113d59773eaca238679a14deb67230f10ab0ae5034866cbe7534ff4df96c4789

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75b912cabb82a2efbf48eaaf71e58120_NeikiAnalytics.exe
Size

96KB
MD5

75b912cabb82a2efbf48eaaf71e58120
SHA1

73f2fe918b132dc4a7842a4762ae2ce343229c86
SHA256

113d59773eaca238679a14deb67230f10ab0ae5034866cbe7534ff4df96c4789
SHA512

b755944587cf284dfe265f8fe191e051a90a335345c02651f2125d558f87705cd500dbfd709b2af241c5f34a0ceee40ba6a6d6706635f8fd5d6bd2056c45bcc5
SSDEEP

1536:2dIjGqEo4I2jl63z+HVbWIqAetRADajkFduV9jojTIvjrH:2d89vQ6HAMRoajkFd69jc0vf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beppmmoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clnadfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cafpanem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clihig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dljqpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cimhckeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baaggo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cojqkbdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcfebonm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpcgdfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doccaall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cafpanem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dljqpd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgodj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfnnlffc.exe

Executes dropped EXE 64 IoCs

pid	Process
2804	Bbjmpb32.exe
408	Bpnnig32.exe
3148	Baojaoke.exe
1020	Bhibni32.exe
3472	Bockjc32.exe
3280	Baaggo32.exe
3544	Bhlocipo.exe
1532	Bpcgdfaa.exe
2620	Beppmmoi.exe
2832	Clihig32.exe
2040	Cafpanem.exe
3456	Cimhckeo.exe
3440	Cojqkbdf.exe
4368	Cedihl32.exe
684	Clnadfbp.exe
4352	Cakjmm32.exe
4332	Cpljkdig.exe
1016	Cidncj32.exe
2528	Coagla32.exe
4420	Digkijmd.exe
3052	Doccaall.exe
1952	Dhlhjf32.exe
1180	Dofpgqji.exe
748	Dephckaf.exe
3396	Dljqpd32.exe
3564	Dcdimopp.exe
3160	Djnaji32.exe
3636	Dcfebonm.exe
4936	Djpnohej.exe
4360	Domfgpca.exe
1164	Efgodj32.exe
1488	Epmcab32.exe
2560	Ebnoikqb.exe
2924	Ehhgfdho.exe
5108	Ebploj32.exe
3524	Eflhoigi.exe
4748	Eqalmafo.exe
2608	Ebbidj32.exe
4708	Eofinnkf.exe
3640	Ebeejijj.exe
4992	Ejlmkgkl.exe
2568	Emjjgbjp.exe
2640	Ffbnph32.exe
2892	Fmmfmbhn.exe
1504	Fcikolnh.exe
2572	Fjcclf32.exe
3232	Fmapha32.exe
364	Fckhdk32.exe
4092	Ffjdqg32.exe
2636	Fihqmb32.exe
4056	Fqohnp32.exe
1176	Fcnejk32.exe
4276	Fjhmgeao.exe
3080	Fmficqpc.exe
5020	Fodeolof.exe
4072	Gfnnlffc.exe
3708	Gimjhafg.exe
3140	Gogbdl32.exe
4284	Gjlfbd32.exe
4596	Gqfooodg.exe
1600	Goiojk32.exe
4684	Gjocgdkg.exe
4344	Gmmocpjk.exe
4112	Gcggpj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cojqkbdf.exe	Cimhckeo.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Dephckaf.exe	Dofpgqji.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Nokakckp.dll	Doccaall.exe
File created	C:\Windows\SysWOW64\Gagaaq32.dll	Ebnoikqb.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Cidncj32.exe	Cpljkdig.exe
File created	C:\Windows\SysWOW64\Gibgla32.dll	Coagla32.exe
File created	C:\Windows\SysWOW64\Efgodj32.exe	Domfgpca.exe
File created	C:\Windows\SysWOW64\Ffbnph32.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Jehocmdp.dll	Dljqpd32.exe
File created	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Cmddeh32.dll	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Cimhckeo.exe	Cafpanem.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Clnadfbp.exe	Cedihl32.exe
File created	C:\Windows\SysWOW64\Ncjcpe32.dll	Cpljkdig.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Fllceb32.dll	Dephckaf.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Fcikolnh.exe	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Baojaoke.exe	Bpnnig32.exe
File created	C:\Windows\SysWOW64\Dcdimopp.exe	Dljqpd32.exe
File opened for modification	C:\Windows\SysWOW64\Ebbidj32.exe	Eqalmafo.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Hbckbepg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7004	6856	WerFault.exe	271

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppmkg32.dll"	Bhibni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cedihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbppbgjd.dll"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfnlmai.dll"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cidncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcdimopp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjcpe32.dll"	Cpljkdig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdgmn32.dll"	Baaggo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cedihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhlhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cakjmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgbbq32.dll"	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 2804	4860	75b912cabb82a2efbf48eaaf71e58120_NeikiAnalytics.exe	82
PID 4860 wrote to memory of 2804	4860	75b912cabb82a2efbf48eaaf71e58120_NeikiAnalytics.exe	82
PID 4860 wrote to memory of 2804	4860	75b912cabb82a2efbf48eaaf71e58120_NeikiAnalytics.exe	82
PID 2804 wrote to memory of 408	2804	Bbjmpb32.exe	83
PID 2804 wrote to memory of 408	2804	Bbjmpb32.exe	83
PID 2804 wrote to memory of 408	2804	Bbjmpb32.exe	83
PID 408 wrote to memory of 3148	408	Bpnnig32.exe	84
PID 408 wrote to memory of 3148	408	Bpnnig32.exe	84
PID 408 wrote to memory of 3148	408	Bpnnig32.exe	84
PID 3148 wrote to memory of 1020	3148	Baojaoke.exe	85
PID 3148 wrote to memory of 1020	3148	Baojaoke.exe	85
PID 3148 wrote to memory of 1020	3148	Baojaoke.exe	85
PID 1020 wrote to memory of 3472	1020	Bhibni32.exe	86
PID 1020 wrote to memory of 3472	1020	Bhibni32.exe	86
PID 1020 wrote to memory of 3472	1020	Bhibni32.exe	86
PID 3472 wrote to memory of 3280	3472	Bockjc32.exe	87
PID 3472 wrote to memory of 3280	3472	Bockjc32.exe	87
PID 3472 wrote to memory of 3280	3472	Bockjc32.exe	87
PID 3280 wrote to memory of 3544	3280	Baaggo32.exe	88
PID 3280 wrote to memory of 3544	3280	Baaggo32.exe	88
PID 3280 wrote to memory of 3544	3280	Baaggo32.exe	88
PID 3544 wrote to memory of 1532	3544	Bhlocipo.exe	89
PID 3544 wrote to memory of 1532	3544	Bhlocipo.exe	89
PID 3544 wrote to memory of 1532	3544	Bhlocipo.exe	89
PID 1532 wrote to memory of 2620	1532	Bpcgdfaa.exe	90
PID 1532 wrote to memory of 2620	1532	Bpcgdfaa.exe	90
PID 1532 wrote to memory of 2620	1532	Bpcgdfaa.exe	90
PID 2620 wrote to memory of 2832	2620	Beppmmoi.exe	91
PID 2620 wrote to memory of 2832	2620	Beppmmoi.exe	91
PID 2620 wrote to memory of 2832	2620	Beppmmoi.exe	91
PID 2832 wrote to memory of 2040	2832	Clihig32.exe	92
PID 2832 wrote to memory of 2040	2832	Clihig32.exe	92
PID 2832 wrote to memory of 2040	2832	Clihig32.exe	92
PID 2040 wrote to memory of 3456	2040	Cafpanem.exe	94
PID 2040 wrote to memory of 3456	2040	Cafpanem.exe	94
PID 2040 wrote to memory of 3456	2040	Cafpanem.exe	94
PID 3456 wrote to memory of 3440	3456	Cimhckeo.exe	95
PID 3456 wrote to memory of 3440	3456	Cimhckeo.exe	95
PID 3456 wrote to memory of 3440	3456	Cimhckeo.exe	95
PID 3440 wrote to memory of 4368	3440	Cojqkbdf.exe	96
PID 3440 wrote to memory of 4368	3440	Cojqkbdf.exe	96
PID 3440 wrote to memory of 4368	3440	Cojqkbdf.exe	96
PID 4368 wrote to memory of 684	4368	Cedihl32.exe	97
PID 4368 wrote to memory of 684	4368	Cedihl32.exe	97
PID 4368 wrote to memory of 684	4368	Cedihl32.exe	97
PID 684 wrote to memory of 4352	684	Clnadfbp.exe	98
PID 684 wrote to memory of 4352	684	Clnadfbp.exe	98
PID 684 wrote to memory of 4352	684	Clnadfbp.exe	98
PID 4352 wrote to memory of 4332	4352	Cakjmm32.exe	100
PID 4352 wrote to memory of 4332	4352	Cakjmm32.exe	100
PID 4352 wrote to memory of 4332	4352	Cakjmm32.exe	100
PID 4332 wrote to memory of 1016	4332	Cpljkdig.exe	101
PID 4332 wrote to memory of 1016	4332	Cpljkdig.exe	101
PID 4332 wrote to memory of 1016	4332	Cpljkdig.exe	101
PID 1016 wrote to memory of 2528	1016	Cidncj32.exe	102
PID 1016 wrote to memory of 2528	1016	Cidncj32.exe	102
PID 1016 wrote to memory of 2528	1016	Cidncj32.exe	102
PID 2528 wrote to memory of 4420	2528	Coagla32.exe	103
PID 2528 wrote to memory of 4420	2528	Coagla32.exe	103
PID 2528 wrote to memory of 4420	2528	Coagla32.exe	103
PID 4420 wrote to memory of 3052	4420	Digkijmd.exe	104
PID 4420 wrote to memory of 3052	4420	Digkijmd.exe	104
PID 4420 wrote to memory of 3052	4420	Digkijmd.exe	104
PID 3052 wrote to memory of 1952	3052	Doccaall.exe	105

C:\Users\Admin\AppData\Local\Temp\75b912cabb82a2efbf48eaaf71e58120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\75b912cabb82a2efbf48eaaf71e58120_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\SysWOW64\Bbjmpb32.exe
  C:\Windows\system32\Bbjmpb32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\Bpnnig32.exe
    C:\Windows\system32\Bpnnig32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\SysWOW64\Baojaoke.exe
      C:\Windows\system32\Baojaoke.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Windows\SysWOW64\Bhibni32.exe
        
        C:\Windows\system32\Bhibni32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Windows\SysWOW64\Bockjc32.exe
        
        C:\Windows\system32\Bockjc32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Baaggo32.exe
        
        C:\Windows\system32\Baaggo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Bhlocipo.exe
        
        C:\Windows\system32\Bhlocipo.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Beppmmoi.exe
        
        C:\Windows\system32\Beppmmoi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Clihig32.exe
        
        C:\Windows\system32\Clihig32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Cafpanem.exe
        
        C:\Windows\system32\Cafpanem.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        28⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        33⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        35⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        36⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        37⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        40⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        44⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        46⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        48⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        49⤵
        Executes dropped EXE
        
        PID:364
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        50⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        53⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        54⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        59⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        64⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        65⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        66⤵
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        67⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        68⤵
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        69⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3352
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5100
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        72⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        74⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        75⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        76⤵
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5076
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        78⤵
        
        PID:884
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4040
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2392
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        83⤵
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3956
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        85⤵
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        87⤵
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        88⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        89⤵
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        90⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        92⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        94⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        96⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        97⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        98⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        99⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        100⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        101⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        102⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        106⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        107⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        108⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        110⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        112⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        113⤵
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        115⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        117⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        119⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        121⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        123⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        125⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        126⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        127⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        130⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        131⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        132⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        133⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        134⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        135⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        137⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        139⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        140⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        144⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        146⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        147⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        148⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        149⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        152⤵
        Drops file in System32 directory
        
        PID:6252
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        154⤵
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        157⤵
        Drops file in System32 directory
        
        PID:6480
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        159⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        160⤵
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        161⤵
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6696
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6736
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        166⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        167⤵
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        168⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        169⤵
        Modifies registry class
        
        PID:6996
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        170⤵
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        171⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        172⤵
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        173⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        174⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        175⤵
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        177⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        178⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        179⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        182⤵
        Drops file in System32 directory
        
        PID:6784
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        183⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6856 -s 412
        184⤵
        Program crash
        
        PID:7004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6856 -ip 6856
1⤵
PID:6960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baaggo32.exe

Filesize
96KB

MD5
dc1cc10e8d9056c0c1912925572ce01d

SHA1
ae209c49b23460213120e172100f3af6c5c98c49

SHA256
6cfee58091360b1f499826898e64e64007166e13b0f54376ee784b05091b1b7d

SHA512
a2bfbc886dac96daed2f9d5a9cb341df44c7943377d16785540db9578160298ec37f713e995a9d86d491383c1cf2724ea2fe67ab877b24f19640692d8cf78e27

Download Submit
C:\Windows\SysWOW64\Baojaoke.exe

Filesize
96KB

MD5
43f596965e10d6fae10e81104f2c79a7

SHA1
eee1ae62f1a99a46d786589d796d181582433b89

SHA256
bdf97f6c3610a223713a4ea5ca350bf1ddd1e28acb36754c0976eac4b10fae62

SHA512
382fe14d182df494fecaa50bfa3e6656e064cdae2eead27d94416f18c46d6e07c67d319f078e22876a925196c86ef07d35d90e9ddecca143107b34194b0a6044

Download Submit
C:\Windows\SysWOW64\Bbjmpb32.exe

Filesize
96KB

MD5
d423d8bddc14b6a64b038880005417df

SHA1
d4f096b614cf94b54c652d2252cc71cbb4cc2646

SHA256
63a4c835bea20326aec3d0b7b121610365c3bb397bed52058334be341a84f029

SHA512
5fe0eec0780c5ecc059edb8a308eac4856ea51bf414f799009aaf593542469993570d003fc656c929d9d8f860e75bcb376907c45d3db5f57ebb92c9e28c06610

Download Submit
C:\Windows\SysWOW64\Beppmmoi.exe

Filesize
96KB

MD5
51463a9d72289d070ca3925a7cfbfb1c

SHA1
0a6baa459b35cc6a467d5b2922bca10c9b91be5c

SHA256
b34fec271e8ae8037cdbea3264d84adb41f4a2b969441840ac93cb6863947231

SHA512
44bffe88511d7019693bdac21f2c96fe496c304b65bccc9dde4e98cb51bb4ee07c94fb2ad9eb4a893bd537e33d03fbf5990180d5663190f1a0fc624ec9783582

Download Submit
C:\Windows\SysWOW64\Bhibni32.exe

Filesize
96KB

MD5
8820f43761c1c66c9417e4eaf7f896c8

SHA1
d35ad14ff1e7523d9eeaa5153d5174e53f5c44df

SHA256
04457d364c8dda54644756256017ac1b4fe77a48a07d415f3e307644a88a4a97

SHA512
3d6c40621eb1cd1648c54269a4d80ed5032bf90755ec7583246561d4f616719f1aa15a4629b61b823442094f76bc1192e107fe2ccb2ab75803c245d16591ca47

Download Submit
C:\Windows\SysWOW64\Bhlocipo.exe

Filesize
96KB

MD5
a2a091985bfa3169ed77f0f013141da3

SHA1
0ab75d2d0d90e6f2bc1af5818455645ff228ecbf

SHA256
b1dc7bc0bf8d9b1b32c36242d31cabd24b84a2a856de34a2179786ed5553778c

SHA512
e582942bc96ec9d26bb9bad5cfa681326e45137858db4a0df866f74e9f1bfe77a73fdbe4784e260d9381054d1313486dcc7f5c8f5997f03d14be7d7db32de91f

Download Submit
C:\Windows\SysWOW64\Bockjc32.exe

Filesize
96KB

MD5
7424e69b60d8989fac07a2fc1409a0cd

SHA1
0279d2a006a46830a3a62cb878456ef805269d99

SHA256
ed92156f6e4a828ac6309e1313fc9902dd2826548ce959bb15945ad7cb6b58a4

SHA512
ab7a1639c3ae29e466293b4ec3af9af43c30809b7569cde5625e384bd355551f49f91e80f0b4aaf8b801f0bf9e267d74d6eece15183b498e217bbf68ee54165a

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
96KB

MD5
ca22078dd22a262c7a125a2996f4ba8a

SHA1
0b6e9fbc9996465b6bd966b45189e8be54b0471e

SHA256
bc91179de2ecce9ea330b7f1ce3318ebba5b4d0716e21787a5115b8534f5c1d4

SHA512
79924e828c6d6d5f083940cafac4b36c1748ab780e901baa07b15f360682ae6d08313e242588d809219d1406b45d445b7b005d2f4967c9aa6cc0d53ad65d6e1c

Download Submit
C:\Windows\SysWOW64\Bpnnig32.exe

Filesize
96KB

MD5
c0f45cd43119df6e62a860f6b848e744

SHA1
3705d23ff380f16a50c2105e62fce77c05c4a629

SHA256
916eb918d4592432026dc9e7af0259e42843d3a710ab5ca0e32e30ee7a7c4683

SHA512
89c4ed8d030c28df35e08ca55a05b08de482cd7f5bd8a1fe93e8fc79fbb3cbc568e94ed2f2ecdfc27bfa0db034b19393648b009fb957d3001d4e21cef67408b4

Download Submit
C:\Windows\SysWOW64\Cafpanem.exe

Filesize
96KB

MD5
dde306a1b76c4730e1100a716f9e0b55

SHA1
736b1f250dec06865ac4d15abfba05e0ee4ab9da

SHA256
744a9cd7815e25527032022ae165c2f5d2b0e860de242978f8325fbf3b9501e0

SHA512
2e64588bf15bd90870a3dd5d92dd1d56f36e7dfd2fdeea4a9a45f2f71b7f0d8e60e76ced4fad9f6dbb5d0090637db32ded62b35e7b7238dffa52e8b62400fd3a

Download Submit
C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
96KB

MD5
3e6e32673019a9eb56258e307484decb

SHA1
87815aa4a885850435d3d1f5e5fe6c683cbe4a09

SHA256
45e63d7f84889c05508e2b786cf5e35aabb185a7e83f4a8378709d059f39e232

SHA512
39dc95ec089ab99bc133b50a8ea54761ea63e361ae7236b816d1df9df61d0f7e0fc3f9225837b28a83cfe812dff3f6de2ec2695d90091842a4db4857a1307b4e

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
96KB

MD5
32a538c85663f449ebb5fcfc23c8fc2e

SHA1
c2a3000df59ab7e5780220d27b479f02fdd0b3dc

SHA256
273fe924975f931c6932823638d6311e5cc93d657f8d8b63d59f73497ec50657

SHA512
1332d2e6d09c3de10fc363e4217172407492789143d65d3f94b819cbf3f3a384af09a0652e3de0c870010a525d9302ee52de1a78ff948581ce2bb1dcdb805ac7

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
96KB

MD5
c5ff00d52353b174854d4cb98142cd03

SHA1
4909cfdb4095be87e08c01a3a8070d8f28904345

SHA256
d8b92565e42761d3748db878d6ac451c85d31be90ff9bdd99d205eb1c7e90e35

SHA512
8d4b241eef1f4b3d1851c5422829c2529ec4b46792804c1c201ca971e1a3fa4ffba47d41f8013af51874ca166123b44166cc8f16315096ce2fac0fe588237186

Download Submit
C:\Windows\SysWOW64\Cimhckeo.exe

Filesize
96KB

MD5
826f511462e1ff1108b2a6baafe3d2bb

SHA1
d4c5be9710dedf14081c51ddb327ed5601fcfc3c

SHA256
b160bdd1de9b18997fb0a3eafc28feb327bd2593c726970e2dcbfb925a48c3aa

SHA512
6fed4724e9f52eafc076bba6900c454ad0485b5328aaf99364e01436dccba45e6bfa552651763788b83f7d9a5ef4a9d4dc94d9626155cf5fbdd78c9f07ac9147

Download Submit
C:\Windows\SysWOW64\Clihig32.exe

Filesize
96KB

MD5
83775adf6f21a71b58a476d9b7ce6b13

SHA1
2ad815928a750fe5f99338a9f590ab49ad4b11db

SHA256
9a917a53e2d15cb0a15a86e57513e9cfcdcb4abecfe3e156a593d6bb13ef7888

SHA512
d20c4303cf61c2f05ff34487b9a015c8edebb0c5fd33a93abd4f64a9ff3f41193ff9209a70d8a4e52b532bc4bfe8b8302edcc21b9507565f294dafc18a319a97

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
96KB

MD5
d4df26d512311f98cd47d4b40ae928fb

SHA1
63d109c10921d3baddbbe380e3bd1683d72e4739

SHA256
2c3fcc0f8121981fd552c5598a5e813b27cb1bd8123023bd0eff3b957c44081c

SHA512
290fd95a22b0dccbb4ee3635baebb225f265cdadeea39406eb83577d5951b0c28bc66069b063f03f20bda8da87399ad8cd508798b3d34a846bcf0eff8d54dceb

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
96KB

MD5
497f0684e3b3e46159bd3c65a6f048d6

SHA1
b71a60cdce12223eea6257dcfac88b8aa9349e57

SHA256
f75f05d6a1265ff8fc7d8e734dccfc80578203eb964cfd421611350bfc9a15d3

SHA512
98bf29c5f80d5319bbf6de3fbbeba250d206d22baa0c6e2d7a99193af06fbebbcee6261c4d7c78b4891c1d3b0d55854b76959bf8aeffafe659894b0910542349

Download Submit
C:\Windows\SysWOW64\Cojqkbdf.exe

Filesize
96KB

MD5
afb2f8da576ec8765cc2b4be36614364

SHA1
39dea74aa44b32abcbb39a61c51ad0c5c8341779

SHA256
37b40fd7a188579966dd15cf66a427f3518a7ebeadd66b67a52bc93e709a7ced

SHA512
287adabe9e959f9a997438ce27140a133662cce53d05170b87227ebeec1edb8b2e407af64bf6ea7d53239f508a6c5051c88dd8c1e3f52089487f621206d81dd5

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe

Filesize
96KB

MD5
ba5342c30be44aee244c05b5a48ddffa

SHA1
a74619171dd05c898293b87dfb6baad40dd2d776

SHA256
dfe27f91529eae17e12c21029a4114e4fec4f877593c608fbf851bd9bed7a07e

SHA512
305a117b8aa49bb91efd957c6708cde1458080350d3a00faf13baf8a8cb75ee9f1cf6fccbaa6dc9c69c1a0c07f24b00d62d8a695d91a980c9c6f1ad1a61e8543

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
96KB

MD5
f9214538eb173c2b179604c6ca992a8e

SHA1
3db423e35e91690ca5bd3e7cb39134b9b0c4f1f3

SHA256
68a38109f1ebfe6109c83a44b82db6ef94f8234f5d26cfa071b0915d2eaa6e20

SHA512
147ca0815b9ba983261d4e4f2646835c30640b55019c6a3415bc10eea0425c65e9c722b67b632a557cfd12771a18135d484cee10b483e407c8ec204e86a52b19

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
96KB

MD5
16052a24524ff37f640da634153ddb7c

SHA1
d28ecc49fb38293ae00f94ef2c6e1ec188e29795

SHA256
e89d047f3553030664afe4aee6d5ce7f55118facbaa661f242d2d792cc70786f

SHA512
cb46ceacadafe783e7b5a7c3b0eeae94404ba0f76840386d92f951d6e52c846fb41420bda43640e4ba873bdb800b2019ce76a21b44d84cbc66dc02bd6d22acf7

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
96KB

MD5
0d52a26da0ba0a4958340ddd206ba336

SHA1
36900929bceb8e4dfd9e056f98208e0d7e5ac282

SHA256
11be81e826da21a322d423a269dc758f1693c452a2ae5fbae7d47f4a67415763

SHA512
1a501f33d06ab64a9645050c440c3400117e0c918e24155e6bcebfc7b7fe91eaac8803df638e474f1ec3a5d42b9a023a7d63034f3852493e155c7162a92d57ee

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
96KB

MD5
86494e62254d82b10147ae1f950c58ff

SHA1
85f9354346f810404772fa2f1f4cff82b567ba9d

SHA256
7f7f7d5a7c6bb2ed3d2dcbec8673453bfec489781c12acd5f8a6fe000b82d870

SHA512
e3a68bc5283a8b54c95d16b3323ffac71356e2e2a8f3c34ad0cbf42e11cda119934720640514a7d346f34d4e9292f06a15b0b22243f702df36db49951a1b3050

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
96KB

MD5
ca14ada83763a47d6d5d6c9ed8cb79e9

SHA1
6ad16abdec72c801c5984dec5ab2fd153e87cd7a

SHA256
6da2db7dd268cbc1d8942e65a20bd0e603e61146014028e29577eaf785588710

SHA512
835c445bab51eba3cec3400ccf8f32fa5c40c6f6d197aad7447a724033ec895990fa91659916223cf4c3899f72b99a9e0963ff571d995885256fe44b7c443b30

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
96KB

MD5
1196cefb9affb11d0b027abd88132993

SHA1
ae008048e5e4bd1ff2310c4fe60e90a5784ad07f

SHA256
a78377f1e308f2b6132d98ed7f752ad6dab2d427acb58a979e21c9c41266c6b7

SHA512
20e596d557acb6e8dc6a65474a7936bedddbc49a17a336189dfd4451a2b4bf01c7563070651ad5e601a6a9b1435c064afb740cfdd6162eb0ae20d17e8a885024

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
96KB

MD5
75fececd7339b36841084bc6406a3251

SHA1
0a2272a4f4a900a0ca118b9c349ea6d5de259ad2

SHA256
c3a1273c665fcb70bf7d0e9e15cbf6a87bc4caba6d5256b2e56d68ff21d87910

SHA512
5044370ddd13f9bcd3c9c2d680a3567601c39360e2503600149d9f2b9c64e4c578c44bbe76a4e75841d217dfb06118bb54855f2ceb99bd3aad8fe3531df8515d

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
96KB

MD5
ee3bd0425601fb24a54c7c7eaafe46a1

SHA1
6504dae720decced29d349e315d45ca173165ba2

SHA256
04c9f46491378d3f38e57f74a212b7cb3f2c55c82a7b4846e2ec3212dc516554

SHA512
71f58d72337c3b3d94c7769b819633334db88792cecdcf3baa3dab9a60739c978f114be6ccd8e52cb67653038a44a7cbd89e269fd809c27f16e7bef59a94d035

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
96KB

MD5
1d18a4c5dae1ad4ca69dd5cdd8cb33f5

SHA1
987874528b34c2a69804ce7c74987a775d6ae58f

SHA256
926e33244c2e320eb069731120b6a3f9a433f7e3f32e80d5357ea9084ba1ba2d

SHA512
4a5eca7a29a55cfb9fcf741d21107fc1703619fb3f65f8e6a729ae079228d65709e126740deae0d27e57e4a7a589af8bd1a8ea299173c4141dbf5d3f1c92276d

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
96KB

MD5
4bb82ca0bcb5b563dfe4919f445cb5ce

SHA1
857fdf9021b8b29bb26dfb444b5b1aef6ef55740

SHA256
8822eb1aa2929dd4e6cd67c432ef0db79eec3563a1eeeff8f7dbb1e6cb9d036a

SHA512
384b06d3cee1f5d1550a0e1dad69b2370458c98ef677f45475825a586e7d36fcee0a27d2988c110f057b490895523f1cac9588d698b866e0dbd085979e33db63

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
96KB

MD5
0825c4c301362c9fc99996ab02f21df5

SHA1
b6c770c0a8fb7b6e45d06aa6056829e5bca2a7ee

SHA256
28ec05b20a0091e629038622e2675f4ad6f8718b6f278ddbfd546970fe7569ff

SHA512
bf9fd07031bc2687fce73e5b87f808769f357b67fa2efeb552d7e58dd59430af6591c8452d8ce3cad2c17ec39dc7a8c29837b275394e46f97492ff8c8929357e

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
96KB

MD5
7381739f970da9896930fbae18f464ed

SHA1
e2d30b6367e5af3100852df9439ba122114dfed1

SHA256
bfcb39bdae88e32c2ed660db26c5c04d987d780e3d7edc6e618edd6658edbf67

SHA512
5aa027dda0a328e47b1e030eea4a1c7d2139e5a237ee79938e5c86a749e7c5b167c05f1df1383bde8808434d990c8c7716b86cda95417dd023ada1d9631b5879

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
96KB

MD5
87e7bd2fd83e80ea9f7063e9eb7b32b1

SHA1
cd91c1d83ca16f96b0410bfa16f3f2bc8f219fdf

SHA256
016b4216b48a47069b19d4d1d169db806bb93a44c95cce59e36bc42aa9d33954

SHA512
96cb30cc992829995df70b671a3f99f5e526dd8a5c928b0687c20516aaf3cf4e47958ab3976b15f76929e5d241261fe91ef625c28fe348afaa2ed7c9fe12e8a1

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
96KB

MD5
d21e907c3bf29d15ac2ee2b6e195732e

SHA1
0bb27288f04881797cc508f0e8dcf4f1fe5dc654

SHA256
8e4bc586c01eada0be8c87afdf7b08b57346cda9a15fd189213f37773580297a

SHA512
fd42ab92224476077a59e37cbdc6f60d7e762105d41aa5eaf3eea84f41a1863800f802efcd97b0fae2ee18b922c731e4d35f44e96e04ef67bc2996e15d18f3e5

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
96KB

MD5
036bc0a11076eb277ad7259bd7cb409b

SHA1
14bdc0656a1f47ea3d57559cae3ae0c3f1b9cda2

SHA256
88554ee41a7aef7a8ba1fc10e58f7e5fee5f7d81abec1240a14004b0c2286830

SHA512
0c9d472e48dc04a353bef7687e692c252caa32f79183b851bb953038a279ffe88689559be7b2f7f568ffe8221a2d120d1d4738e85595d7f279b6ba8d0c6bea31

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
96KB

MD5
2576bfeb03d7efb9e0840f3dfa971546

SHA1
a1e67b698b40f8675656726b9259c15f8f6cb085

SHA256
37d6ca5816a1a2cb441a3c97925b8232fa66e8bf23eff5aedd2fb8faf41133c3

SHA512
af0c8fa605da56ba074d61824099cea46b1dca1bf259502457eebd58da249a073bed8c80e9e3945b6f8f59b890024288a1a5f0c601d2263e38e801e6e4fd50fd

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
96KB

MD5
2aa6b774ac50bcf76d227dbbcc351c34

SHA1
6dc528090807844f2b73ce590da6b00719c706ae

SHA256
ef6bc6d1939c8111af83bbeef80cbe57cb4af8acccb13c4841a14f2458fc50c2

SHA512
6d4acf24f87bd59219cd6a0bf9d300a6197f6459ad1d61ff29240f00973bb952a4c15cc3ea36a030a5eaf332b765dad70cdcb59141313662b75c0bb05e2668df

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
96KB

MD5
708e44e48d1f0a319a36a8a37f884719

SHA1
363e26249c960fd0c4637a17fae9593d826cb1a2

SHA256
a56be291413979fd969ddb7d7673066084edceb63bb58661a20de11f1b645cb1

SHA512
64414fcd6e23ba02218f63549327514487c2c8ed4cb9b20850fc1800a9a75e8c205d51a145b2d8185ace377bb844db4e8d63d74b2771559e93aad35327377177

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
96KB

MD5
af11e168bb0a64978954ab1de3abfc36

SHA1
eafe1c1874d477134f4b6048c141a9996394dcd6

SHA256
9a952a1cf9aa058b8e0192c477cdbdf7a5d569e24a3ad9654d020e3c64c2ca4c

SHA512
84254d5d274e4878695284b9362aaa7d75127fa4b13f3c50cf84d3ed59c751a30c51b42e9fb0ab125dbe674d4c73632064cb048ef634d4fe16327e7de83b30a7

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
96KB

MD5
3ba22fa54dc7b237a86757ecd109522f

SHA1
db336f121b9ac4671e5deb57777b263616152482

SHA256
d001c43c1632fbbb9f74a5186f4c7999caf70aeaf3d58c8a178da1bab2326f98

SHA512
47018da3b111d2d84961c2cc69065bd3719a301749cbf9457262685befba083ef57d7107e339a4644c61164019f9ae3d68ce83bbf6e5654e6df9513de59a97ed

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
96KB

MD5
6f6ed4714725d3fb049d4aafacb24c59

SHA1
5ce10cc0bc3e7cadca8f28edbba67afb59d414fa

SHA256
214080afe4be666d00858f5e60a19c0b8fca4f258951e9a9eeab80d841392c2f

SHA512
0354d4a6f9d2ddf2d3827a0c40f6143851c9f1d2dcebabd9c841cd1310cb034af22db912009c3d18bade3d78481150840bcbc0fee849340b3a1328b5d823aa42

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
96KB

MD5
e1ebd40ec3ecd2d3d1d4d5392c894664

SHA1
fc6737f2db802c3fa3f56e40192ab57c062b4564

SHA256
884d0c40c8114abc48db037225ee474cde7ff3058d499ba28215a012e7841fed

SHA512
0e995684a20afc1c42f5b897d7d7d736b591238e9ffa3bde7a1a0450835596c243f876f3db06d5a954397d07039bb0193831e5c56064f47210b2c88655e4ba13

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
96KB

MD5
2d4653414401a12a8ce71aa8d735112b

SHA1
63b44c5843af7718ce511cdee653aa7f31e96caa

SHA256
f7909f74db65168783422365f706c37ecce03b43579472444c74a6cced8e8f06

SHA512
e8470d69c74447e2b62ce008c6524046642db0665e818483d8dc586c173b982835fc599b15d975a6422210dfc7b45a2021f777b37b6c15129522d1edb1af3842

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
96KB

MD5
cb99e8380b2d8ecbae69010b51257f56

SHA1
30a6df3b0918349253a546f043605645dcb92e8f

SHA256
9fcfe4b6dd03c3c13f4894804e79449eecf8cab1e1caa55e0fd5d1ff1e61a809

SHA512
70d34687951838717c059cca4f25017a130ab443cb9057d8aa1a013186b6a615e5c48472e1b2f233a95b2ff6694a24eb6186a33dbd664da6970179af9122105c

Download Submit
C:\Windows\SysWOW64\Nppmkg32.dll

Filesize
7KB

MD5
728a14bd9ea5f9993dc7ebfbe3ff5a14

SHA1
7ddeaeb0a650256bde0699d255015d26e903359f

SHA256
f49fda6bdc04f78421e295a3bd9d252bd682a825ebbffd0a1cda7306166b7df0

SHA512
b7a680f0ec27eceec8cc2dec206cb71aa3c661d056087b1c11d585c5bcd591f81dccdb03f4157b211cdcf59fd3dc4fe68b55030eb8cfdf828aee7b75f4a2ff0f

Download Submit
memory/64-573-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/364-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/408-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/408-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/684-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/748-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/752-467-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1016-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1020-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1020-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1164-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-380-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1180-187-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1504-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-599-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1600-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2040-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2136-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2272-550-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-532-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2300-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2344-458-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-563-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2392-556-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2528-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2560-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2568-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2572-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2608-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2636-368-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2704-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2832-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2892-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2924-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3052-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3080-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3140-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3148-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3148-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3160-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3232-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3280-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3280-585-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3352-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3396-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3440-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3456-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3472-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3524-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3544-592-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3544-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3564-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3632-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3636-228-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3640-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3708-411-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3956-570-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4040-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4056-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4072-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4092-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4112-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4140-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4276-386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4284-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4332-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4344-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4352-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4360-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4368-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4420-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4476-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4544-597-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4596-429-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4672-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4684-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4708-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4748-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4860-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4860-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4936-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4992-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4996-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5020-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5076-525-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5100-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5108-277-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads