65045fffd295a8fabff5279018cbf13aae203ac721990e0ad2125f216c87d9d8

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a7ed8e538e777fc54f567c243bb5000_NeikiAnalytics.exe
Size

352KB
MD5

5a7ed8e538e777fc54f567c243bb5000
SHA1

f707d35fdadd1e8e128a53577ca79db4d8c133ff
SHA256

65045fffd295a8fabff5279018cbf13aae203ac721990e0ad2125f216c87d9d8
SHA512

f62ba80d94e492d456e9d752722189e7eb2c59ba8475353510bcd5b6216445ac5e6c61e548ef377cabe920b657d1d64dba8f7e23a4730438d6fecb9565ab823e
SSDEEP

6144:uMskl/IinRd/LodoB3Yt3XbaHJUByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R:uMsVy6t3XGCByvNv54B9f01ZmHByvNv5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kepelfam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klljnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klimip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe

Executes dropped EXE 64 IoCs

pid	Process
1584	Jcefno32.exe
1168	Jefbfgig.exe
3768	Jmmjgejj.exe
2732	Jlpkba32.exe
1184	Jcgbco32.exe
1524	Jfeopj32.exe
4364	Jidklf32.exe
2944	Jlbgha32.exe
4160	Jpnchp32.exe
2432	Jblpek32.exe
4448	Jeklag32.exe
1100	Jmbdbd32.exe
4344	Jlednamo.exe
460	Jcllonma.exe
1516	Kboljk32.exe
4460	Kemhff32.exe
2864	Kiidgeki.exe
4948	Kmdqgd32.exe
1032	Kpbmco32.exe
3616	Kdnidn32.exe
1916	Kbaipkbi.exe
4220	Kepelfam.exe
1928	Kmfmmcbo.exe
4388	Klimip32.exe
4088	Kdqejn32.exe
1012	Kbceejpf.exe
528	Kfoafi32.exe
5040	Kimnbd32.exe
3288	Kmijbcpl.exe
4216	Klljnp32.exe
1768	Kdcbom32.exe
3188	Kfankifm.exe
3500	Kedoge32.exe
1496	Klngdpdd.exe
4396	Kdeoemeg.exe
364	Kbhoqj32.exe
4820	Kfckahdj.exe
4404	Kibgmdcn.exe
4492	Kmncnb32.exe
2736	Kplpjn32.exe
3560	Kdgljmcd.exe
2856	Lffhfh32.exe
1908	Leihbeib.exe
1484	Lmppcbjd.exe
2888	Lpnlpnih.exe
4904	Ldjhpl32.exe
4992	Lfhdlh32.exe
4624	Lekehdgp.exe
2476	Lmbmibhb.exe
4616	Llemdo32.exe
4936	Ldleel32.exe
4420	Lboeaifi.exe
3924	Liimncmf.exe
1124	Lmdina32.exe
2340	Lpcfkm32.exe
3876	Lbabgh32.exe
2460	Lepncd32.exe
752	Lmgfda32.exe
3440	Lpebpm32.exe
2692	Lbdolh32.exe
1112	Lebkhc32.exe
1652	Lmiciaaj.exe
1808	Mpablkhc.exe
2784	Mcpnhfhf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Eikdngcl.dll	Kepelfam.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Ojleohnl.dll	Kfankifm.exe
File opened for modification	C:\Windows\SysWOW64\Kiidgeki.exe	Kemhff32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Nlplhfon.dll	Klimip32.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Hledan32.dll	Kiidgeki.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Lboeaifi.exe	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Kmijbcpl.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Ldleel32.exe	Llemdo32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Bjjplc32.dll	Kboljk32.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Jidklf32.exe	Jfeopj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Jpnchp32.exe	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lboeaifi.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Ngpccdlj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6832	6468	WerFault.exe	284

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll"	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jcgbco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpocg32.dll"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjplc32.dll"	Kboljk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikdngcl.dll"	Kepelfam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcllonma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nngokoej.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 1584	4564	5a7ed8e538e777fc54f567c243bb5000_NeikiAnalytics.exe	84
PID 4564 wrote to memory of 1584	4564	5a7ed8e538e777fc54f567c243bb5000_NeikiAnalytics.exe	84
PID 4564 wrote to memory of 1584	4564	5a7ed8e538e777fc54f567c243bb5000_NeikiAnalytics.exe	84
PID 1584 wrote to memory of 1168	1584	Jcefno32.exe	85
PID 1584 wrote to memory of 1168	1584	Jcefno32.exe	85
PID 1584 wrote to memory of 1168	1584	Jcefno32.exe	85
PID 1168 wrote to memory of 3768	1168	Jefbfgig.exe	86
PID 1168 wrote to memory of 3768	1168	Jefbfgig.exe	86
PID 1168 wrote to memory of 3768	1168	Jefbfgig.exe	86
PID 3768 wrote to memory of 2732	3768	Jmmjgejj.exe	87
PID 3768 wrote to memory of 2732	3768	Jmmjgejj.exe	87
PID 3768 wrote to memory of 2732	3768	Jmmjgejj.exe	87
PID 2732 wrote to memory of 1184	2732	Jlpkba32.exe	88
PID 2732 wrote to memory of 1184	2732	Jlpkba32.exe	88
PID 2732 wrote to memory of 1184	2732	Jlpkba32.exe	88
PID 1184 wrote to memory of 1524	1184	Jcgbco32.exe	89
PID 1184 wrote to memory of 1524	1184	Jcgbco32.exe	89
PID 1184 wrote to memory of 1524	1184	Jcgbco32.exe	89
PID 1524 wrote to memory of 4364	1524	Jfeopj32.exe	90
PID 1524 wrote to memory of 4364	1524	Jfeopj32.exe	90
PID 1524 wrote to memory of 4364	1524	Jfeopj32.exe	90
PID 4364 wrote to memory of 2944	4364	Jidklf32.exe	91
PID 4364 wrote to memory of 2944	4364	Jidklf32.exe	91
PID 4364 wrote to memory of 2944	4364	Jidklf32.exe	91
PID 2944 wrote to memory of 4160	2944	Jlbgha32.exe	92
PID 2944 wrote to memory of 4160	2944	Jlbgha32.exe	92
PID 2944 wrote to memory of 4160	2944	Jlbgha32.exe	92
PID 4160 wrote to memory of 2432	4160	Jpnchp32.exe	93
PID 4160 wrote to memory of 2432	4160	Jpnchp32.exe	93
PID 4160 wrote to memory of 2432	4160	Jpnchp32.exe	93
PID 2432 wrote to memory of 4448	2432	Jblpek32.exe	94
PID 2432 wrote to memory of 4448	2432	Jblpek32.exe	94
PID 2432 wrote to memory of 4448	2432	Jblpek32.exe	94
PID 4448 wrote to memory of 1100	4448	Jeklag32.exe	95
PID 4448 wrote to memory of 1100	4448	Jeklag32.exe	95
PID 4448 wrote to memory of 1100	4448	Jeklag32.exe	95
PID 1100 wrote to memory of 4344	1100	Jmbdbd32.exe	96
PID 1100 wrote to memory of 4344	1100	Jmbdbd32.exe	96
PID 1100 wrote to memory of 4344	1100	Jmbdbd32.exe	96
PID 4344 wrote to memory of 460	4344	Jlednamo.exe	97
PID 4344 wrote to memory of 460	4344	Jlednamo.exe	97
PID 4344 wrote to memory of 460	4344	Jlednamo.exe	97
PID 460 wrote to memory of 1516	460	Jcllonma.exe	98
PID 460 wrote to memory of 1516	460	Jcllonma.exe	98
PID 460 wrote to memory of 1516	460	Jcllonma.exe	98
PID 1516 wrote to memory of 4460	1516	Kboljk32.exe	99
PID 1516 wrote to memory of 4460	1516	Kboljk32.exe	99
PID 1516 wrote to memory of 4460	1516	Kboljk32.exe	99
PID 4460 wrote to memory of 2864	4460	Kemhff32.exe	100
PID 4460 wrote to memory of 2864	4460	Kemhff32.exe	100
PID 4460 wrote to memory of 2864	4460	Kemhff32.exe	100
PID 2864 wrote to memory of 4948	2864	Kiidgeki.exe	101
PID 2864 wrote to memory of 4948	2864	Kiidgeki.exe	101
PID 2864 wrote to memory of 4948	2864	Kiidgeki.exe	101
PID 4948 wrote to memory of 1032	4948	Kmdqgd32.exe	102
PID 4948 wrote to memory of 1032	4948	Kmdqgd32.exe	102
PID 4948 wrote to memory of 1032	4948	Kmdqgd32.exe	102
PID 1032 wrote to memory of 3616	1032	Kpbmco32.exe	103
PID 1032 wrote to memory of 3616	1032	Kpbmco32.exe	103
PID 1032 wrote to memory of 3616	1032	Kpbmco32.exe	103
PID 3616 wrote to memory of 1916	3616	Kdnidn32.exe	104
PID 3616 wrote to memory of 1916	3616	Kdnidn32.exe	104
PID 3616 wrote to memory of 1916	3616	Kdnidn32.exe	104
PID 1916 wrote to memory of 4220	1916	Kbaipkbi.exe	105

C:\Users\Admin\AppData\Local\Temp\5a7ed8e538e777fc54f567c243bb5000_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a7ed8e538e777fc54f567c243bb5000_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\SysWOW64\Jcefno32.exe
  C:\Windows\system32\Jcefno32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\Jefbfgig.exe
    C:\Windows\system32\Jefbfgig.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\Jmmjgejj.exe
      C:\Windows\system32\Jmmjgejj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3768
    - - C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        30⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        32⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        35⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        39⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        43⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        45⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        46⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        48⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        58⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        61⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        62⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        64⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4612
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        68⤵
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        69⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        70⤵
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        71⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        72⤵
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        73⤵
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        78⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        79⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        80⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        84⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        86⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        87⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        88⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        91⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        93⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        95⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        96⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        97⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        98⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4704
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        101⤵
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        102⤵
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        103⤵
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        107⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        109⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        110⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        111⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        112⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        113⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        114⤵
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        115⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        116⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        117⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        118⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        121⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        122⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        124⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3384
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        126⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        127⤵
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2984
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        130⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        131⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4196
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        134⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        137⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2396
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        140⤵
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        141⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        142⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        143⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        146⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        147⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        149⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        150⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        151⤵
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        152⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        156⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        157⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        158⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        159⤵
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        160⤵
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        162⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        164⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        165⤵
        Drops file in System32 directory
        
        PID:6400
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        167⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6536
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        169⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        170⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6668
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        172⤵
        Drops file in System32 directory
        
        PID:6712
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        173⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6788
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        175⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        177⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        178⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        179⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        180⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        181⤵
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        182⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        183⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6396
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        186⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        187⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        188⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        191⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        192⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6152
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        194⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        195⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6468 -s 408
        196⤵
        Program crash
        
        PID:6832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6468 -ip 6468
1⤵
PID:6688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
352KB

MD5
c9e831b6e111c55ee931390cfd41a4ff

SHA1
b66c8d80da9fe7be0d6e75bb658070fd79098b28

SHA256
e34415622a79cfaa162e3fd6685ccd2c8ff2e006f9e97d751c9bdadec4791add

SHA512
f8c1ac3ec72755fa3132500c37687b79ef82123cd02aadf4fd86750bcf84b675d84f0d46efff7740ccdfed489737bef0ff09f243e0146f0c9fe57c53701f9d54

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
352KB

MD5
1ed95dc517486ae5efc90c1053f5afb1

SHA1
695ec4da0681b62ca9a8bb9b412372c1d7fcbd68

SHA256
59bd16c2e19bb7f37738cac12cbd1564cd59b0daf4365122fc9c381dad64b274

SHA512
7614f2002869f14beb466bfd243cf245041d30afb164618f7ee92e3db892f8eac7f57b17f6282a8c989bb0ba771bdf4207d2f0b3ce30cace916110d81fc9a951

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
352KB

MD5
eace223c0a7f94cfcd04a7e757169fbd

SHA1
4ef7b3458e327086e81e321c4c0c501945e01aaf

SHA256
3948c6d37048f4b0d1f7622b6ed2f679001b359a853e29e1a45e4c48b7d69504

SHA512
065e0d291b9de56813595679c9269397ae4cebe467847c2bb9963abab71b7a6522e2765832370696120cb2676539f22203facc05ceb84f4afcf30d4a8697a362

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
352KB

MD5
dff634d5399560615aef0a25bfbb6f7d

SHA1
2e6b68a42773aa523c01723498d29144706e6d9a

SHA256
68b2f01a70af859ec13ba98af945f2cc49fc6809d38f80de9b745932e4fdda6d

SHA512
ac53432ea3dbcff2ffbd3f20ae773bbed72cb614d72fb0614278ac36ecda3bbb91d13a803bcbf9e236ef38d8d91573d35ea7dfadf160d5a3dff9c5120362b1b3

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
352KB

MD5
d30dfaf6a719d6c0b7c8ea63b6fd5c43

SHA1
c8345d47e716b6373b5af42cede564b0ccdfd4cb

SHA256
38d3f6d8309daa5f3b4c2a2363ff00be27e45604d85305c37149350cae96684e

SHA512
62bd3c7ba1f978a2f608ec024d1e43c30030a9ac748b11424e8561225c8d0c128e3859fc830608dd6066bec483edd4f581aef7991660567c52caf60873a9342c

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
352KB

MD5
ada34b4a1b3059e0acda845c2ceb2858

SHA1
30278e0ac32a5bdd829a57e4067a4243a22c4a17

SHA256
4682258677c914bbfd99e4ce4daed6e325e0d14363b8de4e6e34b653552bbac0

SHA512
7f021ea23b25ebe158d019c49bf4d4c33febd75c52a86927d370b9cc918e681599771546b6fd38cb37c2e3b56dfc4b50cc03310d8307e65ea4e872c003e7a710

Download Submit
C:\Windows\SysWOW64\Hfnhlp32.dll

Filesize
7KB

MD5
f30d885bb9b555e155ee1e9c6ccd43ce

SHA1
7f054833a281668945fd3800aa4161ca8c956873

SHA256
9810da63530954713d2f37a05e13040bd5a2426046c9520d9826697aaa110435

SHA512
89a113b58f8d1c55591bf3a0232abdf48718a0f24ba03a0bdf2fa612377be7b3686be4e8f714a528f504eb2e9b6bff18d5d7ec0304f3ed48c3f87e651f312b66

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
352KB

MD5
0f4aa6443f367e304f51cc7123cc37f4

SHA1
992c4facd156baf23bacf9f54a657a1548127b9a

SHA256
8108d6fb6921bb1f9f4c4bf7f719d5f91e9faae33e0abd617dfc89682f921b54

SHA512
e5cac1511b04a3da8f61fd0c9254b1e4e466754c06872fc14069580aa4e653d0baf6da6d81b58642aa1cffb703bb04b16d081518108e57657625347524e37674

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
352KB

MD5
6da976e15407483e08e839de472281e4

SHA1
6c9fc370856de907168a42a6bb874b8a9a209ccc

SHA256
f077e0e1bfc551863a408c275db7d435bae5c0a689a9c0be960722c5f1cd904b

SHA512
91eab9730bf0de52a379be33248bd5095c16b13d4d7e91d9d919484b1d8fea4c5cc5082421bef131abdb8bc09711a9559e4a877c9b8e31bc052c93a48bc7421f

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
352KB

MD5
c431b125f646b77907d7ca5a4f94c5a3

SHA1
13b0b1c72d91c66945cb03b1e537f7aa13669bc1

SHA256
8db8614ec8c26ef6b9fe6f2aab70b64abcb92dfc91707b8853048c291f447e10

SHA512
c0471273973b53a4308b06b8d0bdca04a4220f0b003235fe9e05db3fecc4d7dc25715ef1fd24d809fb9d2b18edf69172216e5e253af915e08ab295f290138d7a

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
352KB

MD5
fec4da6af884b28192985be2e795d288

SHA1
94b8c3be64f21847ea9e023700df5881018488f8

SHA256
9bf2ef6836753aa5a56a2dc31af8d18e2b6bf723f3113142506f93a024f340c1

SHA512
8eadbdfbe155873da849d2e213cb4c8420ed385f15e6c803f8752e57b972bb5b0b81532937d71ec1e1368a60a5a7e808c6f974979b90f0e2a5922ad9c3239de0

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
352KB

MD5
2c5a240d5cffdd53c8b6b9b35f20e0df

SHA1
5f5e67a2ec3476eabc49e54490595a1c899fa310

SHA256
4e207b277d539675bb6008dd547f9b56ae39bf1a9d4f7aea12af304accc8deeb

SHA512
1ab028180022f77b947ec547bd4ee6638c319896a8247f19c98c5d3a079b1541127598407d5c89527b089794ab2e667f4d3e12d4fc4382d6a9d03d1df7b131ef

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
352KB

MD5
8cea1467b4e02e86c603293110ee30a3

SHA1
175dc7204cae050a4eadc6cddee67902ce60aeb9

SHA256
29e60646b6df74d01312ae14c03b59879671f88984feb96f703d057640259e72

SHA512
a45de0b5d8a20e6b3745209f426187f8ebc29d0e7bfe84c87c07f3627c458318026393dc5ea0e37aab237ce03bb6dac285dc147dbc1b07da52e313e5c0d57114

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
352KB

MD5
53e79941a3d5fc68a50a4180e5027913

SHA1
833fbf07728853cdb9d8f6a867e76deffbfc1d20

SHA256
4698dab3ead304a10fa7039b905d4635952c7b82f1f2b1cbdacefe3a1b48f9bf

SHA512
7d046c3e5090383891fd603bb4d3bd3866f2f0de1ee6b125ae462bd4d2bc3bce72dc8a85d60988fd8e3e5376c7a7fb52cb45657c6935f371c08d61849b35f403

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
352KB

MD5
ed2c86e5cd31b2061e98daaf0a552a35

SHA1
0785159a58e45a9ae8d10da304d96675582c17e6

SHA256
566ef0cb1e4d48c5a441ada72be3758377ce96418c41566d09711bf3164283b2

SHA512
58276db45452eaea313c5aec06684f16f404224a8b4685420a76fa82d3143f2ec5fb0a6f81a27e9df05a90c6f3ec83408cfbac9fe025afcbf50f48534230c056

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
352KB

MD5
daf0609bbb56a5ece3d7ab38a09ab879

SHA1
f469ad6ab1a5685c5d13320508dce4b3f609e25a

SHA256
17fc87e75d6eb3e98d221ddd57358bc75258ce8d363057eabfcda5609ce7638e

SHA512
41e27ff1b45da5b5d2a982cd7b044314fadac89384c7ef804655fdfe2a0388f4c266872f10516f1c3cfb06d0da606c36772649f6976d98a09afafdee7015f8c9

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
352KB

MD5
a333f7f25a688e0f349e61bc4b9d92ed

SHA1
f856365212136480925022beb28724dd91ae5dbd

SHA256
6e052247267398b0e91ac98822ae04bc1484c47a9a71ca21adfa32f8470a2bb3

SHA512
72bf6beafe308d74046b0aa4cdd49cd4f96fc1c6bd6b2886e042c6a804f2434e3705a4cb02a7305c8519b83bac90ba7f3a66cb586353b4f757c705cd9f54416c

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
352KB

MD5
82f3078143b08d385002b35809a6ab88

SHA1
7f76f0b381fd885e95468f52fedbf6c9432ee974

SHA256
8d6e9dd86539fe2a1bcc8d590dc9d359185f33fa8ca71e4109644b82b97c6add

SHA512
4a3bb86b2d82bdf7c5248e77c19d50533aa2efcd458c13c5710bace02d8c1ff98490249779c63854ca561416a2f7f8855a37b641b4f8b60929d0765e0d57019d

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
352KB

MD5
9cd26305e1e960f6286a6d7104becf1f

SHA1
b0bd75f2a8eb5ed36a39b803a754850cdc308e29

SHA256
f063aa261455756c8024ae1a53f4b3cd78561738670f28c0adaa69e9f9583489

SHA512
ba0c9a2cf9ab456dd0b7ac5c7354deda1457ba20bec17ca24b1f0513e0f0e884df819126c3674d42d7e038571a7b94c087758e410f1c5bfed2875e088604618d

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
352KB

MD5
75b300b389b14989cd6eeffb64b6f65b

SHA1
f43e2ae93dda38ea771911e3e960bcdbb1b8cc3c

SHA256
4481b67bb97687016b8d5d25d6953f2770aef2d327655fcb12f98c28804bdc1e

SHA512
948e798951544146cf21ad38c735be518da5b9ba1aa9b4346fe2f06e6e0a7c644be4324e5b5b59022cf87eadb23f5abeca37f9ab44b715bca2f9d156ae264eb8

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
352KB

MD5
fdca1a1f860227018075458b2ff6a50e

SHA1
d3fe048cf09e7a380b8bee21cfa5642a2b2c75b6

SHA256
2b162391f0ad8fb733f63a008ae63eadb087e050d4c893060d0ec717e8b96ff2

SHA512
b5dc3c6d6712d89563ab5ca246a4dfd5ff33032400403ddae5e875649e6d5fcbe2cae4d1c88e8bcc7752db5d6f76e0c8aef1ac3941e53cb6894767a1bc29df36

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
352KB

MD5
97b40d5c27718cdd1d538b0bc51d3f74

SHA1
25fd2452d66ab31b293a219b6f1a2610b961dfdf

SHA256
6e0d058c47f01c7288840df1890f65ef5cc04b2c40939c22b9a00d5299e7354b

SHA512
e69bb156bb8989ea102701d89cddfbe6b0d54ed8d5400d5b49ef9b93b64fee72bd09d08246a69ee03646de5de6e543d824eebeb5bc40c26d6c380144606f23a6

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
352KB

MD5
5b9465730213dbee0cdca58927c0f02b

SHA1
db61ee9e204dbed42fbb4a4f8c3c99506d44e336

SHA256
a9a16ecf7239a6c376ee70288fded2cf48bdeb5448fac7e76ee06db1f2e5aa06

SHA512
88ac9572522107c073411d773975eaadc6bb5ec1206ac603aea28c429612da8681e4cd8fef93a47ea42bbd08d35745e17eab32243ae65057394d6e898f6c700f

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
352KB

MD5
4214248d7f564cb68a4d9d8b13bc468f

SHA1
a02791cfeb1d48060861bba1a40e2544918c8b7c

SHA256
d9b336104192425d2045af8337afcf9785a57f50558147e3899d2e5f8fd0134a

SHA512
28b88cc5acbca3d3102882dda9b9dc4c8acea52900a4da29d639f224740856a7f4fe38179080458d81155010560b4681b415b5774e485916b1043ecac0190b0b

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
352KB

MD5
67be8e5796527ae2acfed1fcaaeaea35

SHA1
cc56f558f21d4cb4d000eb38b21addeda0e141d5

SHA256
91572ac4568b3f5ab20558819e1fb6210c511e53424cddeb15d8822b69ff9d4b

SHA512
e6cea4a747702050fd3c1cde5fff7007e7b0da8a41912b09fe3423209ae81e39482b80c9d485b57237a5f5cbae802e867ca5a46d361cfbf9f1918ea47153b668

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
352KB

MD5
86dfcf941bdedf3f10703b131085d7d1

SHA1
8806d9ea542fcb976d0c44f76e1ca0301fb10598

SHA256
5cf87c13523bf6a1ea9c1a31ce7857183947ae0fa92c844ff76ef214fae9d4eb

SHA512
0d6a50b10a08ad13b58805201ee82b3e0729934233ad70178517d7928eb6c8a18bd69c2bdb21b232cfb1db85376850849267f7a89894b56bf1e0383620d851a1

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
352KB

MD5
17fd882f0eb8a8310c29af10ee149147

SHA1
dd7c8b490022b05191dea8ed6f7a9c3f749946f8

SHA256
e0d7a704e60583e730df9f4625a41d276ab7c2994365923f43624619feadf43c

SHA512
63b9539c4d494e96c71f23aef1bb9f1d5199d498683543aec089acd297ba142898757c1b4f37708346cd9fedba4c50e0b8826d8a9f7f313bacc8292c80848c03

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
352KB

MD5
25f4e1bb2c2335f2b556af4d50c30e33

SHA1
b9eed6abf46552d6aaea5c96bda69e00f7ed00c8

SHA256
c06f19a16b414261b100c2b0defd6b7cbbe9803750f801065220a40ab8395877

SHA512
386cf189deb603cd0c9718d68bb8a484ed469aba137c8ae41f8c34332d56de5b118d28c7de3cc4e5cf3e0a6844f9c4312709faf538d49fad2b8b87f6810f7441

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
352KB

MD5
f174675ae89938cc1373ef4d33218962

SHA1
0273160288048f04179c107ce43225fae9e99d14

SHA256
bf2505a4bbf24e723097d20ca79f2815993491e243f3aefa1c90dd7737990298

SHA512
2f810a291202d9bbd263bea827290ef81cd76cf960d1295996e73f17f9c5946629bfe257f1775d30929f11fd9e7bfb74dba21009c291ad921dd3ea3b06ac7faf

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
352KB

MD5
2468251e00fd2d9b9ce5997b91f24fba

SHA1
709ba59798b5af546ef22714777c41d546307e4d

SHA256
b4400cbf08fbfe7c28fe2efbd6d4fda5f067a9ef395a2e391fefcf151945f815

SHA512
d866fde84f3b30eaaae596da02667b66fc10cf35fd8b3f986681584b2f70a907bd2a1ec92b8a0e41d425e96da5b297b40a5d72113609acb99c7e53cb81c3097b

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
352KB

MD5
91a210372a40eb377d7dadc763c78611

SHA1
688287e336998bfb6eb1703b04d746d8ddb57826

SHA256
aa44ed4e860a72aba9524fbe27d2bdf30b39c6e22b1ed4a8ad5bdeabd1f7d1fc

SHA512
ee8b4dbe0e30311905bb19b2c5c22468b9537fa4f95b48c0ff02151a94c4b9c5e2ca01664a50229c8944706e8b8332884861e8f69ea2e512118098bbad521c22

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
352KB

MD5
b84f6cf32e6f83703d1cf12ecf6665de

SHA1
a34c59136b518e103eae214124299b997ce152b6

SHA256
f23fb242418a35448f22bb00c9b7d1a3bb869f9521d23d4e7c62dde08b26fdb0

SHA512
176a6cd2ecfe6d426456d8ba4ce963d458f938120bb7cbbf65ba1f30884f9b725f3bf19d08eb9a426acb27775569fdf4b159dd1eeac3f5949ade13c4f7404514

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
352KB

MD5
d5baa82858bee1685a20a8ee124575c4

SHA1
18260841214fe4c3488f92c89a7b483547ccf8f2

SHA256
6f0ba65f0888c1999df57c69b1594c9ca121c81c6ba41eba5d15a3cb258e1bb2

SHA512
9f5d7cc4ae68d845ee31ca6a998a2b06c820cfcbbe65aca0b665030c21f85f39b18e9908a1b037ed022812b5df48d6c1d037d60cf9e1775e46f13235ccae8f2c

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
352KB

MD5
c7b10ab5cdbc496ea02cc943a3db271d

SHA1
3d82b6bbe1f1cfb7c6d0c96e85ee50390c8ce435

SHA256
e1f85a99945f0e70f38f98b4686e6ed095c21211899777d4e8db47828d9d9b83

SHA512
23f7361da274e49b3068b43d49fd5402fb6f4ef4ac5592280ba58b3b349a99fb1207218b602df5fe36ebe00ee2194f0c048373d75249b6609ed601ced8742450

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
352KB

MD5
9bb99194886b5056e047862c496af8d8

SHA1
e1aeb9e2e769fd6503a19826ab42f2b6cf2eb00a

SHA256
4726c401b79be15171c87ff641b7a9111fc50d7ed1392998b33754e1b7140a96

SHA512
291f108ed644b67cba7cda659a97d78adfb68630acc1c6f92d034a8999650074cfdfa7df81aec378260985c89609095d7a6c2fb26ef2c04c0f9e5191bfc4ca74

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
352KB

MD5
3a4a23d00ff1f4f734d30f5b2c40ad03

SHA1
5fd4a7bf393216162bff9f78817475c0f495d125

SHA256
e421faf75d2ea11a595890e3a0a733f89930b70d32234cf738e044f3ac04c120

SHA512
a8d88af2cc54e1731642db5c6487e44086433ee7a4072d5a423e144ac7744c074d3435263b50fc49c509004470459d07cb936ada62df06124da773f3d5b94f7f

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
352KB

MD5
1b6c000e5621928b8fcb8a08212cb2f5

SHA1
c88ad5a50f128e2dd952011df5b3c4be3550c7d1

SHA256
a4c372fc8578a9a42634fbb7056c6815be0395e21a5d138a04b796edf0a563d5

SHA512
77a2595f7d69b2d5d246b9099b4ef43d89deef9173a8a75c917b5a6751f5ba9b1ac3d0a21da0328eff2bf8faaafb24a1696e8bd01a2e1462ba1a916791704e73

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
352KB

MD5
93d4498512b758b855ff6fd0f8ba2467

SHA1
24aa6e86d8d938c69c2fd5ac9d3cf6015c1c85e7

SHA256
7ec7aee9a2284d0563029dd6d215a1b65d1bff5e8aed49a2d2ac18440f55a189

SHA512
327ae101e34447e17f9ea51c7dd4633a1b4892c81dbdfc07344b02c50e3ed4bd316da9b41c960fb633bf095e134645e77c0d2359ea45a8a37725cbf4f1990708

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
352KB

MD5
c76702bfb206b5fa9192ada0fd56efb3

SHA1
aef7d78590374e7ad2ee02363b44acd5d310901a

SHA256
d222d566bab7be19ab7c3c550df2f771892481427d9d275608475328295ce4ad

SHA512
d80bfc20c82e1d5f04ee00be05d3b00d750e35e96e6544badcd239dd3e7bdef2a8ef972cdde910d69bd6a0512b1e7e3e7a62d3f18995938009244fb9ddf67104

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
352KB

MD5
3c81f7eb2fe61877dfe8ba903c0507ad

SHA1
ee5983a2a115e6dd516bf266bfafbdbcd0fefb6f

SHA256
299625fd6a0b81fab736d4ffbd34c8aed409ef1779339180effa6740271d4cb7

SHA512
4de0567357efd7d4de1ddf85ac6a9d73b9e97d46927101ef90ac5563be6b3a10a405793b720b97ed82ff2f4969c90f2018a77c0618c5b581e1e77d52e0324e4b

Download Submit
memory/364-409-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/460-387-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/528-400-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/540-528-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/752-431-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1012-399-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1032-392-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1100-385-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1112-434-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1124-427-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1168-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1184-378-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1484-417-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1496-407-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1516-388-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1524-379-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1584-8-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1652-521-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1768-404-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1808-522-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1908-416-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1916-394-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1928-396-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1980-532-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2148-533-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2176-577-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2340-428-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2432-383-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2444-526-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2460-430-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2476-422-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2692-433-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2732-377-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-413-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2784-523-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2856-415-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2864-390-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2888-418-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2944-381-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3020-536-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3188-405-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3288-402-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3440-432-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3500-406-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3560-414-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3616-393-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3768-28-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3876-429-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3924-426-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4088-398-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4156-534-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4160-382-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4216-403-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4220-395-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4344-386-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4364-380-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4388-397-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4396-408-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4404-411-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4420-425-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4448-384-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4460-389-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4480-525-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4492-412-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4496-537-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4564-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4612-524-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4616-423-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4624-421-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4820-410-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4904-419-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4936-424-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4948-391-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4992-420-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5040-401-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5140-578-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5180-579-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5212-581-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5252-582-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5284-618-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5368-623-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5412-583-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5444-584-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5484-585-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5520-586-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5552-587-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5592-592-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5624-613-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5668-625-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5740-626-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5784-615-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5820-616-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5856-617-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5888-627-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5948-628-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/6016-634-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads