b9579d954dda02510df19ba

SHA256
b572b07b909e219c62bb185cdabc064001c5f91955f9864d6087f19906aef8c5

SHA512
04e10bda583979678c83fc558098c5b3fb678e62b906d5496b67fa07cdecbebb1d705a819341501093d47302d6f00832eedff191ce4d5ba234970f1250de2a3a

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
186KB

MD5
ec1c7e939c38699c79012e35552e4bac

SHA1
6bf5b931b92a0eb3999df8775ca91e2cef266944

SHA256
79722e1faff44c45c561f022fcabdefd612c26a6f8545ed73715d34f7a61673b

SHA512
83602511611f50eceeddb2162a738e5d0392f950d886f12d54a19211756e33910102b3530d1465815e7cb16284e7bd2e2c15564f89ac1f339f290fa90846fe79

Download Submit
memory/396-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2888-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5156-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5208-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5264-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5320-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5372-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5440-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5524-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5888-1149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6052-1185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6096-1184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6564-1111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads