2dc0868e26c020c6fb842db1f074ddf7a9e10b74a473f612e3571deb9b0dcfab

Analysis

max time kernel
129s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
Size

398KB
MD5

e0aa5fa6a4d53f9fa3ae96c5fbb3aab0
SHA1

e2f2381e7cc712a7391e8cce4d994ef3e52579ca
SHA256

2dc0868e26c020c6fb842db1f074ddf7a9e10b74a473f612e3571deb9b0dcfab
SHA512

0e568fbb0de2133eda9bf8a2fa22ead28251bf785c256994e1664cb34ac446e67a02bf2c1e985c660312c9721fdeb139ccc6a3844157e67fd95f0f4b07e0e945
SSDEEP

12288:AjE3JsM6t3XGCByvNv54B9f01ZmHByvNv5imipWf0Aq:dD6t3XGpvr4B9f01ZmQvrimipWf0Aq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dljqpd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dljqpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djpnohej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpjjod32.exe

Executes dropped EXE 64 IoCs

pid	Process
2052	Dljqpd32.exe
372	Dcdimopp.exe
4856	Debeijoc.exe
3112	Djpnohej.exe
2772	Dlojkddn.exe
3316	Elagacbk.exe
3904	Eckonn32.exe
2144	Ehhgfdho.exe
1780	Ebploj32.exe
4104	Eodlho32.exe
3576	Efneehef.exe
2276	Eqciba32.exe
1348	Ejlmkgkl.exe
116	Eqfeha32.exe
1872	Ecdbdl32.exe
2096	Fbioei32.exe
4556	Ficgacna.exe
1488	Fbllkh32.exe
3408	Fqmlhpla.exe
2116	Fjepaecb.exe
4232	Fcnejk32.exe
2500	Fjhmgeao.exe
2372	Gcpapkgp.exe
640	Gjjjle32.exe
3000	Gqdbiofi.exe
2536	Gqfooodg.exe
3564	Gcekkjcj.exe
4436	Gjocgdkg.exe
1828	Gqikdn32.exe
3716	Gjapmdid.exe
1588	Gifmnpnl.exe
2104	Gppekj32.exe
1608	Hapaemll.exe
2088	Hbanme32.exe
3464	Hikfip32.exe
1848	Habnjm32.exe
5088	Hfofbd32.exe
3480	Hmioonpn.exe
3780	Hccglh32.exe
728	Hfachc32.exe
3208	Hippdo32.exe
2248	Haggelfd.exe
3528	Hbhdmd32.exe
2988	Hjolnb32.exe
3136	Haidklda.exe
3340	Icgqggce.exe
4396	Ijaida32.exe
4724	Impepm32.exe
3288	Icjmmg32.exe
752	Ifhiib32.exe
3544	Imbaemhc.exe
4976	Iiibkn32.exe
4576	Ipckgh32.exe
2264	Ifmcdblq.exe
4252	Iikopmkd.exe
2752	Idacmfkj.exe
2172	Ifopiajn.exe
4920	Iinlemia.exe
4952	Jaedgjjd.exe
880	Jfaloa32.exe
2916	Jmkdlkph.exe
2360	Jbhmdbnp.exe
1708	Jibeql32.exe
4288	Jdhine32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Eqfeha32.exe	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Gqfooodg.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Fbllkh32.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Jehocmdp.dll	Dljqpd32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Debeijoc.exe	Dcdimopp.exe
File created	C:\Windows\SysWOW64\Dlojkddn.exe	Djpnohej.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Debeijoc.exe	Dcdimopp.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Gbjgbh32.dll	Ebploj32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Dlojkddn.exe	Djpnohej.exe
File opened for modification	C:\Windows\SysWOW64\Eckonn32.exe	Elagacbk.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Efneehef.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Klebid32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ejlmkgkl.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Kjeebd32.dll	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Ldmlpbbj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6372	6280	WerFault.exe	230

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedoeae.dll"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dlojkddn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchnlc32.dll"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfqf32.dll"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjapmdid.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2052	1956	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe	83
PID 1956 wrote to memory of 2052	1956	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe	83
PID 1956 wrote to memory of 2052	1956	e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe	83
PID 2052 wrote to memory of 372	2052	Dljqpd32.exe	84
PID 2052 wrote to memory of 372	2052	Dljqpd32.exe	84
PID 2052 wrote to memory of 372	2052	Dljqpd32.exe	84
PID 372 wrote to memory of 4856	372	Dcdimopp.exe	85
PID 372 wrote to memory of 4856	372	Dcdimopp.exe	85
PID 372 wrote to memory of 4856	372	Dcdimopp.exe	85
PID 4856 wrote to memory of 3112	4856	Debeijoc.exe	86
PID 4856 wrote to memory of 3112	4856	Debeijoc.exe	86
PID 4856 wrote to memory of 3112	4856	Debeijoc.exe	86
PID 3112 wrote to memory of 2772	3112	Djpnohej.exe	87
PID 3112 wrote to memory of 2772	3112	Djpnohej.exe	87
PID 3112 wrote to memory of 2772	3112	Djpnohej.exe	87
PID 2772 wrote to memory of 3316	2772	Dlojkddn.exe	88
PID 2772 wrote to memory of 3316	2772	Dlojkddn.exe	88
PID 2772 wrote to memory of 3316	2772	Dlojkddn.exe	88
PID 3316 wrote to memory of 3904	3316	Elagacbk.exe	89
PID 3316 wrote to memory of 3904	3316	Elagacbk.exe	89
PID 3316 wrote to memory of 3904	3316	Elagacbk.exe	89
PID 3904 wrote to memory of 2144	3904	Eckonn32.exe	90
PID 3904 wrote to memory of 2144	3904	Eckonn32.exe	90
PID 3904 wrote to memory of 2144	3904	Eckonn32.exe	90
PID 2144 wrote to memory of 1780	2144	Ehhgfdho.exe	91
PID 2144 wrote to memory of 1780	2144	Ehhgfdho.exe	91
PID 2144 wrote to memory of 1780	2144	Ehhgfdho.exe	91
PID 1780 wrote to memory of 4104	1780	Ebploj32.exe	92
PID 1780 wrote to memory of 4104	1780	Ebploj32.exe	92
PID 1780 wrote to memory of 4104	1780	Ebploj32.exe	92
PID 4104 wrote to memory of 3576	4104	Eodlho32.exe	93
PID 4104 wrote to memory of 3576	4104	Eodlho32.exe	93
PID 4104 wrote to memory of 3576	4104	Eodlho32.exe	93
PID 3576 wrote to memory of 2276	3576	Efneehef.exe	94
PID 3576 wrote to memory of 2276	3576	Efneehef.exe	94
PID 3576 wrote to memory of 2276	3576	Efneehef.exe	94
PID 2276 wrote to memory of 1348	2276	Eqciba32.exe	95
PID 2276 wrote to memory of 1348	2276	Eqciba32.exe	95
PID 2276 wrote to memory of 1348	2276	Eqciba32.exe	95
PID 1348 wrote to memory of 116	1348	Ejlmkgkl.exe	96
PID 1348 wrote to memory of 116	1348	Ejlmkgkl.exe	96
PID 1348 wrote to memory of 116	1348	Ejlmkgkl.exe	96
PID 116 wrote to memory of 1872	116	Eqfeha32.exe	97
PID 116 wrote to memory of 1872	116	Eqfeha32.exe	97
PID 116 wrote to memory of 1872	116	Eqfeha32.exe	97
PID 1872 wrote to memory of 2096	1872	Ecdbdl32.exe	99
PID 1872 wrote to memory of 2096	1872	Ecdbdl32.exe	99
PID 1872 wrote to memory of 2096	1872	Ecdbdl32.exe	99
PID 2096 wrote to memory of 4556	2096	Fbioei32.exe	101
PID 2096 wrote to memory of 4556	2096	Fbioei32.exe	101
PID 2096 wrote to memory of 4556	2096	Fbioei32.exe	101
PID 4556 wrote to memory of 1488	4556	Ficgacna.exe	102
PID 4556 wrote to memory of 1488	4556	Ficgacna.exe	102
PID 4556 wrote to memory of 1488	4556	Ficgacna.exe	102
PID 1488 wrote to memory of 3408	1488	Fbllkh32.exe	103
PID 1488 wrote to memory of 3408	1488	Fbllkh32.exe	103
PID 1488 wrote to memory of 3408	1488	Fbllkh32.exe	103
PID 3408 wrote to memory of 2116	3408	Fqmlhpla.exe	104
PID 3408 wrote to memory of 2116	3408	Fqmlhpla.exe	104
PID 3408 wrote to memory of 2116	3408	Fqmlhpla.exe	104
PID 2116 wrote to memory of 4232	2116	Fjepaecb.exe	105
PID 2116 wrote to memory of 4232	2116	Fjepaecb.exe	105
PID 2116 wrote to memory of 4232	2116	Fjepaecb.exe	105
PID 4232 wrote to memory of 2500	4232	Fcnejk32.exe	106

C:\Users\Admin\AppData\Local\Temp\e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e0aa5fa6a4d53f9fa3ae96c5fbb3aab0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\Dljqpd32.exe
  C:\Windows\system32\Dljqpd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\Dcdimopp.exe
    C:\Windows\system32\Dcdimopp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\SysWOW64\Debeijoc.exe
      C:\Windows\system32\Debeijoc.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3112
      - C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        28⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1848
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        42⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        47⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        53⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        57⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        66⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        68⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4148
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4956
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        73⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4404
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        75⤵
        Modifies registry class
        
        PID:488
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        77⤵
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        79⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        80⤵
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        81⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        82⤵
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        83⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        86⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        87⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        90⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        93⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        95⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        96⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        98⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        100⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        101⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        103⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        104⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        107⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        108⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        112⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        113⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        114⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        115⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        117⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        121⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        122⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        124⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        126⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        127⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        131⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        133⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        135⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        140⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        142⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 416
        143⤵
        Program crash
        
        PID:6372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6280 -ip 6280
1⤵
PID:6348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
398KB

MD5
484061ef7d4cfdfd04cee5962eb7109b

SHA1
15af02d8897c527b19b9337001005db09f4aabb2

SHA256
eeef86ffb7979802038e1b55feb631670841afc796efdfe1b075cec6de3339ae

SHA512
4ce8b7705412343237dcd9828584b6fd47306b102a0c399ea0b2a31165724faddef996644e9643714b94febedce94bc1fd980b1c0f36f8faf06d10fb519dc6c1

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
398KB

MD5
d0e72dfb8823837f7ee796b9b44fd04f

SHA1
3cd6a5ffa019949edd8cc0af8b4b9fc99c0f41fb

SHA256
a5f12401d0c5d050ed1b6d6d041a9eb1ab646e7b8ae69adace9e39fd7daed7a8

SHA512
29217ef2740be60e7e0fae3f840294bb3d7a1d11ff91fb5dd8d7af91b74e5c48f314a49c546fdbefd279e18bc82331bad05f2d6b4aaff6c15d7a0c3e75e58b5a

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
398KB

MD5
5972d0ed936e00b0c3b9bcf5c2db63b2

SHA1
39f302cadbc3fe7bb222a89a75e807091a53fd70

SHA256
b88493047b4eb69aba64f3a276e6b23a89bd953ff08cbe2b5ff88c91f99a4333

SHA512
df7b24dba039cfc771bc020a7cbb40f322ea9126c8e27a58cc4b45c0b250434119944bca1dc3cedce22125008215770c359a550d3dd609b07302841076d331ae

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
398KB

MD5
bcec22bebc80b52dd8bc859f719c1beb

SHA1
207dc1797a7084ab3477019edab362e5851bc846

SHA256
46bc6b4e73aa1f9c3354f77a4919f84287210135f5ec1df000a382354649b0f1

SHA512
5785a7bd18d012779bf0208afc084fb74f38de8655b7b3a18f791a814bc5f01cd87e259b5dd025456fd04069939d68ec93249191446f849a3272c907c69d6a7d

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
398KB

MD5
72e5c2684ac32cc2bacaba0b4cd60317

SHA1
52e0597abf777ea67c6dfb3478d4c82e16cf4cc3

SHA256
99a369cf48288d88f1c114350c6b222dc20d0e59f7be9365a9df37de9866c388

SHA512
2478ee995c421a5f36d3c6f4857ef6e27ec7c9ff347060c39760a139b3a383bc26a894aade65f805cbdeb0cdfef331b5137757b6147320781f1b88117fff5766

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
398KB

MD5
25ecbb929385e8dd7afb42bb025c729f

SHA1
8b995740b39f29ad45abe64cdfc94ed32828382a

SHA256
d482291b9e14ab6ae51849fa96cdf8b05a67e93639bd99dbe986c4828f134699

SHA512
7d6e87b7a1177abc4582b0a2b925db9f79af667c9111aaf6e8b578581a486b2cc8ea0962cf21516c40d995b45ef8f37dffb4fb32ffeef67ba78260391754b4a9

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
398KB

MD5
8555361380084aec664fba63893cb784

SHA1
d3dc328014cf86ea1dfaf54f0f64f6af3182eba6

SHA256
88387fccd137d8ed907d693bb4813cbe9b32f4ae49e84daf893ae9fb1f42bf4d

SHA512
296041dac122c2f6c5d34225bb6f017ad0c5537fb2d97eb95350e3f2d71d04edc3e2d3d5d891e8512e6b936dd4ff7b24fd6ac82c841675609b171b0cd2658eb6

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
398KB

MD5
cded7de8ff8bbb5ed6fc543e827a0a37

SHA1
49c2fbb391ff05cc50cb7b894d8423dcd6a6cb30

SHA256
3de4d09b0bba53d043bbfe14f6f2d74c197785b3031f300cc210952ecd7e5a17

SHA512
bc6b8eec26ebecc84bd8ff54566c35c750e8a8d2c5b5cad706062c210c6c3d2a0dd0b2b0c692b7809644602060fb54e30faa6e1b6aea15dddb6f9c27f3d13e2d

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
398KB

MD5
d7db96ae579052665bcf041a015c6a8f

SHA1
419fdf4cc0558297a6e948baeeebce43480fc97c

SHA256
08330b9ac259b220b47ccd8926e0847bec73595f56e4988224a89e49ee64d0b9

SHA512
3ea9cd340cafc6fdae572dadde8b52bd49afb3f9336e8e6a54f93fc69c434f07a594a17c1013edff22582790fb0dc26d8d9e33b696f6bacf03e1138342497f8f

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
398KB

MD5
605e0170c97ab0ec29c0d11a9a39c037

SHA1
e252ff21579faeb7a9aa07d3da57361f6109e1df

SHA256
41f08d68a9d388f4afd9d397c655602ee6b3fa6d9e35b582359899e46955052c

SHA512
80656ffa894f42f7c6e0b201ac2483d2c29e5dd13649b44f498b1a295113e4a6d583e4527dd5000a36494f248aa8003be4c1b96bddecbed1213da534539478e9

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
398KB

MD5
fa57c44b83ac095f35d4b6e1bfb972b9

SHA1
f7dd3a4c6641760a663963c7e855df8db94c0007

SHA256
862d841bd0857d217ebe1ff25997051635a8efa4bdd3bf593d20ed93e5ab379d

SHA512
c01437c75433836a509eb17990dafc546872c8fb2a507b4ca541d31803aaacbaa699680507d0f92de9571b4296823272df5eaebb927c9a3d40f3c7be84ecb2c0

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
398KB

MD5
eb58d0c80f3b8e7ca130783d4a14cd67

SHA1
e3845008bf53a5da641f55fe495c8b69aa560d92

SHA256
eb77492cdf1f8aa4f77646bb1a5b1d8a747fe57d3e2eed73d984381e8ffb5583

SHA512
f078bf17a4d7cc03f239a7ee5306351ddf76ed679d264372a68e80a850d6e1ab62e620b5e07a8a329f29b8e15294d2ee372c7c0ed8b954d31cc9f33c19c66236

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
398KB

MD5
9e12c73329cdd64a4667786d82ceb627

SHA1
aa665d9d400fc6c9d12210133a7d4f55d3e6aa3b

SHA256
7d6be59a777f2e44c58788caf449f0458f21c1da17194de2b59eeb873d60790f

SHA512
c475b2c0540fca309afe2ea6a9d7ae18d07a9c5fafc54239c875571a4030d14b1ac2f2ab51b51efd8529d3f84b6758aaa342e3d1031a24863dce8ec6669fcc16

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
398KB

MD5
f9c21ff8d5785aabfa0bdef09ff2c5c5

SHA1
abd37efca3dc010d230e2a19e1287ecdffca850b

SHA256
b5a572d7abcc1e9c017d2e836eb29dc774906b163a44cfc0e33bbb1d20e0b23a

SHA512
8e70a17c4211f5a34ca2a4e0b1dba32273d397fc48423c8edb80759520b6926342f6660ff1c1e4532732181e18d04edb56884f6dfecd9087814bba5179e0838a

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
398KB

MD5
63c7af9dcf26c78fd07ed24608509572

SHA1
e69d66586cccdf2f72f3daa9ff3973006139af39

SHA256
89263c198df7b20c4fda28880ac423f373153537803979baa8282077037331b6

SHA512
16cc9a7dd92b1ccc1cc34f28a78c6bdb120c66b7053ed582923a158a8a5a60474dc25c9a004ec2d5d097912f06ba95bc317ba9b98e575886af6fc9fedec7f310

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
398KB

MD5
6f667715ba14230492d94b5b3c67fa92

SHA1
ccba5974e3ca5a8e0636596560fc4d96f7e2f6fd

SHA256
35191d8d6be6c3dcbce731eab315a599b3e57e474bb7c98f461ef809bd31fde5

SHA512
34cc38fc5865ab27d6d9c40002f723301b3baffe88e5d9bb893a87ba64859dc10c652fa1bf3e1def7dba1931630654a3bf11d45bb20bfd4a37b203dff0cf9f63

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
398KB

MD5
cd4af11bd1409b2467ca8bd963da924f

SHA1
ff4c207291265572caf1d93fbebeb342abe4de79

SHA256
5b029d200f12dfa3ce902cb802c8662ab3c768fd1485e3a479a0ccf80fb326b5

SHA512
a9b6fe2a433ec6aed6529b40d483a29c5083815f9365ba986b8725039911d945ef391e5d5feaa65b95a163e020d4d60e9c23c441de1e5c9492c14caab2111c57

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
398KB

MD5
d20f5ecbeb9adcad18fa506d2711c644

SHA1
d12b8f389ea38e2a06e13d864bb5ee822c6b7132

SHA256
78687afee4844ace478d8c261829349e74f4ce463c24641e0075f081a49e763f

SHA512
b7ea0b397b74b69299ae667d0c92fc63a0882f5855941650a4aca4febc3565cdbdf4dacfee52af90ef5e648a206c36b7e177deca5c5e662b3dcbcf2544ec9b6d

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
398KB

MD5
8db2305ea7ece9b2fa250e41291217fc

SHA1
4819e4a2055630e853e21b95896ad8e12e6dbd28

SHA256
16a09cf67a7064122cd858bf6d5f62e69bd27c221f4325825ebd6792d6914ce2

SHA512
555175fb5f23a34567827dc0cacb47f2a83688040a31efc4698e79702acdeea9a6bbd147a82784db7ff23b6c6d1d1c1094b11f41bbad2438ca6662d3d7402f11

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
398KB

MD5
f1b4b6e237c1d84b2f5d9f10bafdf7dc

SHA1
795fbe5c465a1225f5d4ce9188f0923f76b8f4a3

SHA256
2dbfe766c1077bb65a5f7436af3ef1d054129c4ef5e9b1f2651d413ebb3eee75

SHA512
8ea72bc40e06502a97b3722a9e5bac743b6abb3bc1798ced6068788d6b7a74feda3d662be9554a48c61c073c39228e9f8662f4bbc18c2d48a71b36f29436428e

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
398KB

MD5
d49416e1188fb644bdb1a0129735f07b

SHA1
25c4d7bfa2fef518cc1d8874231504948ceae53d

SHA256
38b694b13ef2be6266a71d5298a54d3b33c0d79558dd8be417a27453f161a048

SHA512
538b19248ca479fe8466566c8d0dcb5badb3543d8a412f5c2fc47ef3971488d14c7d2520b8450727289bcdd783522ec8959349c76291746fb05a3993a0050c9e

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
398KB

MD5
e66bf0cef7b7834254aa7730d9a5ebc7

SHA1
c0c5624bfad9d0f76eb33ff60a3f5cab15698e66

SHA256
762750cfb021e4e409e47936268b0f60318a9c497a4ed991af6feb0bd8963437

SHA512
41875c9b47db10c12af707f4a47f1be06950b0c55c59634513ef976dd66698978848089bd88a508c4ce80f1d38ee01574fb0b5758296f3e67a155b7967c2cfb0

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
398KB

MD5
37c9fed55c0015bc2314b03585435b5e

SHA1
bca295b4a3bfc19a1319f43ce59df3c93970f861

SHA256
8eab7e7ecb243e6f15923b04670a6d6a9c7af0bfaacfc36828668189efb7f82a

SHA512
f2ee83cfca320afbb2e2a8aa1935f83d1198c1a12ec66501f95d158a1b5354db9d49b76aa5e529fe884657540e1040ecf68035176aafe7b9fe312ece006ff360

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
398KB

MD5
75d6fff69b6d9e12ea3c694638fe1824

SHA1
8cf9bf4d11b7b4e55d715f7d1984e969f1a89c9d

SHA256
d99637f889e4d004e5bab0cd19f258f124c986d2a5ed8e76073d10dcf7e57755

SHA512
8135208a5386b610ec1e5a90a690ec82a7156455c035c576fb4943af4f45a544ed5d5fff4baebc875f5234878bd57594a1cc777f08692352fd002b7eb989863a

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
398KB

MD5
db886ffab0f08fa33c4295a24d7d9ba2

SHA1
58f44eb312bf7b531b019aeac4af07a8ac000d5b

SHA256
fc05e69ebe8a9c19ca5103618ab9e1db252ef2fa2bc3c2050a0ed55834366463

SHA512
29a147a31e7e84ba8cdf4323100503f6b1955c8a10795554a23ac240f437425104bcc01ef0cd98b7d95cd94a3c82abfb85f3a467590e49abc2b1f07b3fb5395b

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
398KB

MD5
3379c76d39157969fbe0872ccf6749ee

SHA1
e188781e538bffc5678894b28c44eae712b2903f

SHA256
624f7266428140c1002976fa826943fc374a5f9e85f330e3be5681ee6e2e0be6

SHA512
95e81b98655c4aff497e1395489a3fb1fa7c0fa42486116a477e9b8c5df765b5ce271423620d931fdb830b2e8256b63728527a20ef2f5ac5abf37e43df9b3ab3

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
398KB

MD5
4de56657e4f107d92e1a8e71d9bd76d8

SHA1
f84ebfcdaaaecc468a2917e04642e9595485e292

SHA256
9adadb0861937c77778f6619a00af1af81976d15bdcef1fa733fac99c9cb1adc

SHA512
4e0bcc5127c4eaef8d4523ba4411faace981dbe58125dcaffd0abcc835bb667ec48b530e54c7e3e504e158def47668a849ad8321c71bd451c1c7ca4a8e3208af

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
398KB

MD5
26de79103d424fc3197cf62700cb462c

SHA1
5c582dbe9080fc22bfca61dc9a2c7118b6d50367

SHA256
56bc559a197472148da7586de9d7fe227ed0b90fe6454d25a2a7c2d1bbdfe0a6

SHA512
711453aa0efd87dba233a1bf69d4a121693fae8ce02eb4ab444c07cddb20c68e5d9ce40c6b93f97ab109d9ab3d19f9155f2018589b4a3cf527f6d425509ddab6

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
398KB

MD5
cf67b0b8957cf14d0f171d0d8a960d2a

SHA1
4bf140d8ea0c860c00e2003e85c92792d170f1f6

SHA256
323057ab8e0202bd0e60ad68c01fed333f40e4a409727104c43e3a20af40b953

SHA512
5b8b7f75a543d711174814ca37828dd3915eb0f53d48409a06e4c8079cfedb91a46fb12975bc3324f42b9944f2a9758ec3373a81ba92174547f69c15305e4ee5

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
398KB

MD5
97c451a562321de90c73747742cf1aac

SHA1
7acdb5758753635e704d547fcf2ff7741d2cfdc4

SHA256
7907adcb7b268e00b0c2eb4387794fb781ebee426612bb8aba373831868ee2f8

SHA512
a1a36b0af4edba19f1913902c3afeebd81cf41133ffcc65e94e81a22fde4da0bfadd03b496761734867cf98afb909da9ab371f5978555e98feddd5c03c2dc934

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
398KB

MD5
a2edfd78d3704f33c6d1178da1172ef1

SHA1
ea8eca316878a102ff14f033d0729a4dd728ec35

SHA256
e4030ac17242bd8fcf88a28ad727e2c26af51e4e6f80d2124f8e732872eee25e

SHA512
2548d47b393123009105faa2f83f7e53ed615e5a5fb9e7be54824134dcfa6071a5b7c20292e0b0a67beb6453675e3524661387e17c8ad660ec0d04ea704c8c3b

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
398KB

MD5
5fe73a2cc0f49a67a97af3cb4469ca71

SHA1
3f33e235e6f728e9db90f0b0ba8063856bf406b8

SHA256
a8787dfc80c2d464c0768d42c5435d969045c229fb307612e42b448be1623253

SHA512
87d662e9f8091a573e5549ba7d3293950ca951b8e77fcfe9625a69663d13d5fdbe2f4cf406458b98ab5d6cfa6c7e1a05e65d3ff31c3fd36b6b79392c1d1f9bd0

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
398KB

MD5
8e44b43ca97e7497b37a07b1aeff160b

SHA1
cb39b0507c7f27e82e7223f37362968d62120da7

SHA256
16a1f020f6163db9493e679646199a5606249f3881f9f8a1e91f1bebc6c2e5d7

SHA512
e0f041cd517663c21661c2e3fcc543b994d2adb714ab50a2fc5125566bb4ae5592bd7633dca3250d4d802b0e0eb800b2b6e4bc37268f47cf522247a1cdd43230

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
398KB

MD5
38cb43552698edd6b03ffafcee21bbf4

SHA1
6392afdc3dec7a7c6955fc36cd16c1d4a2628855

SHA256
19e957550a0cf1967b844e67b83a904208867060eda375c5af225ee99ba48149

SHA512
f3ae1836126dc2942528baf96b92d2b73b4284c64fecccbba10b3a602ee7b783944a11cd2e11c185190dd3569f3859beaff2f5859032e60f3bc43f9e16ce4da5

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
398KB

MD5
12e16f4c1f54c7e6a96e341ff81d27bd

SHA1
07e68350f1f493f47675e572b182adb58b366ef3

SHA256
74bf72f2ae8359e2391d56faa44045897240ec4a7e98946d34743dc322e80571

SHA512
00f2201a3c802b39a8ece2e8615a3873114cef13480e9c72b62f9d431674e4a5a2f73ffb1e1122e7fa882025b1e6d86c3659e8d6e0621e3be0ea94f8234724bb

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
398KB

MD5
86da2398210f01c702f448dab9d985a5

SHA1
64a16209398c0f722adb4dd0eda8f8b3d85543fa

SHA256
94abd77aa8958e8250a7d5de928d6f13ff31596ad2f1fea8b1c5793bc2742fd6

SHA512
3ed7020b3b5e21dfd7a266b30df63b21a0a21e21c38818793f4fa4a38d19edaf6631d49df3fda91151465751dc50599b988bbff289a065e327e7b39637ceaf85

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
398KB

MD5
ef4dc2def0e1fa5f7de1481eb3e8ce87

SHA1
3c9bc4f825713e509c2b4409de0fa1267e3b0b8e

SHA256
0488cc29bedbfade978c780ec7b67de6a05abf2535091eac22a5159db0d10c6c

SHA512
49426a4126e59296ae22f380f1d9010436cb8b4e00420d783c28a1b0104dff7d4dd6417f6d27d50382264dd51696168fa5addeb9d58c4c55aa371f2a74440d9f

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
398KB

MD5
a76cd993b6830c96f5b525e1dfc955fd

SHA1
1d1ead5716645c20ec0f791e9a7d2f1edccee4d4

SHA256
9c82cc14db539b93f72a734da924d51105f1b206ef0b6b28d4a8515fe061eea7

SHA512
74b513da9671b947986703b0af2e1d033c19b519746b1a75db995f477b87f1404a131af79d4b5e6c6c6cbe6532f410953324b2a6068eb331cecf47f775c0964c

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
398KB

MD5
67fe953f9dca1a2beea335db75c4e562

SHA1
259b95a43c10d7e93ed17d8ab619426836617907

SHA256
b7babdf864e4010ca1b3cb6397835ee9bbc0d56432f93952a8e5a831f815001e

SHA512
166c7c760bc0e8a26fc1d109b8955fb4d98454b8fd851f7a75d32c4c7bfe34c33fe63a46e1ff32b15602ff5ff919bb1715ef6fe95a68209eec5c9522bf58479b

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
398KB

MD5
068ba38be72dbc607dc86e1e082c0d48

SHA1
f14e2fbdb96e7beaa96450281f6fdfe32902675f

SHA256
190534f91e64008615a521541dd1ebb36ca0499e7fbacb06cb1e291f7fec8184

SHA512
4e39dd73d5858c75f96db00d529181c0533cf09546dab07d1120d8c1b17df039c824b57143f3133ab04889c24f2c6a41bc81d09d918de769df5ce9962bace520

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
398KB

MD5
8d2a3cc549c2148ae32825b268f5d7f9

SHA1
f943ec813d89e573d9ebe0bd8f16978930c84521

SHA256
fe700beb8bc0ff4998187de4218ba0f430b081b3871a0a378194b3b0fc96ba62

SHA512
30c354249b595f89cedcf001cb339eb849ab7052e09fe9d76f733679e4c0aef178f05248011bb815f6483ecd9c01ab6f3ca574079d51ac4818102042216c1622

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
398KB

MD5
8c9c7601237597a805f67099d3e57805

SHA1
962fb60be4401fd9b38ec6be1651b2303afc7e08

SHA256
a1edd17b3d5ca79f37ca2a5afa4fce4633ffa9a85b5c3cc7ba734632f324b2cc

SHA512
35e28f277d0af851a9d26eb0b0603f6255b948ff4064801a1e41efa0b67b951b7965335b002ef8203c9b9ce7a0cff0917ea85c8b6e95cabe140b56d815445b1c

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
398KB

MD5
ef46cbafa23987b2decb10c17e6d9e35

SHA1
99a816351473c63b00486b611b535d52b2e82dc4

SHA256
c09352b24ee6c4f33a7ef2fc4109ba7a1c99974070a388e828f82504d9773d69

SHA512
d7511939b0c6e3cc022a8670cca31b0ba91387537b564b4112b9cbc9b3c083a1603b2a115ff58f448449ee0a3ba51ebce2767c3a918bc2dc3077efed845b8ba5

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
398KB

MD5
d6d009f87abdc1d5d258f23af18f3b15

SHA1
abed0d6b7ed76456fa4fce79fbb6c6a89ca3c487

SHA256
364d8a6e32365de921d470bd147a3d5dd98f2698af6d93838967939ecbb5f0f3

SHA512
e7adc0f03b27026e6d7100f2002790310d6aa09f8f9072a1eaf7566a57f7b93e545022967efbdc1c22687394c33615b6a2f617f363095100684666043de4976c

Download Submit
C:\Windows\SysWOW64\Ojigmkeg.dll

Filesize
7KB

MD5
5b550ac98e3426778caead01f516623e

SHA1
33806561e8eaaa2553db7eccae09afe37c35a3d8

SHA256
5a4b1a37fb1a9166583721717360d4cfe084bb960797afa221a167ddea3f2b16

SHA512
7e99cc5391efdb1ca278a3b3aec0f528a65b11f58a9b1f19a349a58cc0cfd2a145763ac52ac9753a492a441e89c39aaf255859a9efa50e1b207c16ff591e80b0

Download Submit
memory/116-116-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/372-20-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/488-503-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/548-455-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/640-192-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/728-304-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/752-368-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/840-477-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/880-425-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1068-515-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1348-104-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1380-514-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1488-143-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1588-248-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1608-262-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1648-558-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1708-443-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-72-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1828-236-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1848-284-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1872-120-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1956-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1956-539-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2052-546-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2052-8-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2088-272-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2096-127-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2104-260-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2116-159-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2144-594-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2144-64-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2172-407-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2204-489-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2248-316-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2264-389-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2276-100-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2360-438-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2372-184-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2400-543-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2500-176-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2536-208-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2752-405-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2772-573-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2772-39-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2900-571-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2916-431-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2988-332-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3000-199-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3112-35-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3112-566-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3136-334-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3148-533-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3208-315-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3288-358-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3316-580-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3316-47-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3340-344-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3408-151-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3464-278-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3480-292-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3528-326-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3544-370-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3564-220-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3568-465-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3576-88-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3700-564-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3716-244-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3780-302-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3904-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3904-587-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4028-547-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4104-80-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4148-469-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4192-495-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4232-168-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4252-395-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4288-453-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4380-531-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4396-350-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4404-497-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4436-228-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4556-136-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4576-383-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4596-371-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4724-352-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4856-559-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4856-24-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4920-417-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4952-423-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4956-479-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4972-521-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4976-377-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5088-286-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5136-574-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5180-581-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5224-588-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads