0b494277da35eb3564c22d5269712594a88335b54948fc6d625a9194b506cb8c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e52aba701937a4296f83b5cd58bf33a0_NeikiAnalytics.exe
Size

255KB
MD5

e52aba701937a4296f83b5cd58bf33a0
SHA1

8a2ba36de41247bc20ce4763396c0d5b141c7721
SHA256

0b494277da35eb3564c22d5269712594a88335b54948fc6d625a9194b506cb8c
SHA512

00529cdbe7a07aa22261d914b2ebaace323efd1a1a7f954d7895493babb9a294388dd7d475bf83839117a2b52ce000f76c3893fcd46dcfd49dddae0290cfe7fc
SSDEEP

6144:B0KY+vnrXeWFnTE2xUS6UJjwszeXmDZUH8aiGaEP:DrXeWFrj6YjzZUH8awEP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klljnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kedoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe

Executes dropped EXE 64 IoCs

pid	Process
3048	Kmfmmcbo.exe
3668	Kdqejn32.exe
4328	Kbceejpf.exe
1040	Kfoafi32.exe
972	Kimnbd32.exe
2840	Kmijbcpl.exe
3220	Klljnp32.exe
5004	Kpgfooop.exe
1608	Kdcbom32.exe
544	Kbfbkj32.exe
1152	Kfankifm.exe
2364	Kedoge32.exe
3116	Kipkhdeq.exe
2728	Kmkfhc32.exe
1372	Klngdpdd.exe
2428	Kdeoemeg.exe
4728	Kbhoqj32.exe
4388	Kfckahdj.exe
4692	Kefkme32.exe
3396	Kibgmdcn.exe
4936	Kmncnb32.exe
2400	Klqcioba.exe
3244	Kplpjn32.exe
2132	Lbjlfi32.exe
4312	Lffhfh32.exe
4376	Leihbeib.exe
4056	Liddbc32.exe
4480	Lmppcbjd.exe
1868	Llcpoo32.exe
1212	Lpnlpnih.exe
4804	Ldjhpl32.exe
4892	Lbmhlihl.exe
2808	Lfhdlh32.exe
3032	Lekehdgp.exe
1264	Ligqhc32.exe
732	Lmbmibhb.exe
4792	Llemdo32.exe
768	Lpqiemge.exe
1196	Ldleel32.exe
3992	Lfkaag32.exe
4160	Lenamdem.exe
4452	Liimncmf.exe
3088	Lpcfkm32.exe
3644	Ldoaklml.exe
1880	Lbabgh32.exe
1112	Lgmngglp.exe
5092	Lepncd32.exe
4788	Likjcbkc.exe
1932	Lmgfda32.exe
2176	Lljfpnjg.exe
4844	Ldanqkki.exe
1776	Lbdolh32.exe
2020	Lgokmgjm.exe
3500	Lebkhc32.exe
4180	Lingibiq.exe
3672	Lmiciaaj.exe
2904	Lllcen32.exe
5048	Lphoelqn.exe
4948	Mdckfk32.exe
4292	Mbfkbhpa.exe
2920	Mgagbf32.exe
4300	Medgncoe.exe
4028	Mipcob32.exe
3664	Mlopkm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Mipcob32.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Lgmngglp.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Lepncd32.exe
File created	C:\Windows\SysWOW64\Lmgfda32.exe	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ojhnmh32.dll	Klljnp32.exe
File opened for modification	C:\Windows\SysWOW64\Kefkme32.exe	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcfkm32.exe	Liimncmf.exe
File opened for modification	C:\Windows\SysWOW64\Lepncd32.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Lbjlfi32.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7264	7180	WerFault.exe	289

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgbon32.dll"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 3048	3380	e52aba701937a4296f83b5cd58bf33a0_NeikiAnalytics.exe	82
PID 3380 wrote to memory of 3048	3380	e52aba701937a4296f83b5cd58bf33a0_NeikiAnalytics.exe	82
PID 3380 wrote to memory of 3048	3380	e52aba701937a4296f83b5cd58bf33a0_NeikiAnalytics.exe	82
PID 3048 wrote to memory of 3668	3048	Kmfmmcbo.exe	83
PID 3048 wrote to memory of 3668	3048	Kmfmmcbo.exe	83
PID 3048 wrote to memory of 3668	3048	Kmfmmcbo.exe	83
PID 3668 wrote to memory of 4328	3668	Kdqejn32.exe	84
PID 3668 wrote to memory of 4328	3668	Kdqejn32.exe	84
PID 3668 wrote to memory of 4328	3668	Kdqejn32.exe	84
PID 4328 wrote to memory of 1040	4328	Kbceejpf.exe	85
PID 4328 wrote to memory of 1040	4328	Kbceejpf.exe	85
PID 4328 wrote to memory of 1040	4328	Kbceejpf.exe	85
PID 1040 wrote to memory of 972	1040	Kfoafi32.exe	86
PID 1040 wrote to memory of 972	1040	Kfoafi32.exe	86
PID 1040 wrote to memory of 972	1040	Kfoafi32.exe	86
PID 972 wrote to memory of 2840	972	Kimnbd32.exe	87
PID 972 wrote to memory of 2840	972	Kimnbd32.exe	87
PID 972 wrote to memory of 2840	972	Kimnbd32.exe	87
PID 2840 wrote to memory of 3220	2840	Kmijbcpl.exe	88
PID 2840 wrote to memory of 3220	2840	Kmijbcpl.exe	88
PID 2840 wrote to memory of 3220	2840	Kmijbcpl.exe	88
PID 3220 wrote to memory of 5004	3220	Klljnp32.exe	89
PID 3220 wrote to memory of 5004	3220	Klljnp32.exe	89
PID 3220 wrote to memory of 5004	3220	Klljnp32.exe	89
PID 5004 wrote to memory of 1608	5004	Kpgfooop.exe	90
PID 5004 wrote to memory of 1608	5004	Kpgfooop.exe	90
PID 5004 wrote to memory of 1608	5004	Kpgfooop.exe	90
PID 1608 wrote to memory of 544	1608	Kdcbom32.exe	91
PID 1608 wrote to memory of 544	1608	Kdcbom32.exe	91
PID 1608 wrote to memory of 544	1608	Kdcbom32.exe	91
PID 544 wrote to memory of 1152	544	Kbfbkj32.exe	92
PID 544 wrote to memory of 1152	544	Kbfbkj32.exe	92
PID 544 wrote to memory of 1152	544	Kbfbkj32.exe	92
PID 1152 wrote to memory of 2364	1152	Kfankifm.exe	93
PID 1152 wrote to memory of 2364	1152	Kfankifm.exe	93
PID 1152 wrote to memory of 2364	1152	Kfankifm.exe	93
PID 2364 wrote to memory of 3116	2364	Kedoge32.exe	94
PID 2364 wrote to memory of 3116	2364	Kedoge32.exe	94
PID 2364 wrote to memory of 3116	2364	Kedoge32.exe	94
PID 3116 wrote to memory of 2728	3116	Kipkhdeq.exe	95
PID 3116 wrote to memory of 2728	3116	Kipkhdeq.exe	95
PID 3116 wrote to memory of 2728	3116	Kipkhdeq.exe	95
PID 2728 wrote to memory of 1372	2728	Kmkfhc32.exe	96
PID 2728 wrote to memory of 1372	2728	Kmkfhc32.exe	96
PID 2728 wrote to memory of 1372	2728	Kmkfhc32.exe	96
PID 1372 wrote to memory of 2428	1372	Klngdpdd.exe	97
PID 1372 wrote to memory of 2428	1372	Klngdpdd.exe	97
PID 1372 wrote to memory of 2428	1372	Klngdpdd.exe	97
PID 2428 wrote to memory of 4728	2428	Kdeoemeg.exe	98
PID 2428 wrote to memory of 4728	2428	Kdeoemeg.exe	98
PID 2428 wrote to memory of 4728	2428	Kdeoemeg.exe	98
PID 4728 wrote to memory of 4388	4728	Kbhoqj32.exe	99
PID 4728 wrote to memory of 4388	4728	Kbhoqj32.exe	99
PID 4728 wrote to memory of 4388	4728	Kbhoqj32.exe	99
PID 4388 wrote to memory of 4692	4388	Kfckahdj.exe	100
PID 4388 wrote to memory of 4692	4388	Kfckahdj.exe	100
PID 4388 wrote to memory of 4692	4388	Kfckahdj.exe	100
PID 4692 wrote to memory of 3396	4692	Kefkme32.exe	101
PID 4692 wrote to memory of 3396	4692	Kefkme32.exe	101
PID 4692 wrote to memory of 3396	4692	Kefkme32.exe	101
PID 3396 wrote to memory of 4936	3396	Kibgmdcn.exe	102
PID 3396 wrote to memory of 4936	3396	Kibgmdcn.exe	102
PID 3396 wrote to memory of 4936	3396	Kibgmdcn.exe	102
PID 4936 wrote to memory of 2400	4936	Kmncnb32.exe	103

C:\Users\Admin\AppData\Local\Temp\e52aba701937a4296f83b5cd58bf33a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e52aba701937a4296f83b5cd58bf33a0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\Kmfmmcbo.exe
  C:\Windows\system32\Kmfmmcbo.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\Kdqejn32.exe
    C:\Windows\system32\Kdqejn32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\SysWOW64\Kbceejpf.exe
      C:\Windows\system32\Kbceejpf.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        25⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        30⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        33⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        34⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        36⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        37⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        38⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        40⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        41⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        50⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        53⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        56⤵
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        57⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        58⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        65⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4832
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        67⤵
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        68⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        69⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3608
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        72⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        73⤵
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        74⤵
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        75⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        76⤵
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:792
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1984
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        80⤵
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        81⤵
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        82⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        85⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        86⤵
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        87⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4076
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        89⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:184
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        91⤵
        Drops file in System32 directory
        
        PID:824
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        92⤵
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        94⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        95⤵
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        96⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        97⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        100⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        103⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        104⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        107⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        108⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        109⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        110⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        111⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        112⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        114⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        115⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        116⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        118⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        119⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        120⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        121⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        123⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        124⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        126⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        127⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        130⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        131⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        132⤵
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        134⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        136⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        137⤵
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        138⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        139⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        140⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        141⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        143⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        144⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        145⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        146⤵
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        147⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        149⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        151⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        154⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        155⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6760
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        158⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        159⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        161⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        163⤵
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        164⤵
        Drops file in System32 directory
        
        PID:7112
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        165⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6380
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        170⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        172⤵
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6904
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        176⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        177⤵
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        178⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6396
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        181⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        183⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        184⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6956
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        186⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        187⤵
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        188⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        189⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        190⤵
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        191⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        192⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        193⤵
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        194⤵
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        195⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6488
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6444
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        199⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        200⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        201⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7180 -s 396
        202⤵
        Program crash
        
        PID:7264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7180 -ip 7180
1⤵
PID:7240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
255KB

MD5
109dedf24480807d522ea13396b9c5d3

SHA1
4e84d45c050e2af66e0bda679366bcac0137a2b0

SHA256
ba7ddfb2f2d2678306c843f774c22e43d94d24b4d7a9b4d5e0e1499c578e5ebb

SHA512
7717b68e3c6d5a774afe2892127368cee22cebafc90fd8f2f023e77e2764125b8dd5f3021c93bac83efd3cd96e2b988ddea0c9b4a2af56cc3d6a45aebd82b9bb

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
255KB

MD5
e9a0ff896e55a32a1d500e2d5a1bfdc1

SHA1
5520c354a5f35983fe328558dbe71d53305ba8a4

SHA256
806c3e137d6061114d3b69f031a1814f01f91362aa35d1185e7467d6a1f3426c

SHA512
e590a84fc371de913b4a9fe131f284593258a00559e19f742b560a978922797e359ee96b89f047cfcafc2e1cf75b7ad62ac790f661f45575e82f8b4f4f383a83

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
255KB

MD5
c046e9e10a8f68900f53568d17fb228c

SHA1
bf1bdaee1e7fc73fe9e6a88c08e0dd0b76ba4139

SHA256
4c1601566eaa164b1cd055fa854423755d8204fcad9a0a552001d95f76e82575

SHA512
f40ec3444abc2229b8dda0749afa837f98567aeb8ed9114c9dea590aae67c6868e9fa71152a3bc7bea2b8c56c462021fa89fa98c90f0baa6e9cb832e5ebb96b6

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
255KB

MD5
8a49549dbe6e28d58b7e2e33da280bce

SHA1
71c4332f00df4508d3ca47a4a326e804e04fbb48

SHA256
11d700aba0d2dbf13007590ce641c78e76416e969b898c14063d607995b850a3

SHA512
c7a97ad848157ea4327f81cc7ea21af3a8f08cf3c71f204cd7a20a73cf325fda5c85ddae45afa1d2014db00eb97b28ac08d5c4d4634e973765287eca47573cec

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
255KB

MD5
87fc26625bf871d50919adb427218ec6

SHA1
74503e8d6804ed6a4849a89c5df12046356b06c1

SHA256
a703dbac550cfc31565ab0c76c3fb9ffee5e348b5df3580b438bc4f6e2d65afd

SHA512
a4f6dcb74848b5452e1d06a0e7e741a88742a33554808759b286e2b0f7468ee96885f841df63be2c555cd8f119f31ab0923c016b52b84ff7c5eb193ce15a80eb

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
255KB

MD5
1b5ea3eef53e009c2d02090d8c434fe6

SHA1
b816208f6356e1c6cb072978fcff2f6f6afba8ed

SHA256
d99adf91489e416b2ba52207980015f9ac885216f8a21686da861ea56c9dd2b2

SHA512
c4394c389bd59c7013f33456066318efb2ab65e0b0ebdbe40f5c442584d4c3a9652893c43476588d3387a63ded9c20f2e9d0c165db7d2cde5d74557e969c1fe7

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
255KB

MD5
704686cc75a772397792bee8104b4c05

SHA1
618cc738123eceec3b53f734bd9c1cd5771e3efe

SHA256
3adb25b6cbcc0ed1d7ca4541bb50a0d3b0f08bd91e10c278c913cc1f6ebbe7b2

SHA512
790dee00dd3037478c4a2295e139c95e60a126954bc2c4a2d6d4879608dc1ca4b825932ee91ba59ea0871453f37f0efc382ca6b1288aefc424b7f36670a98bf4

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
255KB

MD5
4bfb894032043b1411d9d991e5b25326

SHA1
dec01638371b7c24437980a99257cb78e722e6a6

SHA256
2fe8e803a40be8afa5c3fe8500e1ce09207d2df50a3c124a3d302da4759801c9

SHA512
2ee723bf7a907545051704e05ab3eb02d477786b94075999894b037a91b45af11f973b321099e8eaeb617e869a8ce42d5c14c86348bcb1113aab2eaa8038d9d9

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
255KB

MD5
c2cfece13a62703728985f96648a8591

SHA1
f72f4890c7c540afb37ddfec5c51295b7188c893

SHA256
39b688915c6417ad3eeec97f7829a8353073b47de7758915f8cda62e335d903c

SHA512
5172dc50ca71c6e1058a0d33591158f24ee767ead0a79993819a8a94021a60b692512959b91b4993932d6775d7d53cd422e4efde78c7497e6fc3c0155c04a7c8

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
255KB

MD5
2b1c9404ae484bd1d2ebc86a2ff62504

SHA1
919960bf06ffcf3a595116d8197a2331ab7b17a0

SHA256
5db206e755672428d162eaa49bd7e969f5235955bb5506916d5d1ebf645c00f9

SHA512
0ccf1a659d4a53631267b364a72371c9c883bc011a62fb4b5a266bfab00517fd516dbdcbd822d0207cd734e1301d7ed963ddb1cb768c59157ab4bce2daaef9ac

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
255KB

MD5
fe33370be73dcab3f9f4d40eadcf030d

SHA1
5f6b1660afe6cd7f02387e75321b1d3372c38f98

SHA256
e60f000de3e180ccfb575032013a67fddaefbf211ff041be56ec3178b9f6135c

SHA512
b96c1d03ef78706e5c419bfe75ed660026d2af4ddb393154e54a3a939d71a16b9552fc164a9da28152dabfa5ff64acda12c4c3bd68d7fb2c42f675cf01d02a12

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
255KB

MD5
cd7e76b8722c4b6ad7e8d6708c14b89c

SHA1
b296b3a742eed9ea143278ea685c1adf771f4ea2

SHA256
7b6edd3a2157525c05d384f2afb6c695474e95c012df3fe9efcf8b2d65f61cc7

SHA512
7fda5d098fef94ae41e211109f3c470333c6d233f8b9f244016fefdeb0309ac7658169d26ddda49b67f9390e0a7016bdecb3dc32f62fa230d2d684a8d109a9da

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
255KB

MD5
4781f1a96473a209041d59948db5da1d

SHA1
d045db40dd13d318675f9c49b61d11784655a24e

SHA256
15392d6f8abb7e0f03c459bb2045152afd765f3ef4a11c3fbb3424bd2be578f9

SHA512
fb1bc40a54ab62fe6d56cbeb7575db61ae8ee31e040f5461a82e15ac4f294bf6a102296db89955fa335806293b239857eb52ff8ec234cfb1c35b726b973ffdd9

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
255KB

MD5
b1ebce927158cf7c94e702a2d80ca91f

SHA1
c0088b83d35424b2f4196ec31a7d5e44f55f3f1c

SHA256
38e1df32139e12f466e0cbcce84cd1e1e36c185463a15ac54aae8977bfb61a4a

SHA512
f602e0d893623efe239cd974a7dc0be49c1a622c3abd50955b349784763e6c589346ccec52ed87c82b9a1b118159ab82d5cb0cdfa1b0d0117dd7fa11c7dbb407

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
255KB

MD5
3da4e0993a7205007fd6fa61900b43e3

SHA1
5595a4be9c064d4b5f84544b9da6e7e06f99663a

SHA256
b8074349b22ba4194c92b17dbcc4d97c05c82b49c444228c00730a34823807ad

SHA512
fc30a90d4fa67203f1fcf04437be51d5ba4c53d6c9577c6b17b6a2ac0aaad431a9f109a0b0b12cda74668a85a92bdf34a5390e91ccb81c6919b36fd702fd9176

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
255KB

MD5
ea9fcc6f838e16659b0a58a5d79febe1

SHA1
9a8a9a87084e4fc951f6a0507e3c2178cb3229f1

SHA256
0e8bb016efc2b8101a6ce9728862efe0fcddb5569021e23f046ec715b13505ea

SHA512
9b2e9ea243694e07438a2b64af38bd277a040f61fa51b8554643be02569c72043fa4826219e2a53355e00d25729dc8e69697e963da7f7f90ee2b4ab54fcf32c4

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
255KB

MD5
49af827f67f6e4c90897148e5d0c2a88

SHA1
c49176684c30c7a57e75284eb4ad0757fdf8aa58

SHA256
add103d05426e81f0268e79f90461af74cb5f6267cb95a10240e68a983e6e959

SHA512
ae7025be937dd5a51c9ffe151b21b44dc175c81a6b5dd062164f96517812b40f95b4d5ac2c6dfdc690862447c984580799fa1262b3f0e451e52e220da26ea4e2

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
255KB

MD5
6c2c75ae370a4d23568833e7aece368a

SHA1
2ef191baa22305c0459a3d30a662e4b06c8d5632

SHA256
a2776697249f21d61415fb990434802bbc28f22552a603a4cae83970c5a15e20

SHA512
e00617c31901bf6be631caf0f3b5cb40a0bdbc3f6327f3561779610f4fa8a2739a7d4c74ad4274afe565e962a40caa05552148e077a7449a5a7ae5757b97633a

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
255KB

MD5
8e34f252921c0de1de62d770869c51df

SHA1
a77f919569b7bf3da501864696d495ac1e62524e

SHA256
8432590789e411f0155a5dbdaa83836b250e5d392ec962341c779473431de86d

SHA512
7d86e4e3fb5e58d613ef94c85d45e4304c7d58520cd113a13676039a28fd085ac1d6b47398a17083bf9d5cc0d8b6abb5d99607906bc9cc7c2f10ad1b7aa7bfd7

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
255KB

MD5
10675ba49f87592a92925349bb454582

SHA1
cf75d4e63cf7bbc00d1e52ad2c9e216d8f637bcc

SHA256
03d4432a9c2ebda5b1afd54943f2a7dd48a08da9adae0f82d5bdabe288ac171c

SHA512
3b3044a41a38fabc5d9bd86f6cafa9daae249f5f72eab22491608e7fa0a0deddb7c9d462979cdfa94a4461857f46be455890d3fd418d2d1e37e2129354262e8e

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
255KB

MD5
c9fab6c6e97934c06053ecb5495546be

SHA1
5c1c99ddc5a635e85e94c72045191e04e4c8e2fe

SHA256
fee5695b8c280d3dc4d33494ac5f37d170577864ade10a0e1fccc6fee1d393b5

SHA512
6094be20c1583dcf08df4447cdfd866d6ac5c71f179c53591d295eea9ead0d84909bfcb8c7913d22e7d1f4d9e28cdd29921267b0f5dc1cca2a74816b0e1a45ae

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
255KB

MD5
386deda7e7bb545eaaa050872ae86d97

SHA1
d4531d9902ca2f43f697ae728717747266f56eb5

SHA256
a46a6451d784ae121c14eb55d4d35e4728929bebd3b8865810dd36db40e8328e

SHA512
6f08a6922a2c7fbb1c01b5d4fe08ddf9f91b205ce9b694d7393a5d769dc61c76effc8f19819da8c6028565bcb1a52d731268d284492effffa1e6d715558893f5

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
255KB

MD5
7c82b4c99cffadebe7ffcf6b5841051c

SHA1
3c3d5d295c0ab048e9892360b671d2554e063de9

SHA256
59364b96d3b5673be2367633c00072fcfb5a91a602152ba1dd37ee9f668d9645

SHA512
98fe619ba622a622104b3be27613284420e803191a617fd4793376319d3becc3af6064b1528a0bedb640f55e0b59af05674be876f1189ce8e80671ea9f1dd0db

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
255KB

MD5
10da195557329b0ee797f7e6e46f48af

SHA1
bee31127d5236e7afded833ef26779a3a9781658

SHA256
e549bffa85618c0b886a0038d95ee88420aa3a117f90fc38ba8080e21e56e3c7

SHA512
b14b590afa0daea5feb5ed087754aa6f2e1f6ec3280d4fc7c083d4563272c25b11168907509db447e18841fd59654b7ff27cc4b3b2aac5ea759f0ded396ee2ac

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
255KB

MD5
d226b57e48bc5b8bf0c3daf560ce82a2

SHA1
d69b96b03296ebc4d54c0b7291c369b79a8487e1

SHA256
b7eb1c06dc5fcd5c2eecd4345e5be10c11b97342782b607dcff51410e3842e48

SHA512
a12b1122b0c6909f6eacd9c53fba2c36b03ab450c55d7cf1a80ed578c9757127f4966f0b4c66c301b4fd86ff2f85c060fa3a879a09d6b9c23f93fed87efbd2dc

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
255KB

MD5
4ad5167763837e678c7eb402f846a3a1

SHA1
9e34b34553dc3b4edc4eb6e04b4e98648b5e1595

SHA256
0ee50e568287eea5ca32fc642abb6093ae841740076814e90007cc5bfa195bb4

SHA512
fbd0f05b9338c2212ef3a4241b86451d9c34fb349e560cdac855e3001a7c086ca60190ce55e5cd7fc499e86785a201ed4dffc1974fa55458a77c93f35a1494d2

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
255KB

MD5
955bf807c75c94f5ab87f1dc481831dc

SHA1
5403922a739fde12ec4ef79098f380154f4763ec

SHA256
d46cb236a739fe3a43a1ae0dee6654a0145270a16a0b091b0de4bdcc12573199

SHA512
f1f39a282a2e1c9f7a6a501611ca03035ec3c646d79a97fd27369d694988c9ebac3ca0a23b60b0fd0e0501d0b42c53cc14193652b87415bae14c9cec35191813

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
255KB

MD5
bb244021ed61349e3d9e6374d495ee29

SHA1
6c5f3fae92649465ae51d2a047531905aea91a76

SHA256
24aa17b96b53450a5306b97369b8fab3dabf6e865b56efa0f8e3463f3a593099

SHA512
d1f32320f379c3e63fe82071b85a440305886c8b9e8b4f1556be3102089864a69d75e6495b5f63897963647382ab7eeec0e02e1be9fec1c5faa76cdd36e0465f

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
255KB

MD5
990548038c4bd9e580d31391b092bc06

SHA1
bda40d829d6a6c01d8e233fa6a5ead6672ad2dbe

SHA256
8f3f14cf557b454f0b95d3d1720001df6e23e74af27b8f1b16ef1ff45f23298a

SHA512
67793e6bea25e6809416ba6385b2cf222eb0a766127d2c1abc3e36177d79a28b863ed45bed09db93ad1dc885344d52bbe4212e764314d8325c6c218273944993

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
255KB

MD5
28638ff3f8208090bada2cc0564e9972

SHA1
87f3a6bcbf07bfd300a51b5335ce68443d66dff2

SHA256
e039b8e369c85f8dd120cac889805596f17ab9ea66d8879e3d34866c02c4b6cb

SHA512
6b5a92a7a86a72fe55d5c352d72f63b3f59d4a97de3e6439697cf8649036bff73055c001fde12033a9bd75db3146e71b1a58d3cf48f391b85355b9a8ffb2582e

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
255KB

MD5
db924cfb645f8120e23d9c9e1f43edd1

SHA1
16e88cbc80460893a94cbd2e63bceb59549eb9ac

SHA256
47f70dab557567026cf61ba80de2207d445d5c80ff3793b73886767628c040fe

SHA512
523b6a8cce55bbfd7d888e4c7127642c9e4d5dd43551588f796131d2f287412c99a537884b00e57102a0197e82477a360a44485573322e118559df13dbead3ab

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
255KB

MD5
1bf4c009436d83a9aef04baa49c70fd1

SHA1
6a7f5eececa99e75b8cd77150c863dd80c4838ce

SHA256
6a666de2ca16debbafe286683f81d2f43af7122cfca325e4247d9f007e1f6a6e

SHA512
b8b993a5e2503aecf3b6dc52aa80884b2a592c107d41291ee1ef31387fd83baf4ebe10f58f37c18da980c593a9ada5d1ee3c7a960926f2cb628e93d1d98ef006

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
255KB

MD5
7b55b58b329b1cf53640e13dd98d035d

SHA1
3e40f1ba64037ffb26d20a405320ec8e2c3470ff

SHA256
bad7c64ac3c3d3f7891176614d98626d4f9e94ce587a165bd4dbbbf69ea20041

SHA512
7aef09166f7d60efc7107b9238185287f155aea35d01b15eb29d1a269a26e422d5ac2097ec2d128abd95ddcf2d471ee7b621f06036695bcba6357562dc6e94bf

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
255KB

MD5
674186e49d27f4b108bea40572497ea4

SHA1
ea2332b6a66fb880bae4af890ae3bd18d7e8e94f

SHA256
117988bb1744f7a5c834a3fe1026051eb6974f802b5f050e6886f87df37fcfba

SHA512
2f6b5f3cf9eafb72a0370f7c567cc19cf0d436730048c9d1d8e317fd94bedc8b461af55c15e5178e76f3241b82e0c7f263372f2bff1ad7f0955dc4b6c4db8bb8

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
255KB

MD5
ff79175f619d4e0a88b92f271660fcca

SHA1
1b22ca6fbdfdb3ef81cd6063ca86857af1bc7c53

SHA256
e0111116980941a9eb63476a7a11761e4094e41b51f7097a73685c3fa598f2a6

SHA512
428e46b5ed710ab61e3bd2af0a99f834710ebc8c04ae93efcbcdfc5d1a252c9a132542e21ccc3a33cf5c4c04fbad3106d81fb736efefe9b9d479a7391967111b

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
255KB

MD5
aa913f70d80bbf47a93aab4b04c8c0d1

SHA1
8dbf0dd391957fbf281053710ec1a9cb6df0352f

SHA256
6cea90eae3e2313ac27782ed722eeb3537fc0cee39ce41c30b57e3db76f6929a

SHA512
846ad3e85799c75a3c3cd3a6edeeb0b3adf2ac5b71ce3f6bb1f0513eb1f303660080d23976b2f437041b1f9528a47442ada9b5cc100dacf14ea60a93d1d1a09e

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
255KB

MD5
c848b6b0ff05048a0e58a5a6ac2d2e96

SHA1
c8d88f5fc19fec66bfa57ab8a3454f285fe9f512

SHA256
9aa3d9843118413566f7653e915f7d3548d8fd790710d43e58959af642e9c76d

SHA512
759f756cfdfb934b65c58246e0759069c8bf84608e50ee18e86223562ba28b04142fdfeca921bd06ec90826b4b7a037a918019a753851854329ae044965b8b04

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
255KB

MD5
d7eee7cd44bff9c023729d91eff9d840

SHA1
7a53804a1f9ae765907c9bc63aa7085121dd7ec4

SHA256
b9a1f7cf689ea260a4f2e79f87eed36417df6b537b31e7b4183d744550488fa9

SHA512
d6718826cae3ee59b2aac9b4f60209ad8c66de01bd889a67590bbbcfee0a718da0b8e2226b8b6f72abc959438c1fbaf624c5af2ca31eb07282075308963f4b04

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
255KB

MD5
d0c8609e7022c7f36e9c5b11af1c1030

SHA1
a85e4dc54c8acd02505418cce4a9200dfe0c318f

SHA256
58e8b6856c24210ed8f5aae6c1ce1722f67c757ce53ca0d73f84e92bdcbfd0ad

SHA512
57344e12bfc7c78181d2ced8062aa21070326a817dcbf9f90d197eff69fd38c243363d188a8a76f352c6f3ed615559776d10dee660fa0c9a57d538836321ec69

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
255KB

MD5
cd0a600c558279b3f28de44413a3d01b

SHA1
dd606737513daaab881469460032bc0cd222d35f

SHA256
cce7920045d085280e6290c805adfb530363b268a4d96125b9c13df4e21f3ff7

SHA512
b47497d7df6cac2a922544b766726c27e4c0425bd10bbbbd452259de77ed01a5350d2ef96d68d1adb642e9957adb354a222a031374986bc940e922ef6b041ffc

Download Submit
memory/184-601-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/376-616-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/544-414-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-543-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/732-440-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/768-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/792-531-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/824-610-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/972-409-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-37-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1112-450-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1128-495-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1152-415-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1196-443-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1212-434-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1264-439-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1372-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1556-519-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1608-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1776-456-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1868-433-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1880-449-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1932-453-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1984-537-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2020-457-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2132-428-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2176-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2364-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-568-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-507-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2400-426-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2428-420-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2488-628-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2528-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2732-478-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2808-437-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2840-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-593-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2904-461-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2920-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3032-438-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3048-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3088-447-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3116-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3164-471-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3168-547-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3200-472-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3220-411-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3244-427-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3380-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3380-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3396-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3440-574-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3500-458-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3544-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3592-501-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3608-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3644-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3664-469-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3668-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3672-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3992-444-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4004-525-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4028-468-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4056-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4076-591-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4088-557-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4092-621-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4160-445-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4180-459-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4196-586-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4292-465-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4300-467-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4312-429-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4328-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4376-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4388-422-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4452-446-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-432-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4520-489-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4692-423-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4728-421-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-575-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4748-633-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4788-452-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4804-435-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4832-470-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4844-455-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4892-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4936-425-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4948-464-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5048-462-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5092-451-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads