f3c4d8a27c345ea2aaa4a1bd4a5bdf02a9656072c8d03b1060b3cafb78c53706

Analysis

max time kernel
145s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e753f5e2c7b62dde25aeb5ffb23f0530_NeikiAnalytics.exe
Size

1.3MB
MD5

e753f5e2c7b62dde25aeb5ffb23f0530
SHA1

bb2355567ad6bcdb3a0b8d5792f129c6d152cea9
SHA256

f3c4d8a27c345ea2aaa4a1bd4a5bdf02a9656072c8d03b1060b3cafb78c53706
SHA512

6df295bec6279ff562507e86642630f6882aac6a9758e739cabe7112feccb823fbf202110665ee92019d2184cca851a7d484de3bf2c82f2a79fcdca39f36f26f
SSDEEP

6144:Z7H4ntE5ZC2npb+oB+Zz2HG8t0DoEWufVuvw0HBHY8rQ+6bPD3wPSk8ymL2MT1d:NoAbaz22cWfVaw0HBHY8r8ABjMn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilidbbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hecmijim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeklag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdgqfbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jblpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iejcji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilidbbgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e753f5e2c7b62dde25aeb5ffb23f0530_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kedoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe

Executes dropped EXE 64 IoCs

pid	Process
3384	Hbpgbo32.exe
3632	Hmfkoh32.exe
1688	Hecmijim.exe
4844	Hkmefd32.exe
1836	Hfcicmqp.exe
1092	Immapg32.exe
4120	Iehfdi32.exe
740	Ikbnacmd.exe
2876	Iejcji32.exe
2656	Imakkfdg.exe
2296	Ippggbck.exe
4276	Ibnccmbo.exe
4692	Iemppiab.exe
1980	Imdgqfbd.exe
1356	Icnpmp32.exe
4392	Ifllil32.exe
2840	Iikhfg32.exe
2932	Ilidbbgl.exe
4064	Icplcpgo.exe
3644	Jfoiokfb.exe
2488	Jimekgff.exe
4104	Jpgmha32.exe
4484	Jfaedkdp.exe
3000	Jioaqfcc.exe
2464	Jcefno32.exe
2300	Jfcbjk32.exe
412	Jianff32.exe
4860	Jlpkba32.exe
2632	Jcgbco32.exe
4496	Jfeopj32.exe
3144	Jidklf32.exe
3492	Jlbgha32.exe
944	Jpnchp32.exe
3336	Jblpek32.exe
4892	Jeklag32.exe
4336	Jmbdbd32.exe
1652	Jpppnp32.exe
4372	Kboljk32.exe
1848	Kemhff32.exe
1612	Kiidgeki.exe
224	Klgqcqkl.exe
1348	Kdnidn32.exe
1380	Kfmepi32.exe
1540	Kepelfam.exe
4636	Kmfmmcbo.exe
5104	Kpeiioac.exe
1660	Kbceejpf.exe
5048	Kebbafoj.exe
1792	Kimnbd32.exe
2136	Kpgfooop.exe
3580	Kbfbkj32.exe
2988	Kedoge32.exe
1304	Kmkfhc32.exe
4912	Kpjcdn32.exe
5060	Kdeoemeg.exe
2388	Kfckahdj.exe
528	Kibgmdcn.exe
1736	Klqcioba.exe
3692	Kdgljmcd.exe
4632	Lffhfh32.exe
4616	Liddbc32.exe
1520	Llcpoo32.exe
1464	Lfhdlh32.exe
2324	Lmbmibhb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Pldhcm32.dll	Hfcicmqp.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Lpqiemge.exe
File opened for modification	C:\Windows\SysWOW64\Iikhfg32.exe	Ifllil32.exe
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Lcjnop32.dll	Imakkfdg.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Medgncoe.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Fkgoikdb.dll	Imdgqfbd.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Jpnchp32.exe	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kedoge32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kemhff32.exe	Kboljk32.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Llgjjnlj.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Okokppbk.dll	Kibgmdcn.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Jeklag32.exe	Jblpek32.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Lmldgi32.dll	Iehfdi32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Jianff32.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ippggbck.exe	Imakkfdg.exe
File opened for modification	C:\Windows\SysWOW64\Liddbc32.exe	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Lboeaifi.exe	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Kfmepi32.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Cdbinofi.dll	Jlbgha32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqcqkl.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Icplcpgo.exe	Ilidbbgl.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Caebma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6688	6484	WerFault.exe	267

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjigbdo.dll"	Hmfkoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll"	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjakkfbf.dll"	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhnmh32.dll"	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okokppbk.dll"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfjnoma.dll"	Ippggbck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifllil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbcedcn.dll"	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgoikdb.dll"	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jimekgff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbpgbo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 3384	3568	e753f5e2c7b62dde25aeb5ffb23f0530_NeikiAnalytics.exe	83
PID 3568 wrote to memory of 3384	3568	e753f5e2c7b62dde25aeb5ffb23f0530_NeikiAnalytics.exe	83
PID 3568 wrote to memory of 3384	3568	e753f5e2c7b62dde25aeb5ffb23f0530_NeikiAnalytics.exe	83
PID 3384 wrote to memory of 3632	3384	Hbpgbo32.exe	84
PID 3384 wrote to memory of 3632	3384	Hbpgbo32.exe	84
PID 3384 wrote to memory of 3632	3384	Hbpgbo32.exe	84
PID 3632 wrote to memory of 1688	3632	Hmfkoh32.exe	85
PID 3632 wrote to memory of 1688	3632	Hmfkoh32.exe	85
PID 3632 wrote to memory of 1688	3632	Hmfkoh32.exe	85
PID 1688 wrote to memory of 4844	1688	Hecmijim.exe	86
PID 1688 wrote to memory of 4844	1688	Hecmijim.exe	86
PID 1688 wrote to memory of 4844	1688	Hecmijim.exe	86
PID 4844 wrote to memory of 1836	4844	Hkmefd32.exe	87
PID 4844 wrote to memory of 1836	4844	Hkmefd32.exe	87
PID 4844 wrote to memory of 1836	4844	Hkmefd32.exe	87
PID 1836 wrote to memory of 1092	1836	Hfcicmqp.exe	88
PID 1836 wrote to memory of 1092	1836	Hfcicmqp.exe	88
PID 1836 wrote to memory of 1092	1836	Hfcicmqp.exe	88
PID 1092 wrote to memory of 4120	1092	Immapg32.exe	89
PID 1092 wrote to memory of 4120	1092	Immapg32.exe	89
PID 1092 wrote to memory of 4120	1092	Immapg32.exe	89
PID 4120 wrote to memory of 740	4120	Iehfdi32.exe	90
PID 4120 wrote to memory of 740	4120	Iehfdi32.exe	90
PID 4120 wrote to memory of 740	4120	Iehfdi32.exe	90
PID 740 wrote to memory of 2876	740	Ikbnacmd.exe	91
PID 740 wrote to memory of 2876	740	Ikbnacmd.exe	91
PID 740 wrote to memory of 2876	740	Ikbnacmd.exe	91
PID 2876 wrote to memory of 2656	2876	Iejcji32.exe	92
PID 2876 wrote to memory of 2656	2876	Iejcji32.exe	92
PID 2876 wrote to memory of 2656	2876	Iejcji32.exe	92
PID 2656 wrote to memory of 2296	2656	Imakkfdg.exe	93
PID 2656 wrote to memory of 2296	2656	Imakkfdg.exe	93
PID 2656 wrote to memory of 2296	2656	Imakkfdg.exe	93
PID 2296 wrote to memory of 4276	2296	Ippggbck.exe	94
PID 2296 wrote to memory of 4276	2296	Ippggbck.exe	94
PID 2296 wrote to memory of 4276	2296	Ippggbck.exe	94
PID 4276 wrote to memory of 4692	4276	Ibnccmbo.exe	95
PID 4276 wrote to memory of 4692	4276	Ibnccmbo.exe	95
PID 4276 wrote to memory of 4692	4276	Ibnccmbo.exe	95
PID 4692 wrote to memory of 1980	4692	Iemppiab.exe	96
PID 4692 wrote to memory of 1980	4692	Iemppiab.exe	96
PID 4692 wrote to memory of 1980	4692	Iemppiab.exe	96
PID 1980 wrote to memory of 1356	1980	Imdgqfbd.exe	97
PID 1980 wrote to memory of 1356	1980	Imdgqfbd.exe	97
PID 1980 wrote to memory of 1356	1980	Imdgqfbd.exe	97
PID 1356 wrote to memory of 4392	1356	Icnpmp32.exe	98
PID 1356 wrote to memory of 4392	1356	Icnpmp32.exe	98
PID 1356 wrote to memory of 4392	1356	Icnpmp32.exe	98
PID 4392 wrote to memory of 2840	4392	Ifllil32.exe	99
PID 4392 wrote to memory of 2840	4392	Ifllil32.exe	99
PID 4392 wrote to memory of 2840	4392	Ifllil32.exe	99
PID 2840 wrote to memory of 2932	2840	Iikhfg32.exe	100
PID 2840 wrote to memory of 2932	2840	Iikhfg32.exe	100
PID 2840 wrote to memory of 2932	2840	Iikhfg32.exe	100
PID 2932 wrote to memory of 4064	2932	Ilidbbgl.exe	101
PID 2932 wrote to memory of 4064	2932	Ilidbbgl.exe	101
PID 2932 wrote to memory of 4064	2932	Ilidbbgl.exe	101
PID 4064 wrote to memory of 3644	4064	Icplcpgo.exe	102
PID 4064 wrote to memory of 3644	4064	Icplcpgo.exe	102
PID 4064 wrote to memory of 3644	4064	Icplcpgo.exe	102
PID 3644 wrote to memory of 2488	3644	Jfoiokfb.exe	103
PID 3644 wrote to memory of 2488	3644	Jfoiokfb.exe	103
PID 3644 wrote to memory of 2488	3644	Jfoiokfb.exe	103
PID 2488 wrote to memory of 4104	2488	Jimekgff.exe	104

C:\Users\Admin\AppData\Local\Temp\e753f5e2c7b62dde25aeb5ffb23f0530_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e753f5e2c7b62dde25aeb5ffb23f0530_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\SysWOW64\Hbpgbo32.exe
  C:\Windows\system32\Hbpgbo32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\SysWOW64\Hmfkoh32.exe
    C:\Windows\system32\Hmfkoh32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\SysWOW64\Hecmijim.exe
      C:\Windows\system32\Hecmijim.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        23⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        24⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        25⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        28⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        32⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        34⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        37⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        40⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        42⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        44⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        46⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        47⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        51⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        54⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        56⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        60⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        64⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        67⤵
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        68⤵
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3652
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        71⤵
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        72⤵
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        75⤵
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4452
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        78⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        79⤵
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        80⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        82⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        83⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        84⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        85⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        86⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        87⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        89⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        90⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        92⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        93⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        96⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        97⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        99⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        100⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        101⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        104⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        106⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        107⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        108⤵
        
        PID:64
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5036
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        110⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4284
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        112⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        113⤵
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        116⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        118⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        120⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        121⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4112
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        125⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        126⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        127⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        130⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        131⤵
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        132⤵
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        133⤵
        Drops file in System32 directory
        
        PID:3788
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        134⤵
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        135⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        142⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        144⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        145⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        146⤵
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        147⤵
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        148⤵
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        150⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        151⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        152⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        153⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        155⤵
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        156⤵
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6372
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6424
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6468
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        160⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        161⤵
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        162⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        163⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6792
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        166⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        167⤵
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        170⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        171⤵
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        172⤵
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        173⤵
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        174⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        176⤵
        
        PID:720
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        177⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        178⤵
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        179⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        183⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 424
        184⤵
        Program crash
        
        PID:6688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6484 -ip 6484
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
1.3MB

MD5
6c4fcdaefeb9a1efacf85250c863461a

SHA1
278e63529c919e514d2879ef6ad418edacf48447

SHA256
39b24f84c8bb13f24323e608a76c03fcf90b972c6dc76e6d2b5e8432578a7bb9

SHA512
5e82143af5b567d59523ef4bf660e4e3e68d1b1b59ce6ceebec24ab23e317d5d31348586dcdbaa86d3d05079a8ce7affd91881a40d874921142ce8236ee7023c

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
1.3MB

MD5
f05b796fb35fc65ebc2ceb6d9db83b05

SHA1
cd92cb4543d45ff40487f87b9c145c3417dfcbb4

SHA256
c29fc22b6f9eb0636a35645484868fd4cdb221b0d6b62771d180ff1966a73f7a

SHA512
27785f6177d6880ab180f7320eb605969cf39e3ae2989c34d36a59c1119ac9b57ab5fe0121922c257815a497acda8962120f45d621721c831d98ff06fbab8a96

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
1.3MB

MD5
9c7938e82fd4ae55a76395643a843324

SHA1
f61415b7e3aae151c9de8efe2d51e661fd1e250f

SHA256
0a76541cb924c1a0a37bfcca658a7cc4bd58965a17635ccee69bcbb0f055d3aa

SHA512
7a3f15e39385292279806dde3fe54924f06e297bca7da5cfd727b585367537ff4189bf9defba779ae80e12aecd601beaf811e6d41ef7107ac6e64f8691cfec58

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
1.3MB

MD5
e479c96e83e471b5ffc2aa1cbc339de5

SHA1
499dee82c07036b262314b263afda13d7a6edfcb

SHA256
e156f19d8ab748d3e96097082837ecbc9d64feb5b09c74348eb4932357a8d38d

SHA512
0055a9b0399737417e67253a0ef172b171332a28a0ddceae8ec09c2056ef763f6f25b80b0102482d13b436d3fce504781a71000d970816ff3ec944269e6ac47a

Download Submit
C:\Windows\SysWOW64\Cibifp32.dll

Filesize
7KB

MD5
a50a8714bf40d8f2bd000910bc991398

SHA1
5641392fc9d02fea92466c11f7eff8d9ae4d3d62

SHA256
f642fdc99cd0fad29852975b8d25ecf5303be19b0a95e04eba26b6f221d65b9f

SHA512
bd235aac1d578a843758e3ad8b7d58d11df91b07e4693e9e0291f3c1290cf9ef08437e8cc064e3a2b1fb3cf159aec07da86355335f7f0cb8efbadd62e633178f

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
1.3MB

MD5
250bcb8539c3b7290f1b9a751124b3f7

SHA1
999a63e9cedd4dfafc74845ee59da77f0050ff0a

SHA256
bbbcedef4210677a8f069eec0f8a1d4187856d0ad5ac6441f86fa29ce7c6df87

SHA512
d6199e6207eeee04b0a313bbd8fe2e8df68d16dba6538921f28a9dd76277e9b68980b656b6998c8b7e381ff1d76dafd5cf579160794887bee2892f98cfe2eff0

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
1.3MB

MD5
c90c24a1135d2badb18b76e2e55e41b8

SHA1
0a6980dc5dc85dc7018df0b5f6c94547cd3c3778

SHA256
8999bac5bb0eb42ac9400aad65b2408fcee5ee6f421e9de64560e8ec3b62d54d

SHA512
12851844edfd71745e72274eb3df595b3401d2f2c63d55198379c23b4ae63a596bc9ff6d45a507aee6f32da54e3a9f564f27e3dfc38257f803dd8c3f4d76e64b

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
1.3MB

MD5
116f3032218c0ce3456ca0187a6ccecd

SHA1
1e79f9d4b17a334198aaa0f3fa38661586d7ff6d

SHA256
3de857baf45f6119b3ab942bdd34a2c4dc66e53d34ece4a8c1c52fd6a530eede

SHA512
314d05c79a78857f07c6ad411a8705fd5b88fee2d6a00349c93e2c092af0a8d229184cdede2e55422765b61afab263a445d1a4dca7153c9e683ed2ab428b6090

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
1.3MB

MD5
1cb65f59d1c6bc723a502b7b7404db87

SHA1
e0f0e7939aad41d6a4c7925ee0f1607309309dd4

SHA256
5bb50cd4a37979bc8cbb7e200c23371df0a2caaaaddf256e3317789d8721e72d

SHA512
dd34a88a043a105347af9b8aef5e0e3179bd723af252552dfdf98c5cb67e9324d66b300c5a546a19c1ea01896a1e820e949adc056e4ec9f99796ec0745eca719

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
1.3MB

MD5
e98134e3eeb19761716f217ce5c1c216

SHA1
f824f503e4eb2cc689ba82f3e90d87d951986b5e

SHA256
8a6ad7351588f10076d226da31ef4d05849360cabf521e1ad897cb5e876c7a7d

SHA512
5b47afcbedd4f258a7e4831a34a7cf76d42ff1375a446a216965edfdc0f01c15e2422c88bf02cb2b8542546c4a3c3cb2dc8fa4e1a514f8ab91ba60f88558e545

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
1.3MB

MD5
f8e931fd7892f3dc75b4f6d031a48ddd

SHA1
ab66aaa8101b489039b41fb80735c1497fa44628

SHA256
d581c8e6d3a1b58f474c394bb20b8fa8fa704336b1e1fc3ae9e011bf29ee9202

SHA512
6167c67226fa8626edddfc9554c0d5eb410ec1d667946efd5a5ebbb48dc79d85cb4386a383b1e924d316a043f4ea707eee952d146cbf3413194b2d38c6d9d5c7

Download Submit
C:\Windows\SysWOW64\Hfcicmqp.exe

Filesize
1.3MB

MD5
612cc9014caead556763dbfea1e72825

SHA1
fe100c08eb1a90b19178c339d447e2400df59c6d

SHA256
c5a5269b559484a94a88f1326f660505216b71bdf907b1a3567a1b1e88a8674b

SHA512
b0cc3b57cb31216c20632e5cf5011a364e83c43e87e65ccfd786b62faa2cd972e9ee983729b9eada638810d35719e361d984583c3a9012e39e67250d05a3b372

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
1.3MB

MD5
395ffb163533bc7ca86a51676f87800e

SHA1
2f1a5a7885e26186282ba64883bcd45a207e951d

SHA256
9f664ae9ea8cd770b5fc4845e3754b789125d996a59ef7eb19b3fa53fa97b9f5

SHA512
958884287913ccdcf4bf95033e91fc94592574c4514c84e9df721e40910ffab970dfd2f22963712758a662a356774c5a815feb969432b17c31960ec2de567afe

Download Submit
C:\Windows\SysWOW64\Hmfkoh32.exe

Filesize
1.3MB

MD5
1a3b969bb1441cb32c48636c551b8145

SHA1
76b48f3a4e05ac6a997cc008226729b63f80a8ab

SHA256
76ec5c87d4f2fb2cf28e5facf23a305d5c2f4ca5c4e27693f750c85fb92b4bcd

SHA512
dae3bc141ad8f4e0200ad345f913bb9b52ead8e2de460c558f0574743f1dc372933b5789f8f5a267789235c3719ed382e2656ca2d53b38523fdbd95e31533e7b

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
1.3MB

MD5
707c00a00732352f48a410537c136e50

SHA1
4cc03c9a6e06694e2e190b3787ff0fb12f009ac2

SHA256
d0b241286508089a6a06d4a956bae02cf1f3b397da5bcb58c5177d5d7b9e7645

SHA512
7444739a9580eb02378a0760e09b16320fbaa5f20618a8c4533857fe86a828af0d4bf7a3fd8904dfd9490f205e1331f36ffaa680b5ec1acbcb05fc17409a1786

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
1.3MB

MD5
de8271616883a2ac5a30e87d2e3684ee

SHA1
33f8efa971071b51c9956b0c0f354d64f89ac2c3

SHA256
5443fc020869894b639ef3f812cabb9e2f5bffadf25bccf8baea3925ee69c7df

SHA512
fa048da50f3da935a1eff30f4adc8587c6163916798a40203249423e64d9b0da6621752732b1d4bcde06f6f4642e308c096ac9ff4d0eb71a054508bca213e120

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
1.3MB

MD5
53dd2d350c587ecfbdafd7196cb2fa80

SHA1
e9ae51bfc173a268fe3c3e647e86b03e528453c5

SHA256
f2633cd22bc0a21121e2f691a9d5db4851b1988c856f5def227b83c0aeab6826

SHA512
12e222d4cc12932e2373cb18ca7f059177b3f8cc4f762455e90572eff8cdc8a87bd177f3cad02a68f83e4ab8e42e1d796192baeedb2c630c901720ed6ff44579

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
1.3MB

MD5
e35c0adb7d80b100ee4c5190be3dbfdb

SHA1
488097d6e024b724aeb037f08df327165ec4e8c9

SHA256
22fe5e93d12adf65a89211f6bc17561ba61f95badba92f890d1e60f7e56964bd

SHA512
42ba6932e69ad693608f4278666baffc7c75b487cc6d1c04afb32013509e6891828766a405ad17bbc65b283492a30f8a79184f1fc93adc9c64cfcbe611a08deb

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
1.3MB

MD5
b40486ffa7d930b6f325313635fb1a2e

SHA1
3e21d96314fb15e6f59e57d497aa6d8a53ee67c1

SHA256
d9dc5c61e8693b29156d71913a6c570a9a8bf3e7617829548e8e5e722944839c

SHA512
a0f71c4865d12f4bf003992f9bfe3d994d684ef2af93d38037b4b1733a848fa9248dedc5e97d0ef0b07ca1aac76808c0513cd6ac1fcaa080169400278a042b84

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
1.3MB

MD5
2c58fa4f933301bf8f507f4d45069627

SHA1
b2044497439a72cba25bf5656acb7fc598759080

SHA256
6d4f54e05fc7ee8c4202e56a7842af531ff7eb7097657416f054fe8dc4a3d42a

SHA512
88fea8381872d5903dd2829877c9cf2cdf06c7224148b272a105914787a97fa9e0a11900cd60e49b6decd2cc6702df71f9f3141d034dc66149870785880c40d5

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
1.3MB

MD5
ccdd550a6d042ec956f2b117ae74f528

SHA1
eb5736a38d2071d1ca3bb7797c3fde47c5c40aa6

SHA256
2e5256eba599c124d59780face94e71a51bd653114e145d108c1da88f595eecd

SHA512
8c777d821f9946a279850d7cc17a7bd77c1e23aa2d64e8a333372e9ea94875213358c1bf7650061c80d90ad8b3516df3c29e658b8e105f742150a4b79c53a060

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
1.3MB

MD5
a954ea11a4c2f6cf36cd8b46ff42ea4e

SHA1
fa3b1e028ed906cef2f5d106f379556b7ca494e3

SHA256
42c6a823341711e0adfe79d4c1a1dbfdad9eedead74afaa3f2a8a31902c269cd

SHA512
31b369f1bb6b3040fbe279853eecb460f988f66a3de8943a5435105f61939ad429379c71368610df9feb82b249a2aa49f80cc258ca0b454f329ea77fb2c0393b

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
1.3MB

MD5
298d3de8a4c89d857dc1b96b9b189af9

SHA1
1a57bd75d54943b6142ac03282f22e60466a1e45

SHA256
a552edfc7ec6d49692207862d0f2ba082cbaf9f2280778025d582157f57fd418

SHA512
3f0b3a6d304105e132757068aa5377ad2e6bd3fb3cc299f94a61131e79bd34ea039bfb87d7e8abf6957a847506e2ef85fdbb32a0810526913d57b80aca979035

Download Submit
C:\Windows\SysWOW64\Ilidbbgl.exe

Filesize
1.3MB

MD5
12a8a3a0abbe030f063d5e89bf04994f

SHA1
0a7912485cb31d521d7e5f96af344449109cb52b

SHA256
d3923c9971c28d0dce48c4d3c30b98f324c139aaf7aac0c326426c3a8cfa998b

SHA512
a5f5b61fde2905ef8dbff329360e46482dab748cb4a7a20a08e717b417e323c04c62b7a8d562adae3c0846912fe06489050321a88bc04f5cfcf6ce4a1ebde38e

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
1.3MB

MD5
8d39578d70bcda8a57a3ff69450b8e49

SHA1
db0cbfa6f5bd84504f49cd6d43aabdf95e6183bb

SHA256
ed96cedf105c81d4c754eda3e54d014a2c12ad8b04c2613eb8dcac4abd7e00ad

SHA512
1f3b7397e42be1ade865c704ac5c24002b85cb182315a28ad31de65a0ab5aca196107404eed196efd0d0d3c8bfaa34a198373335bb67da75ae34873e610a1473

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
1.3MB

MD5
e214b1969d8081db1068e463029556c1

SHA1
4722a75cab0d8438fa78f2ec15803159d41c082b

SHA256
1291fb61ae4aaeca0643a8dc71024965ca6e117d9df41df10018e8fb4edeeb1a

SHA512
270242110b73f49dd4271f7dcbcc50f12ebb5b7f65fedb4d79f8764a7f21bb533adf552051bff916da7500e976d2b55bd5449dc5ce7616efd7cdeb617dfb7876

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
1.3MB

MD5
60da3c80a46357120acd8acb4619e67c

SHA1
83342e130725c59518693a90092565ccc1a57e11

SHA256
e6d0ad2c2c654c8bd0fd9ebc6a2ff6b69e5ed793bbedd6690bbb0aba65723c0d

SHA512
fa0e7282559a64b5f62b922a7557ea1b5ddeccb1d0733562fb476d43674bb63cf3c9e527fbd2008111c551804539a9f5960fecb17a8f869b20db6c963eef94ed

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
1.3MB

MD5
3f76433de61c59bf13a936926b7ea8de

SHA1
1955cd190e7a41493195b5ab8e7e703e4140f3cf

SHA256
f0fa04487dc04ab925be62e2e59cd521093a1755979c502410c4f408a6922f8c

SHA512
1e7fde7887035ee2e8c5b6260110ceb34e1c1081bb5caf7bc76d2b744e534ed5356faa665ec8336811ae657dc3c371ade33b52fb066de1ce4cd532b54d955aa7

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
1.3MB

MD5
dd3520d498a24b22c5506a4a4ff0197a

SHA1
f3181e9500079d22bf32db32bea9f7207a84a1b1

SHA256
c5d4abf33de395c9ff33a87d326598c332827ee544d61da65c96e2afdfd942da

SHA512
dbb5024a542effc2e65db0f39a743f872940158433c876a96747a3307264f66f1051cfbc6ddcad6b673050a0440bde65f7e7e6c0eea76a465cfe1e6a54b337e8

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
1.3MB

MD5
bffe071eeccdbb57b2217b25df6fa692

SHA1
86fa110765132eea6d095d5077474ed70a465aee

SHA256
d8be5caa03da1b15eaea353fce326c71a749556ef238518d18b4514a59e2f852

SHA512
fd5819f44aa01a2f718cf32113f3c8acc07e625ac07daaa4fa7557989d8833ae93c5d26215f9a00c0a4fa429dbdf3970894af4493516347134eeee9d4028de28

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
1.3MB

MD5
b1ce2c543c815031292060eb713f1b77

SHA1
e333ffd816f6c09a689f9319226618d76332dbdd

SHA256
99eeef34d4a7fd65e3ea2c5f9f8cd7f03c4700bfc6b87488e801f0d4e60230bb

SHA512
e7dd8394be12e86294856ffcea33207c995e1dd40dc269b97f5d0aca8c7c5d6c83ff37d0cb2cd8abed633c6fc29fe94c0d034da2d3e3305ca8878b0554503bd3

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
1.3MB

MD5
67afde6168df414600102095694c8709

SHA1
2c56aa05b7a6d81b67a1786543dd471ac4c0578d

SHA256
c60327bb78a2dd8b332d7e4867c109667a66c4b6b913bb3ac81de0841f48d958

SHA512
85d921b1c25196b119e18f66538dee33cc48cbe4ad1d1394563eccda6bcfdfc492f1a2d31dd050038add8652653bb83bfac21cf7c252e88aa57c97a98d55a6f6

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
1.3MB

MD5
719dee8dbcafc914913edbe5386526d2

SHA1
c4be23868013f5a41934c53686317274beeebb61

SHA256
5b1962d398e4d77364599248a7a3adaf099030f94c00697b41fddd9ffd7494bf

SHA512
b9ef386679d224de1db3d37d5e9a6ae9f790c140509102f5900f45ca1708a7b1fd88205961756213dafd1c16c2029cf8dc74940734de3499c6ab7919f100987c

Download Submit
C:\Windows\SysWOW64\Jfoiokfb.exe

Filesize
1.3MB

MD5
8755209b037ac4237e83584e789b5e7a

SHA1
7ab22624c1b17b781c760ba6e5761b5657eb180b

SHA256
f11a5d89b770962bba16dfd4cb6305077ca25c6e79852e31e12a8b149e284d0c

SHA512
76c35664a68bd19418a8af87d7f0bd5874618d2da6aa13911211cf96ab93e2656ba8aa561248ffb8a4dc5385fcb7fa30d86da0aadb4baa25fbcc289aa343f823

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
1.3MB

MD5
92b0a8844294747291445e8f152b1547

SHA1
61d86b37d57d1066f344e1d0dc95dee0bf3ee22b

SHA256
6620f47cf145b5b497e4c85a0a89d36bd828b9abfd8bfd32fb045c3629229738

SHA512
a3e2e73825d5e13b5bd338349bf5c328128797292d345610a774cd7d91849f8526d0af1c9952a8e8c87b5b05da77d170f7dd22157573fc4bcd4af3e04ac082d8

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
1.3MB

MD5
678a83d03e7c23f4f284abc6f63f244e

SHA1
db262fb3a0558e3e050524b5aeec6e3565f0dae8

SHA256
0723d1af6d1350b9e314728ab910a7f61d441ca4339214bc2db4687fd41c8666

SHA512
26bc8260b8d32a71d52fcaf7482b07baffb10f3852b718c2c0c9fdb77617e025323ef3eeda1c591fcb49ea27839e95158faef319e36d1560c14c36b10c0e6d86

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
1.3MB

MD5
9969f11b3bb43c743e979082798a0c96

SHA1
f42b267f12abf314d4b59482b7f741973aeca4a3

SHA256
8d74beae1ab98f270f4f19708d445d0b159c4b1af261f54c987038a4b9f74bd0

SHA512
fdfe636c6faa7b7aa4a0400c5ef5c35370f97eed54fe25bbb2d3d57e78bf811a992517a60a39cbd9070397091b3fdeef824face2bc5297aa7cc9b508888ebcf2

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
1.3MB

MD5
e147dd056bca10cc4ad1a08017e765b7

SHA1
7ceb0485615a823c9f0145dd3befbc98f7e5d22a

SHA256
95262c0658bf9dc12d9248c007d7411367bdadead72bee40d5721fa5ab8ee476

SHA512
c0393c1648b8dc48fb46b3db43f114f443f0c6ee05c2aca5936dc1fc5826175ddad353a1eb7811f2afbb0bd8a977bfccef8b2151c93089da1aa72a8670a17c04

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
1.3MB

MD5
91ee5506dd4f3a40f77e1cbb398fc4d2

SHA1
116afcbcf331c3b7260496e3c8b4cb1c95891c76

SHA256
c9dd654249b5d30ee6eebed2c9aaf950ac0b33d387731ca2ffcd219427fb90bb

SHA512
4ad1226bf68986141a74b95b5c5b0798ebcbc9c60a21959a0d89bda4123d6a04abae533ff60df4cec3f85d480cf094b934b02f0dc61d662d80360b31f64d6eeb

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
1.3MB

MD5
70967f10944c68b9ad601843838b25be

SHA1
68d0595270a5163d0ff87ee65df5cc2d001a0262

SHA256
2e410284bb2ea1e892c29e2bea0eb5de63d03ccbe25aafc603340531fa1eb6bf

SHA512
f55529f1615ea2d892ed51fcec476a51637804efef099d0dd1b02af8982521429977242699d4eec790f0f73c8cd34ad341fcf648ec4550121273f266f7c689f9

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
1.3MB

MD5
3c82a2c573e1f9e66a9ae9fc86d539d6

SHA1
61011f12250c75126d0242d6b47a8788bc3c9815

SHA256
6f2810a2781e34dd0dd5784a0604931f645ff6a721252fb2187a05596f2c889d

SHA512
4c0af5dbf1c5f44a137ad4d892f5241196f6f0669ac014915c3530155c226e93eca69c1075c79392406b72d86120c5306d37ba83d50bd9270192f535b74e6eeb

Download Submit
memory/224-845-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/364-878-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/412-820-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/528-861-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-801-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/944-826-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-857-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-846-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-808-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-847-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-868-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-883-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-866-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-848-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-844-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-830-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-851-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-862-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-853-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-843-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-807-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-887-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-854-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-804-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-819-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-869-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-860-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-818-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-814-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-822-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-803-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-871-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-810-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-802-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-875-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-811-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-872-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-856-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-867-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-817-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-824-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-827-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-881-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-825-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-855-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-813-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-873-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-863-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-884-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-812-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-815-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-800-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-805-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-870-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-829-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-842-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-809-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-885-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-816-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-823-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-880-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4616-865-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-864-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-806-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-821-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-828-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-858-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-886-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-852-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-859-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5144-888-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5180-889-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5216-890-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5252-891-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5288-892-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5324-893-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5360-894-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5396-895-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5432-896-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5468-897-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5504-898-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5540-900-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5576-901-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5612-902-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5648-903-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5684-906-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5720-908-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6520-1191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6916-1177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7056-1172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads