5a54dfc11747b8d0261d452f284d3f1e4de00c4e4e583f34ff53d92f36fba867

Analysis

max time kernel
139s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a54dfc11747b8d0261d452f284d3f1e4de00c4e4e583f34ff53d92f36fba867_NeikiAnalytics.exe
Size

264KB
MD5

dfaaea70735d5184e303501b9953cf00
SHA1

a944c3b573320c4f07bfab7d5338efacb26fc2d0
SHA256

5a54dfc11747b8d0261d452f284d3f1e4de00c4e4e583f34ff53d92f36fba867
SHA512

ad507d2b85f6bc6fbb40e9c0ddbcdaf363b09b1495c775bf4b6334eb8e0fba79809910f1da5e43df6fc503001d4bd00d965420f17ffaa738c69a527d85747d9c
SSDEEP

6144:5tLS6mqPpui6yYPaIGckByLLgNHVXW9fVLpui6yYPaIGckv:5tO6mQpV6yYPayLLgNRYf1pV6yYPo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe

Executes dropped EXE 64 IoCs

pid	Process
1776	Mdmnlj32.exe
1388	Mnebeogl.exe
3340	Mlhbal32.exe
968	Ndokbi32.exe
4216	Ncbknfed.exe
1968	Ncdgcf32.exe
1456	Nnjlpo32.exe
4872	Ncfdie32.exe
3372	Njqmepik.exe
4848	Npjebj32.exe
4108	Ncianepl.exe
4500	Njciko32.exe
1584	Nlaegk32.exe
4708	Nggjdc32.exe
3164	Oponmilc.exe
4200	Ogifjcdp.exe
1088	Oncofm32.exe
4252	Ocpgod32.exe
2324	Ofnckp32.exe
1208	Olhlhjpd.exe
3644	Ognpebpj.exe
4920	Olkhmi32.exe
684	Ogpmjb32.exe
3416	Olmeci32.exe
3368	Oddmdf32.exe
3016	Ojaelm32.exe
1188	Pqknig32.exe
3492	Pfhfan32.exe
4408	Pdifoehl.exe
1860	Pggbkagp.exe
2176	Pqpgdfnp.exe
1072	Pflplnlg.exe
4808	Pmfhig32.exe
3204	Pdmpje32.exe
4988	Pcppfaka.exe
1184	Pfolbmje.exe
3200	Pmidog32.exe
3988	Pdpmpdbd.exe
4416	Pcbmka32.exe
3260	Pfaigm32.exe
4168	Qnhahj32.exe
4932	Qqfmde32.exe
3228	Qceiaa32.exe
3704	Qjoankoi.exe
408	Qnjnnj32.exe
3852	Qddfkd32.exe
2808	Qffbbldm.exe
4928	Ajanck32.exe
3304	Ampkof32.exe
3592	Adgbpc32.exe
1804	Ajckij32.exe
3112	Anogiicl.exe
2992	Aqncedbp.exe
2972	Agglboim.exe
4244	Accfbokl.exe
4936	Bjmnoi32.exe
4984	Bagflcje.exe
1404	Bebblb32.exe
1708	Bfdodjhm.exe
4740	Bmngqdpj.exe
3344	Beeoaapl.exe
2532	Bgcknmop.exe
1728	Bjagjhnc.exe
3788	Balpgb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5728	5484	WerFault.exe	197

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bagflcje.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 1776	4880	5a54dfc11747b8d0261d452f284d3f1e4de00c4e4e583f34ff53d92f36fba867_NeikiAnalytics.exe	83
PID 4880 wrote to memory of 1776	4880	5a54dfc11747b8d0261d452f284d3f1e4de00c4e4e583f34ff53d92f36fba867_NeikiAnalytics.exe	83
PID 4880 wrote to memory of 1776	4880	5a54dfc11747b8d0261d452f284d3f1e4de00c4e4e583f34ff53d92f36fba867_NeikiAnalytics.exe	83
PID 1776 wrote to memory of 1388	1776	Mdmnlj32.exe	84
PID 1776 wrote to memory of 1388	1776	Mdmnlj32.exe	84
PID 1776 wrote to memory of 1388	1776	Mdmnlj32.exe	84
PID 1388 wrote to memory of 3340	1388	Mnebeogl.exe	85
PID 1388 wrote to memory of 3340	1388	Mnebeogl.exe	85
PID 1388 wrote to memory of 3340	1388	Mnebeogl.exe	85
PID 3340 wrote to memory of 968	3340	Mlhbal32.exe	86
PID 3340 wrote to memory of 968	3340	Mlhbal32.exe	86
PID 3340 wrote to memory of 968	3340	Mlhbal32.exe	86
PID 968 wrote to memory of 4216	968	Ndokbi32.exe	87
PID 968 wrote to memory of 4216	968	Ndokbi32.exe	87
PID 968 wrote to memory of 4216	968	Ndokbi32.exe	87
PID 4216 wrote to memory of 1968	4216	Ncbknfed.exe	88
PID 4216 wrote to memory of 1968	4216	Ncbknfed.exe	88
PID 4216 wrote to memory of 1968	4216	Ncbknfed.exe	88
PID 1968 wrote to memory of 1456	1968	Ncdgcf32.exe	89
PID 1968 wrote to memory of 1456	1968	Ncdgcf32.exe	89
PID 1968 wrote to memory of 1456	1968	Ncdgcf32.exe	89
PID 1456 wrote to memory of 4872	1456	Nnjlpo32.exe	90
PID 1456 wrote to memory of 4872	1456	Nnjlpo32.exe	90
PID 1456 wrote to memory of 4872	1456	Nnjlpo32.exe	90
PID 4872 wrote to memory of 3372	4872	Ncfdie32.exe	91
PID 4872 wrote to memory of 3372	4872	Ncfdie32.exe	91
PID 4872 wrote to memory of 3372	4872	Ncfdie32.exe	91
PID 3372 wrote to memory of 4848	3372	Njqmepik.exe	92
PID 3372 wrote to memory of 4848	3372	Njqmepik.exe	92
PID 3372 wrote to memory of 4848	3372	Njqmepik.exe	92
PID 4848 wrote to memory of 4108	4848	Npjebj32.exe	93
PID 4848 wrote to memory of 4108	4848	Npjebj32.exe	93
PID 4848 wrote to memory of 4108	4848	Npjebj32.exe	93
PID 4108 wrote to memory of 4500	4108	Ncianepl.exe	94
PID 4108 wrote to memory of 4500	4108	Ncianepl.exe	94
PID 4108 wrote to memory of 4500	4108	Ncianepl.exe	94
PID 4500 wrote to memory of 1584	4500	Njciko32.exe	95
PID 4500 wrote to memory of 1584	4500	Njciko32.exe	95
PID 4500 wrote to memory of 1584	4500	Njciko32.exe	95
PID 1584 wrote to memory of 4708	1584	Nlaegk32.exe	97
PID 1584 wrote to memory of 4708	1584	Nlaegk32.exe	97
PID 1584 wrote to memory of 4708	1584	Nlaegk32.exe	97
PID 4708 wrote to memory of 3164	4708	Nggjdc32.exe	98
PID 4708 wrote to memory of 3164	4708	Nggjdc32.exe	98
PID 4708 wrote to memory of 3164	4708	Nggjdc32.exe	98
PID 3164 wrote to memory of 4200	3164	Oponmilc.exe	100
PID 3164 wrote to memory of 4200	3164	Oponmilc.exe	100
PID 3164 wrote to memory of 4200	3164	Oponmilc.exe	100
PID 4200 wrote to memory of 1088	4200	Ogifjcdp.exe	101
PID 4200 wrote to memory of 1088	4200	Ogifjcdp.exe	101
PID 4200 wrote to memory of 1088	4200	Ogifjcdp.exe	101
PID 1088 wrote to memory of 4252	1088	Oncofm32.exe	103
PID 1088 wrote to memory of 4252	1088	Oncofm32.exe	103
PID 1088 wrote to memory of 4252	1088	Oncofm32.exe	103
PID 4252 wrote to memory of 2324	4252	Ocpgod32.exe	104
PID 4252 wrote to memory of 2324	4252	Ocpgod32.exe	104
PID 4252 wrote to memory of 2324	4252	Ocpgod32.exe	104
PID 2324 wrote to memory of 1208	2324	Ofnckp32.exe	105
PID 2324 wrote to memory of 1208	2324	Ofnckp32.exe	105
PID 2324 wrote to memory of 1208	2324	Ofnckp32.exe	105
PID 1208 wrote to memory of 3644	1208	Olhlhjpd.exe	106
PID 1208 wrote to memory of 3644	1208	Olhlhjpd.exe	106
PID 1208 wrote to memory of 3644	1208	Olhlhjpd.exe	106
PID 3644 wrote to memory of 4920	3644	Ognpebpj.exe	107

C:\Users\Admin\AppData\Local\Temp\5a54dfc11747b8d0261d452f284d3f1e4de00c4e4e583f34ff53d92f36fba867_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a54dfc11747b8d0261d452f284d3f1e4de00c4e4e583f34ff53d92f36fba867_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\Mdmnlj32.exe
  C:\Windows\system32\Mdmnlj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\Mnebeogl.exe
    C:\Windows\system32\Mnebeogl.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\SysWOW64\Mlhbal32.exe
      C:\Windows\system32\Mlhbal32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3340
    - - C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
      - C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        27⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        30⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        36⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        44⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        62⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        67⤵
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        70⤵
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        71⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        72⤵
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        76⤵
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        77⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        79⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1580
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        82⤵
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        84⤵
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        85⤵
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        88⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        92⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        94⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        96⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        100⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        101⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        105⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        109⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 416
        110⤵
        Program crash
        
        PID:5728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5484 -ip 5484
1⤵
PID:5652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
264KB

MD5
f3f94f574a4285e6032e942d65bda553

SHA1
6d7b98f4b1ef0bd96be0705d9bf91f608ebe36db

SHA256
d837a25a7cf7db69c1fcb4e556b69b9def400807d0b39e3405403dcee462148c

SHA512
fe91de1b2c1ed6de35ec1b3840be628f0c6e46b6121034ce82d183010c7685b45ff9ae94ad7934a7fe883c1560ccc5c2f495cde20c8029b36719612a2e8c73c3

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
264KB

MD5
ef186c897cfaea6625a6d2cc166d6e79

SHA1
96f4519f475db938a32d3bf9e2ef813535e83e85

SHA256
f798cb7381f570e3ccecd16df0ea6b5791951d193185e069f07b0c0350172c75

SHA512
2451bd61ff975b9614f0422cbf4ad02fa6dfc70c0589366ede92017186e7cba3050b4b6a67b9d309c360bdc93d3d3c1c4d0d21238acf1a7f02b3290a55e71836

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
264KB

MD5
4eb2155b047ca92461c68388da79d693

SHA1
0139b703ddc281fab135c6ce6a4ff938a6ede81c

SHA256
aaa9b59db9cdaf0638e81aa257f51986b35ac4a3ffbcfdbef8ee1a3f3fea145b

SHA512
13282f059de0208e339f84712e06bc71fadfcc5456d1b8efb604dd23d4fbfa4d88ab919d87515d7990a282365223ef32d0b6051fceb33317e1e85047ceebede3

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
264KB

MD5
e32cb9a3d15c87fe2e63d6845349ffae

SHA1
6a350be1dd3c6badc8c161a30ba13ca6293d3ecb

SHA256
77dfbb5b3f9b3bc971c72a2bc7d0ff1a4f8884d72b528e648f468f7c0c13e7f9

SHA512
e62048df9d90304c3c3096343f1d5467765500198617e4079690c5f17ff2a9784bfcee4a576a5b82e151e4ce591602124efff32026adcc6a0cbadc9246a8511f

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
264KB

MD5
af00a7e4509409f8fed229b67f07fa8f

SHA1
c1909859f966c990dc14851d7f94bf94561ffaa3

SHA256
11fb7178991ef783af47bc13ec3cfaf7eade7cfbb69178baa786961fe5ec4447

SHA512
053f46a9db7df1fd8f0c751b51929382b7ab157c43ce5db1b8c3ed6728f987af5dc63ebcf710c2fafd7f0c82751c47d7fed8ae87ae3f6093d93ee594b9f64b68

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
264KB

MD5
70f53059d4a4b1576fdbf01f7f773c28

SHA1
4f9d328a1f38312edd0b0fb9c6df187e875815dc

SHA256
f7a1a7b131b4900844f7a3a00f314a0de13a634e17d9c495cebaae9402af518e

SHA512
4c7b9d50540b6e3e9cd3f01c39760a2235aac9c32210661a4ad701303069f9219b2821f30611628169a40bd5620c505ae7177c0a712d60f1d928f13174016bdb

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
264KB

MD5
663c9e8dc7f1de52bc6a9edcf5336326

SHA1
2e70e69eecbfb22f25f51602c62f1d68060caeb4

SHA256
42f4016e9de66a79ad00ceef1fcc76bd3ae1819ba0b6be7e7dbd9d2539c61903

SHA512
7f6e259de0e99a463f534f70e11c7b7653ea000dc76697bedd3d20a7175175346f2c8e31a74f6f615924896506b154a491bd674f46e9ae8cdcc74756c4697cc9

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
264KB

MD5
88073b01449ca198065823d69b8c7459

SHA1
9fd0bb34e4bb40806d463866f010a5d6f6aba027

SHA256
72b343e20310143518045611d96ef8c162e7561bd0214b72762eac913a824873

SHA512
3eba908fe3d42945e1f7d767c5022869e5d579f6b013fa49a47f010a66f2487d2a71dc9abf5fab370adbd66a99a7afc789876041e81045edc4b4012a17e46378

Download Submit
C:\Windows\SysWOW64\Knkkfojb.dll

Filesize
7KB

MD5
d9eff0624009e215728d08c448b0ae51

SHA1
ef1cb920344d03260659f7f29b39e69ba10c3fa4

SHA256
40d9ea42e3311186a5b7932a2a8cecc8d04a8f033721a1a597640da7ea13c953

SHA512
86818d3fc742796c00032a4733d7e1b0d4d3b802584d3df6d478e992310c43f0e1ac4c8e7313d496669b5805520cd1a7d8cacf1aa5b3dce101d409cf794abc0a

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
264KB

MD5
95e8c5c1699d603507717c11243aa1ce

SHA1
0a6cdeb6764ed6400c6298b23c0afbdb8d051296

SHA256
efc334e07835cb9b97b5733c6d7e486b0b1e1e2bd41ddbba8bbcc669f11b1865

SHA512
a31954d52d50fb38681e28774c09ae634c21a7438a63d47dc59dde78bbdb4079b93b2624475a9b3b54c055b360764732d68d67052615c1e126f5ced58a1613fc

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
264KB

MD5
9ce4952163ccd6d801c31e27e6022f51

SHA1
2f0e1289a5bc76e6922c7a7fea21b3dd3a919824

SHA256
57b23e335fa0805b8645ff6eac1f0b03c17ca6106e2740e599cba23b2bf76a54

SHA512
d7d6f6e2b9708870dd64fe6381ea46ebe3e394dc50a2debeca61e1a731ae17c125d447fb5a12326fd759518e614f68e03f279056bb27b720b18a2bd2276bf8d1

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
264KB

MD5
6e425da7cd10fc7c5a62a2dece65cdde

SHA1
14b6692c95ec45a7ae2c325ce87263cb8c87efeb

SHA256
e2e57301347c30971df60f21b471214c0666105e18ab5a9c0a5d190b4ea318c0

SHA512
5675fda09a97e8f27c49461c846803c8e6189c1a5c851673fbb25e4de2db5c109b1d5a6626157fbba3a6261fb35e6076ef6552f2783378f09529c089c065217e

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
264KB

MD5
0b62c02bbc87fdc2dd0a0199c97b1385

SHA1
356cb038d081604e6717f0edd5c2d6b00d823269

SHA256
9150539df990c50a0d01e0d63d74bc432ca2ec4a1df421a61068951a3e901633

SHA512
e335345938a8f7fe31cea1cdf9c34911f6a5c457ec50970f5cd1fe62f3eb67da9b95999a71e0ace96cf6bbe8959f9b37af41e04897236409717b9989c34dbfea

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
264KB

MD5
5b0a54fd75ee4ef437a79e495f45c1df

SHA1
4881ee993bcb771f5e19dcb2d4ed557ab30a85ff

SHA256
41529763dba4af35608c806cb9b9cd11d28de118baca046dbb28c3a8e6568e62

SHA512
fe3ec9ef4ca3eedc0b17eb4210fd1a55819b2084861a4631dc997050b05eb458a2bc62e833e9e723a16b07759ad13d1a0c1b300b205d2d00ed4dd54e7af1c81a

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
264KB

MD5
1225a40f2d91deb9ebd7964024f62dbb

SHA1
741cc59fca00b2c9613255e83789495c85ce5033

SHA256
befb8e237518de9281412c718dc1d2297c1b910517fd6bab054e86fa0fbb25f3

SHA512
ed112fa4cedf2550601b625f04d90a5edf216ed1e3d99789743116d178aef6609f9da8c9000e07a2b6bbb2c0c520cc5b40c97bbb6a768fa573827103d810d81f

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
264KB

MD5
4913486bfff5e9faa96e0d93fbdaaa04

SHA1
6a7a426d3f36a1e2b50fdc90a26d17fcca420338

SHA256
c6eda0dff3a80195f8c5ee2c3c1850852eceb2c3b6cd450c6e64695bc7292bda

SHA512
a488813338ad9f6534c65ba78337916ac56a5d22b2d82c617648d0dff4d96edbed179fde193e325e76f9831f06ad38e603a2fcf0c36c4e03786a17ac3430705f

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
264KB

MD5
333fb242684984181d297e1868315203

SHA1
5734e0be46c2b05b4e04657b43665bebda1c67fa

SHA256
8628d56ce1b438aa58f349cb4a3e7026b03f8a2a8d62e8f22423f1f1c6150ecf

SHA512
7a6c6b7c8ae315952e4c48f2030be616f1276cd3118213444b92ccf4e2946cfc73333208e7eccd90047b2f519aee227b565f4a1c194005dfc61f6373cfefe1d2

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
264KB

MD5
b923329d67dba6106226e9a1af155de4

SHA1
333104e55cb1726c6e389b72482e796ed3a318ab

SHA256
c326127492358136cf104afb4a83f9f9067029b50de39e720ae4dde78d5a9adc

SHA512
0758b477a371274d73b0d8fba4a5a7c4e6602acae240661890051e7ddf09ba0f3335e950f8167178233654ba79996fad94962c72e644b01234d83fdd5ac14211

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
264KB

MD5
04f23c7edd5abf6911ed9f742155d762

SHA1
c40e337f7ab8186449a5ac7d0ade9934bfc7919e

SHA256
ed07e0dfb74c1b15ad0c8aa09b0d2dfc5bb07b2a2fd093ff27499e2d9461c626

SHA512
8cb536517d734e110ee6b1e95fbfb46efaf2883efbe1559afecbfc513ddee13483dfe190796a0310327b25f483b406eb2654af5de780b98d8a53623a1f19e582

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
264KB

MD5
382830cba71bd237359a4ed7caa18018

SHA1
f91146eba35b34146fe95a2fa14fdc8e4c42f7f9

SHA256
35665cb11554544c22941184e144f0b61a119643f8c7d6660b84a86423b7fc69

SHA512
50704964b9b5fd1927e8cf29a6cfd9caac5480d74b9638d0c09300aef08c5206a3474be49dc434c25affd7dba8e7ab524d2b307df7444faf6fd54853ac968515

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
264KB

MD5
1b05798657a09184583296ca797efb83

SHA1
5ef3ca570da46e7021526d5d5d89e9fc26981cdd

SHA256
81c2526582672f9d62d3339ad291019810d79d5071ecc6901a647ed57996b956

SHA512
8f6bb3346c25e83932c72d75ba17e8d8b48290d39c76a6dabcae7acf331651e0f6d319b85443573bd620ef1ea2c48348d6f40fa58fa53c009c632e96ddca21f9

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
264KB

MD5
62a5c592fe30b9a4632307abbfab716a

SHA1
55aca6a9ce288c37078ea7ed9fa613f2d8e34d0f

SHA256
b62b9f93dbcffe1e2b6eb4e2647d3b47de3bfb9c89041397dab7d19c6b6f5dad

SHA512
f5b1749c345081d25a4bf99f2a66489a4f8c845963e32c94e5e2c5318cb7f4f62d14cafad6c254568cf85c0a50fbbf527dcf4a685649990bcecb36dd157a3cdd

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
264KB

MD5
a18ff14c6c6848d3d7ac93c1412fd9af

SHA1
b83ef8ff28761e1d147ce8c1b461d8720ea60204

SHA256
128865af756c27dbe3a35ccdb8f588dcfa38a23018b3eb8118d1d6e73941b718

SHA512
d01a543b966526f445b1552cbd8c5f33a08fe1f43222b93c88a64f5d9f2d21e5d5ed2ab0c8b5daf979c920343dc23d457aec9aba8fdf67a6f2295843885c9a3c

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
264KB

MD5
3d1b75e35350e9ea365fc24169e44ed2

SHA1
9890cbaf41965bc64503041e41441989d5f3e68a

SHA256
7252bdd02ccce204d9b001dc882d5fd82f85840b5f414d6737eb2aaaff905013

SHA512
449f61f53dc5b85ba8d703b3f71c9244fa9bd9cf62b34b1f792fa6d8d4d8af227d407fe7c475067a2006daa7e7e921fd8f0d7108e0381c1278e795cfd85ec126

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
264KB

MD5
9b5e7bdc64feb6cf87b70e200d68a28b

SHA1
75f4d92df0e75bcfcf4af6fb8f287c9098b86010

SHA256
c28466610959efb336e22adc85cbbf60fb1a6a04ad2ebc2c3d9e62615411b61a

SHA512
6577ec19241af33c32e03cd3b1476dc6863663c419f9ff162a75d2574f3f2a44706717ab9faf8ee6cf7056b7ef4696018f9c3e8dad494f8d233137443a08e6bc

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
264KB

MD5
dd8a4d88a8e2ad436b0df1516efa0362

SHA1
5a5664e061dceaa243212058f1d12fedee29bd1c

SHA256
9449559a8c33bc67f1281e15547bfa7531ef518b38dbdb55ac9d144df30a407c

SHA512
e82dc932975684a6b70dd5722bcdd54d9b325e24a0a468b939cd653445d7bb5d367eec41c9cbd817fb9cac47ad94bce45fbffe3e32c78a24cee60087ccfbd3a1

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
264KB

MD5
c6b04f297bbbeaf2f9ac011e11948688

SHA1
412165e1d6ff3a49d7430e55ea8dbce2a6a4aa0e

SHA256
4740e59fd1afea964d17e985c64f82b8d10fd360149bc62592252a4ff322e6ee

SHA512
8f3795da365475148222101cba5de079bf2fb4adfabe31767780e68224613f131a80acd75d2e64ac556685727bfa7ef235bd80af7b51979e9336f4f24c288cf1

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
264KB

MD5
7694a71bc5976248ac9dd0ae9c0d7050

SHA1
91db51236719cc2e65444b9e2d3f179745c182f3

SHA256
af0ade58c0b42ec14f38a389edd44a367a3f66ee5bc5df732321f692149dd080

SHA512
805b970802daaa777a168d07733f78da9f4f9ba198b0760d030ec1effd6e9bc901ab3282ca1fde4faacdaeea137d17e68cc6cc5cf4e63b07a89ef281e724bdde

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
264KB

MD5
54617b71ce0bbaa32f231cf2b205f6e2

SHA1
479d9ecf60ea7c761fea8847c6655cbdfdc7528e

SHA256
08589e17efae675a7d2b5c7db2eea3bc47f1b8061bba5124efa886fb6bff6a8a

SHA512
e46cb64acdaa1933556236d3dfe9a5f74513580652831cf57fd9a96a57a20be430beca15e4b179443b47774ec76023d26c2a0f8f418e1d4c639f262cb134e1e7

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
264KB

MD5
880917e7e2d0c12dcca6bf0d8947f602

SHA1
52aad70988bc33f0eaf3552c18703958df93a737

SHA256
5beb66c38764067f5a7e0c6d7d73ae9cebc0d99025d12c49400115e462eafdaa

SHA512
206e08479eecf6155863ee462e9b4748d0ab15d21b1d40b4127845c90480feca4cbaa8449af8e9a571c42c1aaaa49c5f3f38d0c1b8554c82958fa98ac22b931e

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
264KB

MD5
8404969a3f10a621a1a6e761ff64ef28

SHA1
f4312e2075a9d3030798b015eb31215d460dbf70

SHA256
2ee920b14e759590e39918761fbf6ffb8367458aacd649f856242a63a423227b

SHA512
9a80249e54de8875a06c4edf40aa450fa80882eb0db9d68dcad6e4356ce1889ef5cc8fda51b5326f7fd9f646b4c8f1655b85a57f57e79db1139ea24b7f3f4740

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
264KB

MD5
08036fd16c23bdd103f4670b15e54495

SHA1
cb216ce63c2c99576bf511230d7e540fc4c5634d

SHA256
b06066bcec36e8a88f1d73c65f75e0dcb6edec2670bc4009c0e62c60cdf8a90f

SHA512
f5fd3374376ab54ec5bf2a7fa1eb8057c4135db202ca10a5fbc26a2af5f3bdb4aa9f277143867c50f62ffd55ebcf7176a10c2f3af72daf93eec76f8703581cd6

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
264KB

MD5
23435115d2fc49b12efe78ece3905e11

SHA1
9e51e80532b8194c9ea71d5642e2fc9b6be0d9d5

SHA256
8ac66d93c3e68f0aeb6c3ecbd9cf1c4e290740c988c9e45d7470de1a2471d4a9

SHA512
ba6307d06b6b04110ab5f361eb8d51075a8c50c1fa32dead9a3b35452ea2a3a5f2b273dfc03dab4abf1926764faf37af6f490f62a548209439ac40f65770a07a

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
264KB

MD5
9f5f95fb2c1747a6d18ad6885ce6ccc3

SHA1
e78c32df1a41bd6ce2acace0aca9ceb3be015a55

SHA256
34c80d31b6a3892fbe75549c566b2119e921501b2de662604cb4ef79999be5cc

SHA512
a28a1284762b1b1da8df210913ab74ce3c433eb87944d915e1b0e4f5939efc20caa868dcacde2b80fd056b1ed2a59a7c503b88c72762df922afd77483120d7d0

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
264KB

MD5
46d83f3ec54f20e441571e2d629ee877

SHA1
fb05c864339f8cab7b045af85819af0d3d800a82

SHA256
6c36c54fbfc5c7e18150c6e2a86825ca1b685c321ab191e7bc4e8caa6b5ab464

SHA512
2d06be7abf92161f1f74cea721cbabc058813eb2f219e9b42f734cd4b25e438dd62bf0bc8111cac66be8531f253d92b2a53d1b97432c4170ad7a57bc4dd5cab0

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
264KB

MD5
bf26c74fd4aa1bc9829acb059190aab4

SHA1
be1e120c9f30fe8cef4683726d7725223380dd1f

SHA256
123cdacbe68f005f7a86187e8d55ccfb6a1cab307f4f871215dde11c0f89eb23

SHA512
bbea70afa550ff895daf3adb0f8968a41132f664054deca56a1484a3f857b92e1135074df6182504aa8b396f512dadf2c33c4860c9836a2a7456d9a0538f3c82

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
264KB

MD5
a42e5590a765cf65b96bde8fac85b914

SHA1
1beedb6176ae8d8e3c37852e034f0b23e03b386c

SHA256
08c430a30a7a7c5005cd2ce5bc08cedbd0856950b8ff019292ae883d86e99dd7

SHA512
886c185e8248964855424c16723acab94d8ea543c6ae1f161747b8ffd2e6d9673dd5abd4c37a219663f15cf65a42a4335a8bbe4d693cea33d7d200284669b575

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
264KB

MD5
ec0c3875eba591f4736642ada807d8a4

SHA1
aba15e863c417270caca2aa41e57d0205a89fc0c

SHA256
d8c2804206a0c5b3edec8d733e1868add26758b4c51f5cdfd22a41cf6b76aff3

SHA512
58d43b4fb0ea85eb6c1b09405f9b59d34278f183720b1cd977f7703c56e2cd35c90960eb877adecfcbae8c6b968593b05e3251944d89cfe46093d0c5b73f36c9

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
264KB

MD5
57a268d285b81d899fe8c7a5187954bd

SHA1
13bd7e872b8dc2bd52e6685074afc51494d7519d

SHA256
dd0c6975a753769fcea6737e0fb74491abcf27a0c4a9a3c52d86e24c2bc98b4f

SHA512
0942044a022a434eaac0dfe820020d28bb1910342d781bf5dbee6020aa55ee8fc7b96bb3eb7c4a321cb18e298e8e1027904e340755a189aa04af6df061d2dec2

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
264KB

MD5
b5a0b52e1d430522dc16a21e93f9925a

SHA1
0f0b23955859c33a2fcd6b2ff0b5aa7c27a34d70

SHA256
5cbfb90e23a5880d10d2077683ddf2a3eba1d7071ccac4d92edebca3ecb0bd81

SHA512
2d3b9259a2bfb27f7a604acbd00c2161a5ad13ee931e76840eb01fb358a49647f6062655d398ebc15ed7ce1675698d34a6343a2c5d928c9fee973ec5ef43151e

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
264KB

MD5
13fe326664964c248c0b5beb1586b24f

SHA1
a038934e2cb70af235ab91d4d7daacc6a8cf5c31

SHA256
cf93254313f4d4dbc3bd9661c180bc46dc7ac687437b1152094ac9fd35491479

SHA512
becce1f9371ec117740a450f67f75e4bce47c90ca9102b8b23f8b844688630e43053213bb363a6cda09f9d25fe12ecaf01b12b27821b1ca5a1cdfb65c725e9d8

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
264KB

MD5
143d96ff2b3050242d89e9a13e7976cf

SHA1
e6878ba9afbe54492819204d611af3c6d5f82ace

SHA256
b032acc9609ca68a813b82c04baaba4767e51f88049e45ea991eb010a9c16e41

SHA512
38066e12704c692d4e3e898b320034cfd9e5ccb75d72decffafca20995a1ee51080b24a91e40769bbdc39db46e3d2b2fb990dcd0b4b61274ee0d2d62457caf7c

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
264KB

MD5
e33c58ef1b9a818535e4048494284855

SHA1
528b599883e388a2560211f621c0ea56846941a2

SHA256
289c1a103aa64cb59a8c3c644645822c53f13b218656ca08c58b4f9094d4b2ff

SHA512
e5a0735d240176dad2c0f54639dfac43a9dfec2bd114d8249a119d4a929372197d483db5623158aebe194c80eb6c97e718dd2171194e6e21a77c29bc0e0d83af

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
264KB

MD5
90ff757aeae6cfc834563ee06f88f039

SHA1
e63ad16732a127096929b259665bd4e6866ab79f

SHA256
5013da2c389102c832f0a75459d3a6e25011aabaeb9f8fde50860d24cde5891b

SHA512
ed8a0c2e6f3860e0f6c2fcf45e54c355a5d3e45977e3c76b141d8642e26f0bf95d25a2b8293beb01007459cb2eaa33456f6d1b8ef197b9904303965969db0b9c

Download Submit
memory/408-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-604-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5160-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5204-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5264-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5312-602-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5388-737-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5928-750-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads