19e8e4cf281116494d88eb9ae047f08209b6aa44c9773ebaa88aadfb9b58016d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddca644a6a9dbbc96941fa76080788b0_NeikiAnalytics.exe
Size

136KB
MD5

ddca644a6a9dbbc96941fa76080788b0
SHA1

59a2ca17c3496bb092258a1ad79720dd36c67e1a
SHA256

19e8e4cf281116494d88eb9ae047f08209b6aa44c9773ebaa88aadfb9b58016d
SHA512

3166447813cef7d83339729ab91851ed7ec10a26be97c8a7f6387ac5e243ad16b3bf8489eba610be941af0756eb2864f3fdf705af57aa93de1dedf2083c4c9e1
SSDEEP

3072:/jIMcPmcn+EHk8QYxQdLrCimBaH8UH30ZIvM6qMH5X3O/gU:/on+EHFtCApaH8m3QIvMWH5H3U

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhfjljd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeklag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iehfdi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klngdpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieolehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe

Executes dropped EXE 64 IoCs

pid	Process
2812	Hmjdjgjo.exe
4632	Iefioj32.exe
3220	Ikpaldog.exe
1152	Icgjmapi.exe
2940	Iehfdi32.exe
3696	Imoneg32.exe
1448	Ifgbnlmj.exe
2232	Ildkgc32.exe
1164	Ifjodl32.exe
4992	Ilghlc32.exe
4820	Ieolehop.exe
1776	Ilidbbgl.exe
1960	Ibcmom32.exe
4168	Jeaikh32.exe
4784	Jpgmha32.exe
1460	Jfaedkdp.exe
3096	Jlnnmb32.exe
3992	Jbhfjljd.exe
3944	Jlpkba32.exe
4844	Jehokgge.exe
2000	Jmpgldhg.exe
752	Jcioiood.exe
5092	Jeklag32.exe
3112	Jmbdbd32.exe
3828	Kemhff32.exe
2960	Klgqcqkl.exe
4340	Kdnidn32.exe
936	Kfmepi32.exe
1780	Kbceejpf.exe
1248	Kfoafi32.exe
4644	Kmijbcpl.exe
4060	Kedoge32.exe
4136	Klngdpdd.exe
2516	Kdeoemeg.exe
1796	Kefkme32.exe
2948	Kmncnb32.exe
4512	Kplpjn32.exe
4360	Lbjlfi32.exe
5072	Liddbc32.exe
2996	Llcpoo32.exe
1356	Ldjhpl32.exe
4300	Lekehdgp.exe
3688	Llemdo32.exe
5048	Lfkaag32.exe
756	Lpcfkm32.exe
4044	Lepncd32.exe
4996	Lmgfda32.exe
3792	Lbdolh32.exe
4240	Lebkhc32.exe
4424	Lmiciaaj.exe
396	Mbfkbhpa.exe
1320	Mipcob32.exe
4312	Mpjlklok.exe
1176	Mgddhf32.exe
5084	Mplhql32.exe
2868	Meiaib32.exe
4668	Mmpijp32.exe
2204	Mgimcebb.exe
2708	Mmbfpp32.exe
4504	Mpablkhc.exe
4840	Mgkjhe32.exe
2640	Mlhbal32.exe
2964	Ndokbi32.exe
3744	Nngokoej.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Kdeoemeg.exe	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Llcpoo32.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Lebkhc32.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Lfkaag32.exe	Llemdo32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Qamhhedg.dll	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Jcioiood.exe	Jmpgldhg.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Mfadpi32.dll	Ifgbnlmj.exe
File created	C:\Windows\SysWOW64\Bpdkcl32.dll	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Llcpoo32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaedkdp.exe	Jpgmha32.exe
File created	C:\Windows\SysWOW64\Jmpgldhg.exe	Jehokgge.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Icgjmapi.exe	Ikpaldog.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Ibcmom32.exe	Ilidbbgl.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ilghlc32.exe	Ifjodl32.exe
File created	C:\Windows\SysWOW64\Jehokgge.exe	Jlpkba32.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Jehokgge.exe	Jlpkba32.exe
File created	C:\Windows\SysWOW64\Dhbbhk32.dll	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Klngdpdd.exe	Kedoge32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Laapnj32.dll	Ildkgc32.exe
File created	C:\Windows\SysWOW64\Ghkmacoj.dll	Jehokgge.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Ndokbi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6920	6776	WerFault.exe	265

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ildkgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glccbn32.dll"	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imoneg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfadpi32.dll"	Ifgbnlmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingapb32.dll"	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 2812	3624	ddca644a6a9dbbc96941fa76080788b0_NeikiAnalytics.exe	83
PID 3624 wrote to memory of 2812	3624	ddca644a6a9dbbc96941fa76080788b0_NeikiAnalytics.exe	83
PID 3624 wrote to memory of 2812	3624	ddca644a6a9dbbc96941fa76080788b0_NeikiAnalytics.exe	83
PID 2812 wrote to memory of 4632	2812	Hmjdjgjo.exe	84
PID 2812 wrote to memory of 4632	2812	Hmjdjgjo.exe	84
PID 2812 wrote to memory of 4632	2812	Hmjdjgjo.exe	84
PID 4632 wrote to memory of 3220	4632	Iefioj32.exe	85
PID 4632 wrote to memory of 3220	4632	Iefioj32.exe	85
PID 4632 wrote to memory of 3220	4632	Iefioj32.exe	85
PID 3220 wrote to memory of 1152	3220	Ikpaldog.exe	86
PID 3220 wrote to memory of 1152	3220	Ikpaldog.exe	86
PID 3220 wrote to memory of 1152	3220	Ikpaldog.exe	86
PID 1152 wrote to memory of 2940	1152	Icgjmapi.exe	87
PID 1152 wrote to memory of 2940	1152	Icgjmapi.exe	87
PID 1152 wrote to memory of 2940	1152	Icgjmapi.exe	87
PID 2940 wrote to memory of 3696	2940	Iehfdi32.exe	88
PID 2940 wrote to memory of 3696	2940	Iehfdi32.exe	88
PID 2940 wrote to memory of 3696	2940	Iehfdi32.exe	88
PID 3696 wrote to memory of 1448	3696	Imoneg32.exe	89
PID 3696 wrote to memory of 1448	3696	Imoneg32.exe	89
PID 3696 wrote to memory of 1448	3696	Imoneg32.exe	89
PID 1448 wrote to memory of 2232	1448	Ifgbnlmj.exe	90
PID 1448 wrote to memory of 2232	1448	Ifgbnlmj.exe	90
PID 1448 wrote to memory of 2232	1448	Ifgbnlmj.exe	90
PID 2232 wrote to memory of 1164	2232	Ildkgc32.exe	91
PID 2232 wrote to memory of 1164	2232	Ildkgc32.exe	91
PID 2232 wrote to memory of 1164	2232	Ildkgc32.exe	91
PID 1164 wrote to memory of 4992	1164	Ifjodl32.exe	92
PID 1164 wrote to memory of 4992	1164	Ifjodl32.exe	92
PID 1164 wrote to memory of 4992	1164	Ifjodl32.exe	92
PID 4992 wrote to memory of 4820	4992	Ilghlc32.exe	93
PID 4992 wrote to memory of 4820	4992	Ilghlc32.exe	93
PID 4992 wrote to memory of 4820	4992	Ilghlc32.exe	93
PID 4820 wrote to memory of 1776	4820	Ieolehop.exe	94
PID 4820 wrote to memory of 1776	4820	Ieolehop.exe	94
PID 4820 wrote to memory of 1776	4820	Ieolehop.exe	94
PID 1776 wrote to memory of 1960	1776	Ilidbbgl.exe	95
PID 1776 wrote to memory of 1960	1776	Ilidbbgl.exe	95
PID 1776 wrote to memory of 1960	1776	Ilidbbgl.exe	95
PID 1960 wrote to memory of 4168	1960	Ibcmom32.exe	96
PID 1960 wrote to memory of 4168	1960	Ibcmom32.exe	96
PID 1960 wrote to memory of 4168	1960	Ibcmom32.exe	96
PID 4168 wrote to memory of 4784	4168	Jeaikh32.exe	97
PID 4168 wrote to memory of 4784	4168	Jeaikh32.exe	97
PID 4168 wrote to memory of 4784	4168	Jeaikh32.exe	97
PID 4784 wrote to memory of 1460	4784	Jpgmha32.exe	99
PID 4784 wrote to memory of 1460	4784	Jpgmha32.exe	99
PID 4784 wrote to memory of 1460	4784	Jpgmha32.exe	99
PID 1460 wrote to memory of 3096	1460	Jfaedkdp.exe	100
PID 1460 wrote to memory of 3096	1460	Jfaedkdp.exe	100
PID 1460 wrote to memory of 3096	1460	Jfaedkdp.exe	100
PID 3096 wrote to memory of 3992	3096	Jlnnmb32.exe	101
PID 3096 wrote to memory of 3992	3096	Jlnnmb32.exe	101
PID 3096 wrote to memory of 3992	3096	Jlnnmb32.exe	101
PID 3992 wrote to memory of 3944	3992	Jbhfjljd.exe	102
PID 3992 wrote to memory of 3944	3992	Jbhfjljd.exe	102
PID 3992 wrote to memory of 3944	3992	Jbhfjljd.exe	102
PID 3944 wrote to memory of 4844	3944	Jlpkba32.exe	104
PID 3944 wrote to memory of 4844	3944	Jlpkba32.exe	104
PID 3944 wrote to memory of 4844	3944	Jlpkba32.exe	104
PID 4844 wrote to memory of 2000	4844	Jehokgge.exe	105
PID 4844 wrote to memory of 2000	4844	Jehokgge.exe	105
PID 4844 wrote to memory of 2000	4844	Jehokgge.exe	105
PID 2000 wrote to memory of 752	2000	Jmpgldhg.exe	106

C:\Users\Admin\AppData\Local\Temp\ddca644a6a9dbbc96941fa76080788b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ddca644a6a9dbbc96941fa76080788b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\SysWOW64\Hmjdjgjo.exe
  C:\Windows\system32\Hmjdjgjo.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\Iefioj32.exe
    C:\Windows\system32\Iefioj32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\SysWOW64\Ikpaldog.exe
      C:\Windows\system32\Ikpaldog.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3220
    - - C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1152
      - C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        27⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1780
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        35⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        36⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        38⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        43⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        50⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        53⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        57⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        63⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        65⤵
        Executes dropped EXE
        
        PID:3744
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:448
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        67⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3556
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        69⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        71⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4648
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        78⤵
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        79⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1368
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        81⤵
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        82⤵
        
        PID:904
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        83⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2824
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        85⤵
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        87⤵
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        88⤵
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        89⤵
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        90⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        91⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4524
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        93⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        94⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        96⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        97⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        98⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        103⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        104⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        106⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        109⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        114⤵
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        117⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        118⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        119⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        120⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        123⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        126⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        128⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        129⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        130⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        131⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        132⤵
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        134⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        135⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        136⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        137⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        141⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        144⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        145⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6244
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        147⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        149⤵
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        150⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        151⤵
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        152⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        153⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        154⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        155⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        156⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        158⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        159⤵
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        160⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6924
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        163⤵
        Drops file in System32 directory
        
        PID:7012
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7056
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        165⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        166⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        167⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6268
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        169⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        170⤵
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        172⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        174⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        175⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6776 -s 396
        176⤵
        Program crash
        
        PID:6920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6776 -ip 6776
1⤵
PID:6884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
136KB

MD5
5cf9e2851d72bb5684fe4fa397885973

SHA1
87a665f940d0e68c5a5c317b177406f61814a01c

SHA256
cdc08b9416e009bf188410b2824144fb4cbfc7acd35813fd44666111086a888e

SHA512
b9b2779fa5fd1905c0a013d6914fbf82e040f4ac023eb887a8ef15422bf3e6c60598fc25a91fe0e0ec787b2de14ce85c9b04d06ec5a4c0486bc5dc8c202c5d76

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
136KB

MD5
1426dfb1baf069c52162c3b7d8a9ba55

SHA1
2a11e79c5f83103827f2bb045f3addece2e72644

SHA256
232c82cb7f3b7230aba4296566ddc482f9f28a55a1e911f274d6a38ff7e84426

SHA512
b20ca4e22a3fe94dac5d7ed020dfbf7e2cbaaf4d09e5ec86640147fa5032b853f7f8a1df52f681bb57e3400e41cbd96d7f7e5293059805b6362a80ee84b1c661

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
136KB

MD5
6392565dace0b450d112fcd571c8b43e

SHA1
b5098843045ff47b7738d8bf5d711e37c2d2032c

SHA256
a1921214350696e5130fb30881c928f14d093505b42ec4d8073276605fc96f57

SHA512
980ac6ab3310e405807df8a9ee955c94fd28bd8740b230df6fef121661100b051fb66557942a5e8d85bb075857a7e0def0c7ffd63c64c9787aa661d7ace4c8ba

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
136KB

MD5
2504b39dead7d284ba433d074f6d7ee1

SHA1
c8d659aa83b0da8de8a17c67a7cd13aa2d01ab37

SHA256
f9bd5c9611a9a77d73bdee18c1f60ee3e9880e08079539b59b1db20947177f28

SHA512
4adb881ea679ee373eabe5c535c11891cb0301422a076ed12679a1c5432634211cb3cf2ecb91e8d71f7e9643fdb98f31249f771f810bec908a81299e7ce9af51

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
64KB

MD5
b8e7e6b55cbbd86a17bbf6f5cf486136

SHA1
c6fa700a797f01a4cd3f9bf061b01d843f49b4e4

SHA256
e66a73153ef123ead863568ae30c0667f9f236067f7a6feb528d3e199e7503d1

SHA512
0a8ec1bd3797ba8a68f87a8aa62c20f242d159a4b6e65df9e78275d6abf4e2a83299eca10fe1333d694418c884df627ca5b2ae848bfd7095419a340ed0a64dac

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
136KB

MD5
67c2fb31982875720d65f9c76beffbe9

SHA1
80c4756eb01e198e0d99fc7350ac37bcc143d45e

SHA256
c52f45e14d77d8bc05a79e474773e0c996609919805f2b0f07acfad8120657b0

SHA512
776bb30372e2b36da7126046672a56bd3c1c3e507834fa8b5fc1f5e60add246cc89f01020f63ed9609a6204e0270467582b871ab265f8d2e9736b39feb96addf

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
136KB

MD5
f4c630101f7b59424f074bdea135dbbe

SHA1
30b98d95fcbcb9ab64ad543a9905f506e878da9e

SHA256
996114ff4a75df7d63b8a997b65ce07415ed5a5ee609d0d7c445fa82ee3b2e18

SHA512
a13d47fa4499b4ebd17f8bfa521f7e7975fb242a0c51a7752d465e8642b1eeb1f6497fb7d62c739ebd78a6c746aefe0d8335dbfc8a72f9e522eb754e3fe9388b

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
136KB

MD5
e17d637548d20010848cbcedfd5879ed

SHA1
e9a5df883879d5c0b60f575f232fe2badcc1f192

SHA256
4a2cad441ca7ced58759820af384dd7acbd85f346c20d7c4f66069e63e366d07

SHA512
06cb68fcfd9a0657cfa284115fe9e3499773ef186e1f042c55f7f0663ef5d8653a66fa05b4e644f0dcb8e0699ba857ba0d64ba38c16b48940020b8b3fc9d8f9e

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
136KB

MD5
0d58da932f329be1c72c19f310fc9a8a

SHA1
d6f23555fd0e90f7d6b18b683f877ceb6c28d20e

SHA256
1ce4a795f2dd15e0391594e27335f0a92b51ea345e1a70924c33ec3be507452a

SHA512
899acd6bdf13df0cccffd92ce5a0b4d28a80f2f49e92f6da3c804d0c7c038eeef84233f5cf7f9c2e402185addb442c86644181c44494f09725dfad5b80bf0043

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
136KB

MD5
1ce2392baa26d495b08156fa22f767ff

SHA1
50d8d1f551515101430a22714c3dce49fdad37be

SHA256
30e62a8b598722b56b196f633ec500073d92b1c77e7bc317c365c8492d5e8062

SHA512
ff32d80fe5741100a485eae339e85b43beb317d677f7c26fb06cb0736b4c81bff9b9029174f5e85bbe7ac988ed311b1d9df0962b0f651483b18811f4155b27f1

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
136KB

MD5
072d6f059aa84d35e8cdee70487b5dd5

SHA1
1346c7e181a634464ceada3dc2a5c64ec34ade87

SHA256
04e007c508e0147329763eee3f51b2f062c3108ed0d5cfa3c0ca778a9fd5c579

SHA512
cdfbb630fdd378eca9f45f12651cf49dd1cad22e7f0c60f7eba043c39557e873c37373ea574f4c61a9e7e4999788fce59652f719f57aa5fb629640e7158c61f6

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
136KB

MD5
19d04475565f969bb56de439651711fb

SHA1
34d2c1cb9025cdc970d633e6ca39a4cdf06c2d10

SHA256
d318ac1407d0026ae22d425a0b50af7073abfec4ec1b3ec550d10a69ec782b73

SHA512
45298f8155b32b06cf3bd51ccfaad94ceaf0ac761dde991ce8fd29ca21562684f5ba861d1bf380aea677d9d9a57e5a66225d6afb320aebfcf5ffc548b1904f7c

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
136KB

MD5
6b91de120c2729f6f94c078c72a11a11

SHA1
e294096e26f2de66d34268014e52ec1e58c81ead

SHA256
8376a06971701630e19b7d4017a308e42a4d72695d862cfeabf8a4646f32e856

SHA512
63b9b1df9b5487c08a79d370d2aa1edc06f45dfe08f002bb18450ed485d7b64498b7b800119daec0b01eb83e12724345bdf80b28c9060aec714084b7f6642c57

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
136KB

MD5
15230f3f77ed46e9bc39e46cb7b31036

SHA1
2c2920f04809251950c8cc5f1ffe7178a44c2ca0

SHA256
e349e7dd4142e665470aa8cc72593709eceee8ee88e7bfcbe3e6c9ba698c86e9

SHA512
72f8712fb5550d6e3d8c533715a03b945f13d43e6909a6ed6b11a617f31820fac478a68e6a055338ecb6f4500525696544ac819dc87f5d375af28382603aa813

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
136KB

MD5
d8cea457ec5dc365371708c6868b476e

SHA1
0a1b2cc07a2f4df1971b7811adfd7ea9492e2a13

SHA256
32d699f9fec97b293db92d2c2c53f4afd734efd2be358f434203eb3e209059db

SHA512
3f43349defaf205e6ad3b63e765f3ba26a083c64f1b90fa698e737135ae3ef21741bf467d2578877817f4f8bc7fcb51a4b6021ba3ec99681440050b6e4ba0261

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
136KB

MD5
5cedf2d19c8b9bb68004d3fa04088904

SHA1
137cc4e3ea4b4b68e1682f2b934f23528ca9b871

SHA256
9ad5146bb12089c4e90d32b53ae57ef6a151d1ee791477bb74d59f2d0b090aea

SHA512
8698d5ec7d8cf52f5a45a7de07dd5a3331cc86f3a62f51e9f565b62be347cde75e1e86195e847a65c8806c30e453d1c62087c53ec18a644af8d67d5e1a553e6e

Download Submit
C:\Windows\SysWOW64\Ildkgc32.exe

Filesize
136KB

MD5
7555924a631062f72350f5c8774fafad

SHA1
7bce77b420571803d2bd9c7b1ee8883d89af72e4

SHA256
07bac671ea6fddf6408ee688298584a7ead21cc5246d43e6e6c6e61cc135b5e4

SHA512
9047f4d8610c067fee85649ded163b037eb3268f03d048bbd60e6a9dc36a9abf900d7e942eaf667563f8bb1411f12bda31f34b0660dd9f37ccb312c200d12de2

Download Submit
C:\Windows\SysWOW64\Ilghlc32.exe

Filesize
136KB

MD5
0f9ed1e20959e209065176161e4c6b8f

SHA1
5a48fef86839e0f4ffbac9e52978de2803aab88e

SHA256
63a3ba78eea7bc89929f741faa74151135b8fd1c073f00a815660ec7aef8da26

SHA512
5dc34ad62343f140e9afb31a25667d18b7fb70c871edd29603f0778966910d459582797ef1139bf8aa0c968f9fe18620a55e8f44e5032cd4e9c55864df1cb50e

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
136KB

MD5
5b1381fb07a78fe3bbe70e6a6355c9b6

SHA1
88be3261ea051881a8a03b06a9061ee57dcd9f98

SHA256
4a7d38b17fb082ac45d73b793684a15e90190d973b8b3827af4cf6520b9f8f35

SHA512
cf846d0200c0fef0e8fa3a111f4d867da6e3166a85c862fd9386468dbaa1d721869649370f52e1f5ba1121a3f7ba19bc88c9ad345db2c95cfe9194477763ebe6

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
136KB

MD5
68c53772990af115623c677a857d7433

SHA1
f351803e5feb09eb94f171dada397f12b8ec8e04

SHA256
1d34de2689f1323e38f7fa03845d4f4d925dc87eca0ea5acb043d5f0fbc7e7c7

SHA512
e5890741e7312e3cfb6945452c902f322daa9cc00e161d4c49fe0c88446338b42db416a08cda31f2c951e02b42c7920075951376017b32e883858729e6522f83

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
136KB

MD5
762294adf7c8f9d52ab01c55f0d76c24

SHA1
70e0251c6013c4963ca52c934d2daeebee3258a0

SHA256
0bd2526bf8cf79af161f5008d27ffb16be26b0310e8ab7130dcf72c5dcb9aa27

SHA512
50af4113525db7a3d048463ea2d66cafa7588375b0150f3cb0fc926f633fb7fff5e531105d26ecc4dc7e18486473296b8965e8c460c0d966b70b70bc6a764c70

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
136KB

MD5
ff196f698711cd724cda43fef74caf02

SHA1
1203640ecb9695b697f21df47c969eb7c8593513

SHA256
6dc8aa28cf6635e819a38d11641e148080b4d93c18e66f5d02de4e9ed7beb351

SHA512
152d58b58f69130538cd43621ab9aff33a82d00061e270bed4af1e47c222ca9715064b4dc18381a348c94e9a1d644d9949bf08a18fa8dd11af1eab27d582f06e

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
136KB

MD5
218013b12022da1149e82dbac9b31792

SHA1
7294af06d119de5069fd0a2e9e170977b59a5178

SHA256
318bafc4886628095974fd85afd065dbca6ed99edd753a02e58ecbc66af94b2a

SHA512
1be208898bad8aba7ccdba890922bb56c143409265865f8491e55eaf2f1cc37c76a66fa17a9de1898ba00f62e54df89a628c9b8e19dedb4e1b3cdd056ba0ba1e

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
136KB

MD5
76658c65a9375f4ac1f2afab68a1a9a0

SHA1
eac9e1ca84cf4a4a0e89066989cc9360a9b98089

SHA256
d35530f54493be321b99ba86e2b4bf2e12b84be65f0f602e86dd08903b669767

SHA512
1923e8d29bd882a5c1bae2f5e91ff5576928c1519abad3a04f31e9259e6d530e095329e777557d14f03150a3f6e77ca8d1de3e53cc417c24b8dbf17148df6a08

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
136KB

MD5
df87a521ec167f3ae75ade473d04d80c

SHA1
0713ac0f1857d854271b3db42b1686a2b19963cf

SHA256
0e9b0504eb627ba3dcbe748ee97907c626448910ff1c8adad6978af85ba3dd46

SHA512
2bcfc5189eda0e451de78b4541385d42fdbfb53c506caef57a4a9e47400e41090ca7c78b8c6d9c15d3a9fbbe7e01ff28cccdd4d2dfa1e1d32ef4621fe968f5c3

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
136KB

MD5
690b21ab75b465f3098b1910afd6b918

SHA1
3af741d7740d6951cbdebf3647e9cd1c5b504fb5

SHA256
f72eb1c043d005c9083161d8e8d973c163e4fdd5ce002bc35f4c72c38a1e232e

SHA512
5619055476b028b4c48ec28551b3cabb6eedc8317cb5bfb53a26cb990a8be7a3bd30f56d4aec8d3f11ec7ad21bb1b8da2fb9e588a078b3de4341108b27811613

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
136KB

MD5
482fdb895ec7819b317ef3701eafe42d

SHA1
9eb9e65a2a56ba7d6f073143c8a9ae59b6133c21

SHA256
601ff1d2c862b0382617993f90d6c21156079de156f1ca7fc7952e6ddcc320f1

SHA512
ea56f417d658b5475cee1caa6811d1acf58b9543d55b056e3274a863dc2709ff5dcfd19b8419df9a1722bbe4cefddf1d6fa19ddf0ad8c117728ad15bfeba64d2

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
136KB

MD5
a235e76b94ad22a1dda03f97c7a91bbe

SHA1
a8046e6299257c617bd2394f84e89cee06439c6e

SHA256
838dde67ef66b858f968f6fd866ab0650faffdc43b77fb877d864de0ffbac8a0

SHA512
50018a6ddb94736566de23c417ff40505260b981e99727e7f74755fbda31abcb64058bb6ba06aab5097fb36f47ff5de8b5d6bb9a16bd6485f8aa8bc17a2554a7

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
136KB

MD5
337f8bfdce1266083c80966c1958c6f1

SHA1
49dfac8f7b5bfe6106d1383fcebeacdfbbef285a

SHA256
a3ef03bd796ed4df22521143e2d57ce34d9b3fd0111852993ed2ea1c63122ea0

SHA512
6faab05e1c603a7f3d6b99898d65b1a394c759754b4b1b5e494f71feff19aa9e9fb3e92ade4be28b66c47c0009aa4fe84bc8adb0c0943bef28e8e6924f42f47a

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
136KB

MD5
9912dcf62c6c33279203e76e0557fa7d

SHA1
adc7aa38cd4b2e2e6dabe44d614321f2e815226e

SHA256
b85142edaa63eb4859971de76e830be355848857f6db000052dc9f1d5a2dc175

SHA512
2eab1be0283344de45c63d5e1ebabef31e6bd9611c7293727ed4760b51da25f54f0e868359992dfc86f56e52a57fe60748de576014a9576094faf7d21c3c0811

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
136KB

MD5
9dd7e5ae314a26164c83b506b7062a0f

SHA1
29fc3b3ed6f37bdf22c4f686edbe1a3d78d0b181

SHA256
5bbd478fe27e93cf244944b9ed9c5f774cb871860e935dfcd5fdac20ffed3905

SHA512
85d318726dd1225ddbda64c839ec60d12d6ab926431f5485328ac70b345c97028fa1d077edf55fa451a8bf49ff0807b21b13f062ed2db6c9f664da8da2871761

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
136KB

MD5
acb26b264d56497e1d8cd1a0450b6264

SHA1
e941141ccb6b6b7d1848d9f923cb0ff08366b600

SHA256
bca0c823b1fab0a6d85465e3dc222a710e6c42e9bb9e98dedc314f8b86a5ec56

SHA512
f7083fb61b11fe777c7294c7ddb486221f721b17539cac5323ffe0e75396946b71011454c188aea672b613716e329af7447adbbc52ec2628845f74c6b03294cf

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
136KB

MD5
5776985a4e672ccc5ff3b68cb5e2f9e2

SHA1
f77a8cc4f321076d31cd4308ec4893efb623efaa

SHA256
bb1ca827f2add85dcb2cc87169e7f4e2d6cce5aa4569aa858a4acece224adb0d

SHA512
c6822275499473df75a2b48a189fc5e3207ac378ece87b06afd2e384baf1bf7b2c192c2eb30a036453333f49991dc1c1cd2bc739617c5b6eac176f55fe3fa475

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
136KB

MD5
790370ca975f493a24eae52665282953

SHA1
88b5ac09e23180ce96aaa950e9255985ee7bd1da

SHA256
a5344e0d2ce49dadc1447ada434158876068eb5b8d0ff97ad86a465851647e73

SHA512
acc9cca9fa286e831b245b2b495580484ebcff82767687ebaa43fa7b94843881fc95b97d2c0378f46dbdc59f2304a165b57ba64144f3d7b23faae91e1c9d7e97

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
136KB

MD5
810d71aa6bba4d3692437b93775f1d57

SHA1
48bbd392dff544b3641050fee55d42fffa12dfe2

SHA256
8b1647d11ef76e6103683fa2e163388d29b41fdb9e2b3c5f1ef0ab6d2d3034df

SHA512
38ccf3edac698f84867721affce889d5639c9e92440ffc26663d140a66dceb9df76b7d3d1ae15492e30345f856a3182ba4187fecc7d98d9b1e5f2c2aba07127d

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
136KB

MD5
9ddafc5637a944890ffb6664a14bcd80

SHA1
b6b09f65f96daa460dacd7ff23ba167e3ef33ff1

SHA256
09325836ded35b5e02011ff5562b4f2de733a30756408738c720e04ebff99221

SHA512
29fbd895cf4e94ce4bf8d776f36f648c3f5e494bed11d469e5a36664f08c0bd99b4b665a8097548b21d6d1ac71a4d391b55fb1b9b7dcc7d8e4fb87449cea99e2

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
136KB

MD5
78c792528085c771f498f75113b58ff6

SHA1
d38359d3805e4bce943640b0449f95f699c77342

SHA256
3496f78bd70a19ce0f2c0702e60f43720bc48fd97c282376726d9b43cc415739

SHA512
2a5206ae7313c29e625b32c89703146c40fdefb73fb6aae8beaf0a36335aaf6c8816914a0dfa1ae54cd932498987c1ae856164b315a6fd2d4ce7a2710ecefb25

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
136KB

MD5
79f9d1f4777c482d004706170ff2d233

SHA1
9d40c4ca685c07a3ad845a63abe23aa46a87f396

SHA256
12235cdc1e8b3670be01ad6d9704b8ec95bb9dc52cc44cc257f4473ffd9d2084

SHA512
2c77b4ad1a495f1e9888590dbc8bcfaba24878f2d4fe23b3b35cbfb4c9389dc2e7889cfed95330544544621c5179777b5e5c93da758702be9ca73fb09bcb0b34

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
136KB

MD5
349deade45c92608faacbf78e81a96d5

SHA1
33dbd17d4ccf597334e8b1e0f1e65ba77208ac17

SHA256
2f9a69be629e8fc69c608d9f52f3adab6ce81f1b02629168f4980027d6125f53

SHA512
0e2be865ba994487d5820be919dc825845111d71f7670bde5089f937380c53f2b6ffa62d99337c291920cb08c17822b6cdf69b9b1ff9128006a6d00dd1880a2f

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
136KB

MD5
cccbfec38d8b3cda4e9f1f396d2b108a

SHA1
66f7f057e3d630c9a63c2122dbc8ef1d6b3d17ea

SHA256
abf6b2f7abb86037ad5195be3f5179b88675fdb3ff619121d0d7654280e57bff

SHA512
a2bd1d68babafa053a729e3997916d9090fcaf72fcd652004b4ba1311627f2784092fc9b8ab21d724e29a84838063ab69a743e91ef1239f702b0107e1457c916

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
136KB

MD5
41fce44f8726bfa3ef4c6aef67eb8124

SHA1
711ab59a676e93e604f17061904cded312a011bc

SHA256
0fdaaa260826beb09b5020af29047139d539f6fb60552d95920e8586c375a28c

SHA512
4452a8fcc1ee12673174e5ca4b5c4c4252baa7914485e5e05ffdc4cc268e7121157785045303b8f801fc1f157efacaefce7fe8d0f63bfb24b45ae06204475981

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
136KB

MD5
e06d781f4a5b0fddc74b5ecf8cfbe2cc

SHA1
e0ed321ab9ddcbed7283f5d1471430df54b054b1

SHA256
d6b481e08c61d0fc9e760e35a1e4190a2cefd16f12484af284b7744afce79fdc

SHA512
0e90b94448fe48ab9aad38ddcc7c27c1b18ea11a0ef163e1836fdb73fcb79a180cf32f52b4749c100af3eac479cfc009acb6c8c9f9b0a90adff782dd82a1c3b1

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
136KB

MD5
18a3c7c5d23702a6a3cc087bc5441f07

SHA1
a0f386eedd4dec2ee9aa822aead3e44fef83b556

SHA256
6be8c6d83f555fe6bb97777a009bbf8d2d45cd1a2d187840baf1f7d161569420

SHA512
58b34b0d0961e606a6030d843fb405a12a940255e33561ee0a11ec9abe7fb6ae4948e3f887cb1280ffc98bb2d5fcf5a4d3e782739e3957f8e81f4294a16b4ccd

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
136KB

MD5
699a1e03b295c7b32779ba003fdf86bc

SHA1
78b58d7500846321c86fe9410eee9cbe31042277

SHA256
3561f1ce3a651c17ff7df814d4e3917de54b559befeacfa2c609a268500e3f53

SHA512
57a0668bbf1b0e9fa3253fb9839e908060c244ad49addf4148b1e751bc31c86f7bec4c9db086a1120c3dea5af030faeb6db3525a50ac94bd1659c9587e6b5e75

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
136KB

MD5
dbdbedcbfaaa642e0c4902c13c72a06d

SHA1
cd2b01f084e3e2f6c29ce171f49b0de08d8f7b67

SHA256
f9ead6af402b101d55f8126597977a08627ed9ecae48ac9e200cab0152b13456

SHA512
6ad9b5c96d0d4fce7770df5cd9099215b0bc1731bbe609f8f5180fc84ba90a1c5dca3a9df0db6e9da6c8c0fd732812e4795dcd948f547963ce06f64ca73e502b

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
128KB

MD5
8497e7e1cc4bffde75885b1e0e83db5d

SHA1
49b2e9aa215ebee631bc93078236107b70a9b7da

SHA256
b1188726e7f1b0f5f59c596a2471bb6ced5460de42a0c7df7d2ed2da7f88cf9e

SHA512
ad3f2efcec991e2aa964a71cd269d3f20437a38059cd43dfc09ffbaf117efacb5241ca7b7d14633d791dd426c35fe3a382c23616c147469c54f186d75e179cdd

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
136KB

MD5
30feca52df16c0bca0db6f054dfe5b21

SHA1
0e21bc5eeb2e7a845017b8b7df58e7a55d045b85

SHA256
985185688ea637f51f9f2592d83fd3becd65f2be344fda8f95c0712da3d0720c

SHA512
2306a6f4a09f6c89f109e6f5e9bc29e2c33bc76a4477b337cd3285bfaef837c417706810bc9d44b29d6a68b7c138dc04d19e49c03d28470626d45dde909db969

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
136KB

MD5
6bad6814d6e8f45350a50f18ff43bcbb

SHA1
9c5e35dd4916937ed8e9ac0c27fe627c6894d92d

SHA256
57118b06febfe03d56efdd2038802f6d4e5830c331915b248b9f9bfd01416bcd

SHA512
df03d9e9161579700c572b94a41800fbf1a48fc993959d5c852799b26522fc17eb7638c78465f18c5ef1dbc7c2bcde21f2ae72db795b853a5ac3b29fa15e9861

Download Submit
memory/396-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/448-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/752-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/756-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/904-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/936-230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1116-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1152-38-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1164-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1176-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1248-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1320-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1356-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1368-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-596-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1460-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1776-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1796-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1860-585-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-576-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1900-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2188-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2232-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2232-603-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-537-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-604-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2516-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2640-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2812-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2812-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2868-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2940-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-214-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2964-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-513-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3096-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3112-198-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3168-578-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3220-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3424-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3556-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3588-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3624-545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3624-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3624-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3688-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3696-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3696-584-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3744-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3792-354-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3916-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3944-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3976-597-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3992-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4044-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4060-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4136-267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4168-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4240-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4300-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4336-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-221-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4424-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4512-290-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4648-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4668-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4840-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4844-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-477-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4996-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5032-526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5048-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5056-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5072-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5092-188-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads