f2844f7e00bb4df1271721be64585dd267bcb43240b34e56b221ca479a710b1a

Analysis

max time kernel
140s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

050b3ffd1b2b2a0dc9d20b50ee9704f0_NeikiAnalytics.exe
Size

94KB
MD5

050b3ffd1b2b2a0dc9d20b50ee9704f0
SHA1

b0cbe88c06c8a0a0d73c280d8c36566a15aeb612
SHA256

f2844f7e00bb4df1271721be64585dd267bcb43240b34e56b221ca479a710b1a
SHA512

3ea570f09ea26b42e851ef48f685312db8a8785c217aab3206d56cd0a5a8ba58c033f48f846b3cdf0cc6229b9ff9fdbdf91817ed7861bab80c22cff96209ca34
SSDEEP

1536:oOK381i/DFPoGcqybuP2LwaIZTJ+7LhkiB0MPiKeEAgv:oOioGMTwaMU7uihJ5v

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhaggp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekjded32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdlkdhnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckeimm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phigif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aefjii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgplado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejopl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geohklaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edionhpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hplbickp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmeede32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnkfmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnipbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgcjfbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbjena32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnkfmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpakj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eohmkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicgpelg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oblhcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcdeeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhoeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bedgjgkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enkdaepb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onmfimga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdjeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fndpmndl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejopl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfjcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geohklaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbpjaeoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdpgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnfmbmbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadpdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfagighf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqmhqapg.exe

Executes dropped EXE 64 IoCs

pid	Process
496	Pknqoc32.exe
4496	Pdhbmh32.exe
2600	Phfjcf32.exe
556	Phigif32.exe
2172	Anmfbl32.exe
1852	Aefjii32.exe
2972	Adndoe32.exe
916	Bemqih32.exe
3996	Bedgjgkg.exe
1596	Bheplb32.exe
368	Ckeimm32.exe
4028	Cbdjeg32.exe
1352	Ddgplado.exe
4948	Dkceokii.exe
1732	Dbpjaeoc.exe
1504	Eiloco32.exe
2632	Enkdaepb.exe
1412	Fneggdhg.exe
2760	Fnipbc32.exe
1568	Fbgihaji.exe
3888	Fbjena32.exe
4532	Gejopl32.exe
224	Geohklaa.exe
3716	Gfodeohd.exe
32	Hipmfjee.exe
4392	Hplbickp.exe
3508	Hfhgkmpj.exe
3280	Hlglidlo.exe
940	Iplkpa32.exe
1472	Jmeede32.exe
4804	Johnamkm.exe
2808	Kgiiiidd.exe
4684	Kfpcoefj.exe
5116	Lgpoihnl.exe
1436	Lopmii32.exe
3156	Mcpcdg32.exe
1828	Mcbpjg32.exe
5112	Mnjqmpgg.exe
1700	Mmpmnl32.exe
2416	Nflkbanj.exe
4572	Onmfimga.exe
2372	Ojdgnn32.exe
3616	Ocohmc32.exe
3456	Ocaebc32.exe
1640	Pjpfjl32.exe
1156	Phcgcqab.exe
4688	Pjdpelnc.exe
4580	Pdmdnadc.exe
4560	Qhjmdp32.exe
4912	Qdaniq32.exe
2004	Aknbkjfh.exe
2996	Akpoaj32.exe
1720	Agimkk32.exe
2024	Boenhgdd.exe
2040	Bklomh32.exe
2980	Cpmapodj.exe
4180	Coegoe32.exe
5100	Cklhcfle.exe
4616	Dqnjgl32.exe
1428	Dnajppda.exe
4904	Dkekjdck.exe
2964	Dhikci32.exe
1740	Eqdpgk32.exe
880	Ekjded32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Johnamkm.exe	Jmeede32.exe
File created	C:\Windows\SysWOW64\Aobmce32.dll	Fnfmbmbi.exe
File created	C:\Windows\SysWOW64\Iamamcop.exe	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Ljbnfleo.exe	Llnnmhfe.exe
File created	C:\Windows\SysWOW64\Cdecba32.dll	Ddgplado.exe
File opened for modification	C:\Windows\SysWOW64\Iplkpa32.exe	Hlglidlo.exe
File opened for modification	C:\Windows\SysWOW64\Mcpcdg32.exe	Lopmii32.exe
File created	C:\Windows\SysWOW64\Jpehef32.dll	Geanfelc.exe
File opened for modification	C:\Windows\SysWOW64\Keifdpif.exe	Klpakj32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdjeg32.exe	Ckeimm32.exe
File created	C:\Windows\SysWOW64\Jkchlonc.dll	Ckeimm32.exe
File created	C:\Windows\SysWOW64\Bmgagk32.dll	Lopmii32.exe
File created	C:\Windows\SysWOW64\Bnnkgo32.dll	Johnamkm.exe
File created	C:\Windows\SysWOW64\Oqmhqapg.exe	Oblhcj32.exe
File created	C:\Windows\SysWOW64\Coffgmig.dll	Gbnhoj32.exe
File created	C:\Windows\SysWOW64\Dahkpm32.dll	Iamamcop.exe
File opened for modification	C:\Windows\SysWOW64\Oiccje32.exe	Oqhoeb32.exe
File created	C:\Windows\SysWOW64\Cjgjmg32.dll	Hipmfjee.exe
File created	C:\Windows\SysWOW64\Ebjjgd32.dll	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Pfgbakef.dll	Ppikbm32.exe
File created	C:\Windows\SysWOW64\Jahqiaeb.exe	Jbccge32.exe
File created	C:\Windows\SysWOW64\Ofblbapl.dll	Fndpmndl.exe
File opened for modification	C:\Windows\SysWOW64\Ipgkjlmg.exe	Iafkld32.exe
File created	C:\Windows\SysWOW64\Eeeaodnk.dll	Lpgmhg32.exe
File created	C:\Windows\SysWOW64\Lhnjoi32.dll	Fneggdhg.exe
File created	C:\Windows\SysWOW64\Ekjded32.exe	Eqdpgk32.exe
File created	C:\Windows\SysWOW64\Ehbnigjj.exe	Ehpadhll.exe
File opened for modification	C:\Windows\SysWOW64\Hfhgkmpj.exe	Hplbickp.exe
File opened for modification	C:\Windows\SysWOW64\Qhjmdp32.exe	Pdmdnadc.exe
File created	C:\Windows\SysWOW64\Ondhkbee.dll	Ekjded32.exe
File created	C:\Windows\SysWOW64\Akcjcnpe.dll	Ehpadhll.exe
File created	C:\Windows\SysWOW64\Nbphglbe.exe	Nbnlaldg.exe
File opened for modification	C:\Windows\SysWOW64\Fneggdhg.exe	Enkdaepb.exe
File created	C:\Windows\SysWOW64\Kgiiiidd.exe	Johnamkm.exe
File created	C:\Windows\SysWOW64\Kmephjke.dll	Pjpfjl32.exe
File created	C:\Windows\SysWOW64\Kefiopki.exe	Klndfj32.exe
File created	C:\Windows\SysWOW64\Oqhoeb32.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Pjaleemj.exe	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Hnibokbd.exe	Geanfelc.exe
File created	C:\Windows\SysWOW64\Cqichhmn.dll	Pknqoc32.exe
File created	C:\Windows\SysWOW64\Oncelonn.dll	Ebdlangb.exe
File opened for modification	C:\Windows\SysWOW64\Gbnhoj32.exe	Gbkkik32.exe
File created	C:\Windows\SysWOW64\Lgpoihnl.exe	Kfpcoefj.exe
File opened for modification	C:\Windows\SysWOW64\Llnnmhfe.exe	Lpgmhg32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhoeb32.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Agolng32.dll	Oblhcj32.exe
File created	C:\Windows\SysWOW64\Kapceeje.dll	Fnipbc32.exe
File created	C:\Windows\SysWOW64\Flpoofmk.dll	Fgcjfbed.exe
File opened for modification	C:\Windows\SysWOW64\Jbccge32.exe	Jlbejloe.exe
File opened for modification	C:\Windows\SysWOW64\Lljdai32.exe	Kadpdp32.exe
File created	C:\Windows\SysWOW64\Ilnjmilq.dll	Mcdeeq32.exe
File opened for modification	C:\Windows\SysWOW64\Akpoaj32.exe	Aknbkjfh.exe
File opened for modification	C:\Windows\SysWOW64\Iiopca32.exe	Ipgkjlmg.exe
File created	C:\Windows\SysWOW64\Lphdhn32.dll	Jlbejloe.exe
File created	C:\Windows\SysWOW64\Lcmodajm.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Cnokmj32.dll	Mbibfm32.exe
File opened for modification	C:\Windows\SysWOW64\Njjmni32.exe	Nijqcf32.exe
File created	C:\Windows\SysWOW64\Fckjejfe.dll	Gicgpelg.exe
File created	C:\Windows\SysWOW64\Kapfiqoj.exe	Keifdpif.exe
File created	C:\Windows\SysWOW64\Phigif32.exe	Phfjcf32.exe
File created	C:\Windows\SysWOW64\Dqnjgl32.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Gicgpelg.exe	Fgcjfbed.exe
File opened for modification	C:\Windows\SysWOW64\Mcoljagj.exe	Mjggal32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmlla32.exe	Ppikbm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6344	5360	WerFault.exe	231

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbpjaeoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enkdaepb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgjmg32.dll"	Hipmfjee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lopmii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanfno32.dll"	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pknqoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enkdaepb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nflkbanj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geanfelc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmcjnkq.dll"	Hpkknmgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll"	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhlclpe.dll"	Jahqiaeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbmemif.dll"	Bedgjgkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihkjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjfbb32.dll"	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcokoohi.dll"	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnajppda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enalem32.dll"	Iiopca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpcdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqnjgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoibcl32.dll"	Dkekjdck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmipm32.dll"	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll"	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnkgo32.dll"	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhafck32.dll"	Kgiiiidd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onmfimga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnfmbmbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdoljdi.dll"	Mpclce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phfjcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebdlangb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbnhoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debcil32.dll"	Nblolm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adndoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpoofmk.dll"	Fgcjfbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapceeje.dll"	Fnipbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahkpm32.dll"	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	050b3ffd1b2b2a0dc9d20b50ee9704f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geohklaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlglidlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnokmj32.dll"	Mbibfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfpcoefj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edionhpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbacd32.dll"	Kadpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqmhqapg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 496	4992	050b3ffd1b2b2a0dc9d20b50ee9704f0_NeikiAnalytics.exe	92
PID 4992 wrote to memory of 496	4992	050b3ffd1b2b2a0dc9d20b50ee9704f0_NeikiAnalytics.exe	92
PID 4992 wrote to memory of 496	4992	050b3ffd1b2b2a0dc9d20b50ee9704f0_NeikiAnalytics.exe	92
PID 496 wrote to memory of 4496	496	Pknqoc32.exe	93
PID 496 wrote to memory of 4496	496	Pknqoc32.exe	93
PID 496 wrote to memory of 4496	496	Pknqoc32.exe	93
PID 4496 wrote to memory of 2600	4496	Pdhbmh32.exe	94
PID 4496 wrote to memory of 2600	4496	Pdhbmh32.exe	94
PID 4496 wrote to memory of 2600	4496	Pdhbmh32.exe	94
PID 2600 wrote to memory of 556	2600	Phfjcf32.exe	95
PID 2600 wrote to memory of 556	2600	Phfjcf32.exe	95
PID 2600 wrote to memory of 556	2600	Phfjcf32.exe	95
PID 556 wrote to memory of 2172	556	Phigif32.exe	96
PID 556 wrote to memory of 2172	556	Phigif32.exe	96
PID 556 wrote to memory of 2172	556	Phigif32.exe	96
PID 2172 wrote to memory of 1852	2172	Anmfbl32.exe	97
PID 2172 wrote to memory of 1852	2172	Anmfbl32.exe	97
PID 2172 wrote to memory of 1852	2172	Anmfbl32.exe	97
PID 1852 wrote to memory of 2972	1852	Aefjii32.exe	98
PID 1852 wrote to memory of 2972	1852	Aefjii32.exe	98
PID 1852 wrote to memory of 2972	1852	Aefjii32.exe	98
PID 2972 wrote to memory of 916	2972	Adndoe32.exe	99
PID 2972 wrote to memory of 916	2972	Adndoe32.exe	99
PID 2972 wrote to memory of 916	2972	Adndoe32.exe	99
PID 916 wrote to memory of 3996	916	Bemqih32.exe	100
PID 916 wrote to memory of 3996	916	Bemqih32.exe	100
PID 916 wrote to memory of 3996	916	Bemqih32.exe	100
PID 3996 wrote to memory of 1596	3996	Bedgjgkg.exe	101
PID 3996 wrote to memory of 1596	3996	Bedgjgkg.exe	101
PID 3996 wrote to memory of 1596	3996	Bedgjgkg.exe	101
PID 1596 wrote to memory of 368	1596	Bheplb32.exe	102
PID 1596 wrote to memory of 368	1596	Bheplb32.exe	102
PID 1596 wrote to memory of 368	1596	Bheplb32.exe	102
PID 368 wrote to memory of 4028	368	Ckeimm32.exe	103
PID 368 wrote to memory of 4028	368	Ckeimm32.exe	103
PID 368 wrote to memory of 4028	368	Ckeimm32.exe	103
PID 4028 wrote to memory of 1352	4028	Cbdjeg32.exe	104
PID 4028 wrote to memory of 1352	4028	Cbdjeg32.exe	104
PID 4028 wrote to memory of 1352	4028	Cbdjeg32.exe	104
PID 1352 wrote to memory of 4948	1352	Ddgplado.exe	105
PID 1352 wrote to memory of 4948	1352	Ddgplado.exe	105
PID 1352 wrote to memory of 4948	1352	Ddgplado.exe	105
PID 4948 wrote to memory of 1732	4948	Dkceokii.exe	106
PID 4948 wrote to memory of 1732	4948	Dkceokii.exe	106
PID 4948 wrote to memory of 1732	4948	Dkceokii.exe	106
PID 1732 wrote to memory of 1504	1732	Dbpjaeoc.exe	107
PID 1732 wrote to memory of 1504	1732	Dbpjaeoc.exe	107
PID 1732 wrote to memory of 1504	1732	Dbpjaeoc.exe	107
PID 1504 wrote to memory of 2632	1504	Eiloco32.exe	108
PID 1504 wrote to memory of 2632	1504	Eiloco32.exe	108
PID 1504 wrote to memory of 2632	1504	Eiloco32.exe	108
PID 2632 wrote to memory of 1412	2632	Enkdaepb.exe	109
PID 2632 wrote to memory of 1412	2632	Enkdaepb.exe	109
PID 2632 wrote to memory of 1412	2632	Enkdaepb.exe	109
PID 1412 wrote to memory of 2760	1412	Fneggdhg.exe	110
PID 1412 wrote to memory of 2760	1412	Fneggdhg.exe	110
PID 1412 wrote to memory of 2760	1412	Fneggdhg.exe	110
PID 2760 wrote to memory of 1568	2760	Fnipbc32.exe	111
PID 2760 wrote to memory of 1568	2760	Fnipbc32.exe	111
PID 2760 wrote to memory of 1568	2760	Fnipbc32.exe	111
PID 1568 wrote to memory of 3888	1568	Fbgihaji.exe	112
PID 1568 wrote to memory of 3888	1568	Fbgihaji.exe	112
PID 1568 wrote to memory of 3888	1568	Fbgihaji.exe	112
PID 3888 wrote to memory of 4532	3888	Fbjena32.exe	113

C:\Users\Admin\AppData\Local\Temp\050b3ffd1b2b2a0dc9d20b50ee9704f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\050b3ffd1b2b2a0dc9d20b50ee9704f0_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\SysWOW64\Pknqoc32.exe
  C:\Windows\system32\Pknqoc32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:496
- - C:\Windows\SysWOW64\Pdhbmh32.exe
    C:\Windows\system32\Pdhbmh32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\SysWOW64\Phfjcf32.exe
      C:\Windows\system32\Phfjcf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\Phigif32.exe
        
        C:\Windows\system32\Phigif32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:556
      - C:\Windows\SysWOW64\Anmfbl32.exe
        
        C:\Windows\system32\Anmfbl32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Aefjii32.exe
        
        C:\Windows\system32\Aefjii32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Adndoe32.exe
        
        C:\Windows\system32\Adndoe32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Bemqih32.exe
        
        C:\Windows\system32\Bemqih32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Bedgjgkg.exe
        
        C:\Windows\system32\Bedgjgkg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Ckeimm32.exe
        
        C:\Windows\system32\Ckeimm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Dkceokii.exe
        
        C:\Windows\system32\Dkceokii.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        25⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        28⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        30⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        38⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        39⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        43⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        44⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        51⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        53⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        58⤵
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1740
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4908
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        68⤵
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Ehbnigjj.exe
        
        C:\Windows\system32\Ehbnigjj.exe
        69⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2096
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Fkjmlaac.exe
        
        C:\Windows\system32\Fkjmlaac.exe
        74⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        75⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\Fnkfmm32.exe
        
        C:\Windows\system32\Fnkfmm32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4420
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        79⤵
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        81⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        83⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3676
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        85⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        86⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        87⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        88⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        89⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        90⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        92⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        93⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        94⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        99⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        101⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        105⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        110⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        113⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        117⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        119⤵
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        120⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        124⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        128⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        131⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        132⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        133⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        138⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        139⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 400
        140⤵
        Program crash
        
        PID:6344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5360 -ip 5360
1⤵
PID:6200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:6796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adndoe32.exe

Filesize
94KB

MD5
5a10a366c89203c8861101912f26548c

SHA1
551a8c7f8d2ad69695699a7864c9012ac6feac46

SHA256
29a9ec7fbaa8119ac60fa41cc68816cb55c2c6ff216061ca01b6fad217aeacd9

SHA512
e0ada28ec29dd69f09b262988dea87f9d95a82195aea5de5a9fe1bf0910ad5b1b9eddba7412de238b1825e5e3db35bc8608823681105d6a7c73ed20ca83b04e3

Download Submit
C:\Windows\SysWOW64\Aefjii32.exe

Filesize
94KB

MD5
80cc632907411842a64645d4df1a3a91

SHA1
3f1ddb2ab007bdc76509f5579aba1c7ceedefad8

SHA256
06c55fcb26b9746f1b5595ba33d685da3f375cd19aa66986f46727a1f12daf06

SHA512
5d138cfd2b61de8e95a178e14bcc86885ef915816c93020aad40e3aacf4c6927ef55823d06793a2b870e8bd372b691acc26ed20095ab1f3d27aebb0490023f05

Download Submit
C:\Windows\SysWOW64\Agimkk32.exe

Filesize
94KB

MD5
2ba2dd5b78f0b38ac7ecdc96f76b0a37

SHA1
e8e95a5d1ec407b938651375e26c8253beca76b9

SHA256
175b85891b20ef184c43cef3a4580efd5a4b65ce89a449cb8a00e2915bb68061

SHA512
7f7599f1b19ff4b3b54e312dc12a98f27295c643d23c3155b59de61d1479a67c5b3e88e3759ae6da673326bb48f04d2c772a057b5c26b06c9e76c5b0cb8d9bb1

Download Submit
C:\Windows\SysWOW64\Anmfbl32.exe

Filesize
94KB

MD5
653fb498deea4e3c624c9080b268a12a

SHA1
21c6b00aa62cd8f87aec693fdf9b7389e1138f21

SHA256
a714271dff0cfcfcd88c3e560e5ef93bbf7e54bfee2197700b0bd3a8716a0eba

SHA512
835d1cdbe526803012de58bb6a045e9b6580ac1991b11f7e38ce1c49a837cd51fa92bd59ceca36b3b33e4de74e0db8742a336297034ccbfff6ce4368085e013d

Download Submit
C:\Windows\SysWOW64\Bedgjgkg.exe

Filesize
94KB

MD5
515a3cbb62d4ce028ac07c48d796699a

SHA1
948640779bbfe52d09e68aa38d858c505cb9fc9b

SHA256
3b57caa79000c30e963f450d5401575049ff148664f40673c36d2f2c64b02cdc

SHA512
5ebf6ca2f9852b1c19a3ff68eacaf84fd39d130d8ade49c3869d0f5001b6f653e7fa5a27fc6e561834d83b068b72d9369f88a442f193593028b7332d01651326

Download Submit
C:\Windows\SysWOW64\Bemqih32.exe

Filesize
94KB

MD5
98d25145aa7141598e6cf70eba901d69

SHA1
cc64b1bfd1d499e09ee82f402cbeba79426a8449

SHA256
8c640f18bb8252cac7c14cc07ad22378f99e4eb1629d65b944de388bb5ecc15d

SHA512
508fb5c480fa38632769223eadad76d62c272a7640e6ea0e74a6f0249fc54f20c1a596788f05211751192b5e68f97bb47b43aee9908deadce412a210133fe55e

Download Submit
C:\Windows\SysWOW64\Bheplb32.exe

Filesize
94KB

MD5
73aec1de0fb1b65e73eb69ebcc5b0d15

SHA1
0f349ae4571e273939ab40a08f5d348750e9b440

SHA256
a54a7ce61ba715d66a5579942aad777af08d9378f373bf4e6ad36b3eabca92b7

SHA512
646a850dc037725976054c23ccf8ad2496373567e5c81cc9d7113e187bef0aad6c07d21092dfb1ccecb0740ea43a0c17d5815d58abdbe1d726c1086e1740783f

Download Submit
C:\Windows\SysWOW64\Cbdjeg32.exe

Filesize
94KB

MD5
169e156d523791075aca3e0f9acef8ac

SHA1
54bf8e810e24c75133d798f94a16d4fd122340f6

SHA256
6257b97231383b071b466e4b6f88950b84d5d2aef4b58c0c6133eaa811c24589

SHA512
9d8d486e5e920cd37cd78de3892e710145060fcfdd02de90e4f6483297cd39287b6fe82d971d28b39919512bf07da2b824b6a49e31378a85b63c75dbc9766186

Download Submit
C:\Windows\SysWOW64\Ckeimm32.exe

Filesize
94KB

MD5
1d57d34520b34aaeefaabbae64412f1b

SHA1
2579d17911423bfb2c1f23460c4dde2d057384a8

SHA256
427ff06aa55ea88b5a06916970ba61f5805702a421c800a2c21ca97059e03f9e

SHA512
d765e2fa07b627d1615b5861791fb07c6ef73c9949998408caea70ccbae4994e10a32deee2a3049ba2b66db5ce25b92a62e80b66c56689598c615e42ae956fd5

Download Submit
C:\Windows\SysWOW64\Coegoe32.exe

Filesize
94KB

MD5
88ed48aa3c043c32189e3b69170a6205

SHA1
a96f4ffd591b561e92d06637fa8d452805ff380e

SHA256
b4d79d36f5485dac8128450ae019dc15e1f83d2446910327ba7c790e44c1f577

SHA512
cb60ce537d536bbbd2d7db54ec618bedcb20e818308e8707d46299d6bfe07dfca67b613e4cd33e5e22ff557d89d6437e4834af43766c1f726e5625a465865587

Download Submit
C:\Windows\SysWOW64\Dbpjaeoc.exe

Filesize
94KB

MD5
9ed2c6b38a0690f4fae8893f77fa0c85

SHA1
b7ab7dfeabb0014c373573d27b690b305b4ee15a

SHA256
141660d341393ced25b4afab2653313ac95daf64b63e66438d6b6bd1edad2691

SHA512
24a126c0a7cebe1584f8b3f19701a0973815d17ac15618268327c3c31d8344fe7a7c90e72609227a3466934628f466a377f2c7b83a8b1c10f315fdc500cc74e0

Download Submit
C:\Windows\SysWOW64\Ddgplado.exe

Filesize
94KB

MD5
f041ed0c5799432011979d84c66d3f36

SHA1
a2fb9fdd3c54494b7b58045e570cbb74d93f0ef5

SHA256
190a1ea075eaa59be9895edf500e22b6785a70f3180a3b018ca201cbee5ace72

SHA512
95adb51e2c28b061f9b68ff20c9f2fb3379dde4705d0991dd8c42a61e74f7d604c4bd9d3a1006074dffc2fc9c1c44a857be620420118b4607217b9a8efdf2b3c

Download Submit
C:\Windows\SysWOW64\Dkceokii.exe

Filesize
94KB

MD5
e0eb3a03e5c4e0c73239a5687f518c72

SHA1
375746e7529f36ddf8fb6857cc76caf1173905c7

SHA256
0d0f103f3b21a403b6d13c991e1099fdf2f9237d0aa4fc0ce124e198963ee520

SHA512
0dffeddbb4aa012d5a82d2ae0a736e201d98cd13793586e48e0c90fa95bcc8762217380a27d2642ea6c30f049ae1fbfdedce4bea5f73d90c9898c39aab095965

Download Submit
C:\Windows\SysWOW64\Dqnjgl32.exe

Filesize
94KB

MD5
49fe37c188ebc1f4b3974ef82eea8ff6

SHA1
2cac50ab0aa7d4a6fdddb82b2a79a13fb258dbdd

SHA256
0f670176eb4707649098b7d836697937aadc86cd9b0505eb8ce5842ed08bebf5

SHA512
5d53c6a3575e3de5c4f02faaf9c663efd88702235c8b82e606391f577eed0bbbd955981786ff8bf27d9e23e50d99057aecac1b412488dea76a36cd5443ed3dff

Download Submit
C:\Windows\SysWOW64\Ehbnigjj.exe

Filesize
94KB

MD5
a02ea670e1eed9e465bf5eafbbec09b3

SHA1
29801f89c8507cdf261ed9e6f45995bc85ca2ef3

SHA256
7e02b144b233ec24778a6eef2a1731767fcd0b83bb9e7729e2e15f4d34a838c3

SHA512
bbcbeb30d75da45503f236e32b47638e9c1f1b79865a7d2af9a7068d8a348321911fdc174584225086fc158e3bf65b49b8c79ae04c735a94eca1c49f9d15c591

Download Submit
C:\Windows\SysWOW64\Eiloco32.exe

Filesize
94KB

MD5
aa2e42f38a9a2920f09b9514ab9301f4

SHA1
5d5dc131d1babf279b37b74fbee85c7fa9cb22e0

SHA256
3253759084ac87f4ff906eead99dbf5bf4db1b769242412583e3840463789297

SHA512
9f0bfb9fb29d5e391e7c98460baeb147a9c8651fff27f4bf59497c22cb01842a8e26aa4b2a5e08d5c7d8a198bd98e43d012914809df98b8067b0198b82acadf7

Download Submit
C:\Windows\SysWOW64\Enkdaepb.exe

Filesize
94KB

MD5
c118078e033c6baaa0e8751556256945

SHA1
5044f3eb7aa1d34743e90878ab5511081a370a53

SHA256
6609be6ac7568be73aee01c78f3ed5324f06246bbdefce269135b53437a0b592

SHA512
82ad54d0e7f578394f2ba96f9aa25974881f639e5e77b3c14988a79d2fab268dba3efea046a57d3c6cd4cdd6778bb5549d28d8cf11929c7871279183ac7a8672

Download Submit
C:\Windows\SysWOW64\Fbgihaji.exe

Filesize
94KB

MD5
ed2e60fe19cdb68964d04aaeae82383a

SHA1
4e744435c833550efc02436606b505e7bc515a44

SHA256
69e91ae6ce0686a648aecde57eba9c4a55ea9acd0095f3f3777f8ff82bdf7409

SHA512
fd318d71468d0a2cc36728111878ba4b76d14d509e331d201090e20c28f8b8b068b1ae2807fb34a6343ff632938beab1dd59a2f925671c57303dcc31c501932a

Download Submit
C:\Windows\SysWOW64\Fbjena32.exe

Filesize
94KB

MD5
88793ce7192c921de96e9006a6a661ba

SHA1
6257a6e9e65f5088d23e0f782a625a60e64b5c64

SHA256
30c2e88208bb61c87a195e0c1883e93018a49eec105323fd38e121f048195c8f

SHA512
f32516821ff9f86acf153895de73f47a0f7085111c2961ddb2590be4397070651bcdc3c9da3e267e0ed48aaacdf353ec8df4f90aa84aef1aaea9140be82cc6e4

Download Submit
C:\Windows\SysWOW64\Fneggdhg.exe

Filesize
94KB

MD5
0b79ea5e25e95a1057daa7ee56c91370

SHA1
6f05c25178cc1d7aba49031006d1134e046b171c

SHA256
23244a144f9211558598e2a9ec99f6a1305bbf82893d600786c1472b70de7b7d

SHA512
338671c29168904ef239c34ac6c907b8b9a5353c3225cded816bec9769963b2036ff67ab93b87e67afdae38beae1e0bb4cbcd874746852e3821b5c4b3bfa3f37

Download Submit
C:\Windows\SysWOW64\Fnfmbmbi.exe

Filesize
94KB

MD5
eb6456b5bc832ca30264ecebc65112ef

SHA1
d9622cd50028ad6545461c4cb732af7174b3d935

SHA256
23ffe29335242e5592f95d36e597da89c76d4af994872f5e3231cb82ffa0ab3d

SHA512
e7fddeb3eed1d7fa3e1a18b4ed83887a8fcba5bc3a12017b4350a34f9a57562012010382a8f863b4b6d2b71caba4440745f4158008f9b86dcfdca18a4dd89742

Download Submit
C:\Windows\SysWOW64\Fnipbc32.exe

Filesize
94KB

MD5
5a4d3c9489706cd1d171f62d57e6a61b

SHA1
66534c6adc85aaca42e960d72e07e54643776e7f

SHA256
aac64ae020e54855a9b28d88bfb8d1930477905e48be770359b3769dd77c3092

SHA512
172edbe2d409be173a641077804e60a496cd5f0aa569dd87706dda0ead8b136dce65b69e26aa0bdbb696d6f51d227a3c5866c523b899d8205399d40f55383e09

Download Submit
C:\Windows\SysWOW64\Fnkfmm32.exe

Filesize
94KB

MD5
549533ab4aea91266af4d901bb7b363b

SHA1
5b47f2863704366916b554e131c396003c7fc77e

SHA256
0956f9d825bfea300e8a59e30eceb23a3e4a738a8e5dffa1c60dd621ddf90252

SHA512
e9e862dcefe42157325467c674bade1bf6c9feb65a83e65485f3b4264ec80e9f1492162e660d1ba6c8318e64ec6829c8b605b0d7dbb4ed47b73e4eacc3d36ff7

Download Submit
C:\Windows\SysWOW64\Gbpedjnb.exe

Filesize
94KB

MD5
fd10624a28492de21564849e4ce189d2

SHA1
aa4fab588af56b7b633655332803974cd54bdad3

SHA256
3ace5bed340b7738b20d719ef09fa7d49d9af36feb1ba65bd73fb72964dee1a9

SHA512
7e60dc6ce06bb541046939476bbb56cf9c6e4b47e75e42eb2a076f33db611a1236903785738fe57b6984fccf87c84e2dc35c10afa36e9eab64a8b3cb61b7d507

Download Submit
C:\Windows\SysWOW64\Gejopl32.exe

Filesize
94KB

MD5
f68a24643456db4f2c0459477071f62b

SHA1
014ca2642acc3e0195711c49698efc454924be9f

SHA256
973c2ba854dc4f04d42799c243cffff6a0d1830e8f6d07688ca0f63c1a4838d7

SHA512
cfc5f1f5aaa2899304dc22a7d634a3cab066401874a0fff8bee8fcd11d2911a9f3e2fb943511915e33ce30058c7d5dc166db9357e64953554ef53da965204b3b

Download Submit
C:\Windows\SysWOW64\Geohklaa.exe

Filesize
94KB

MD5
6029b638b0ddf62d009d320d0d352bcc

SHA1
1a555fa4fc30a43b409b73dc4e22e738b796ff87

SHA256
0020a84a592a85cb6f815cdaa99e71b2a05edd12546abe21d7ca3d523aa5aec6

SHA512
bfd661ace7563b8115701201cc55975d3efd40a106e9c0f497c446d4707a0af075e9645c32bc3dc7a9c64b4680ae7e51858ae95ce87622467396916aa959914f

Download Submit
C:\Windows\SysWOW64\Gfodeohd.exe

Filesize
94KB

MD5
da0e70e947a4cc91786b6edba46c89f9

SHA1
e5ac920070c425112a9a355f4ddb756ca79c2e26

SHA256
354f6e12489482936fc968548f2c9cbd34dfaa2c4f4d604d2309ab9db3766206

SHA512
a3d2bcf1170117053c7c285bacd12117b917bd2c7791f339a2ccee0d17b1f93e2db29333912616354e262f83d7801d13fcf9436fccf0e634edb0ab0e2cd54865

Download Submit
C:\Windows\SysWOW64\Gicgpelg.exe

Filesize
94KB

MD5
cc1102f4613c516a49d92f0625a82f2c

SHA1
86b661b4881538343dcacb0e7b946d06aa74450e

SHA256
1facc5e16170ec2057caf1d730a057990608ca7dbe1bb955f74405a05ae8396e

SHA512
d1d523370aa8f961ceb478b213a51e71003163caad8cd1f21125ca5f2bc5e7dcc415d6d04f25026aca238122c47d66612f40a35c2706ebeb5a886c2a332063c0

Download Submit
C:\Windows\SysWOW64\Hejqldci.exe

Filesize
94KB

MD5
1926724c235230f92bc1c4e19f6ec66b

SHA1
2ceef631fab85aab720c7b4542297e373ba6b943

SHA256
df81804d001b9d08e69cbcd3406da8fa6613457ec28caf5bfbf11ac3018d4a47

SHA512
ad1a24564e0bcd5053c28a2febb094be5d794c655762a472e645e95c33f0ed49d30cd075e4fadda0a9cfff41c038f0e9226c4dd850913c15f290dd91f1cdee70

Download Submit
C:\Windows\SysWOW64\Hfhgkmpj.exe

Filesize
94KB

MD5
f1c7a90e6e997cff7c93252761d0086c

SHA1
be1752bf96d32407a17c630753922d2d5be7ad2c

SHA256
0eb11c4015752c61fce2d2f21e8e8242187c197bc288c12dcceacb5eb2d272c5

SHA512
39962b212ff01e44d91697946a6401a4d5c3445df23e2987f97df51fc35dc02bb5a3bcff53c8b33d716851c954cb5a2d07996a9e8e400cf166ef4b886df5d49f

Download Submit
C:\Windows\SysWOW64\Hipmfjee.exe

Filesize
94KB

MD5
b823e43b7f2ef1e0e2b6b16f65cf0cdf

SHA1
d55c037a710177732c2ed1f4a80b309454c257eb

SHA256
3a60d7f59fcf4a5d82e7d9688597061c13866641db07f42f10385dc8f88249f1

SHA512
9671111055716047a7ee77f3ad38ff83e29427a86f1f910b8fe20d3ba5099e46b7fec26d6362d187828e7bb7037a8f6716e60e67eae35ae6ee90550575ea1409

Download Submit
C:\Windows\SysWOW64\Hlglidlo.exe

Filesize
94KB

MD5
44026e47732ab673307178938957b94c

SHA1
70d77a679ec987e5452d50b70392f2854e239e00

SHA256
8f9ac5267c27d6f8aa36859b11adb6ae0a6144c1b3d4e168b17a4220957cb414

SHA512
3686e5e6dae7f695f1b917f15ffcb771cddd096fa514755ed89fba3cebfe1f16a75cc187ba402fc7c8b13d43b0ac74e749299bfe58cb90ce456c49af92273e1b

Download Submit
C:\Windows\SysWOW64\Hnibokbd.exe

Filesize
94KB

MD5
957accdf2c4f1227a202a48d379dbe36

SHA1
29342efa88a6f3fe98a6296727c9daca2015089a

SHA256
3d8f491424ed001bd40ab6017ba63f8052a795f5f68e3e1a2cef74d51ea326b7

SHA512
53f5748b1799738419c9f20b9acb48af4a6093c97be77e83fc3fa9e03fcfe8dd3cbe394aedd0e3ce681883220a0509d5476478acf7d73e37524c4b69b34959b2

Download Submit
C:\Windows\SysWOW64\Hplbickp.exe

Filesize
94KB

MD5
60177bd9f6c644aa263534032d23df82

SHA1
f0419529a94b752e0a3180f1ede90ec563566607

SHA256
10b010e98aac8a161acc67fa9acd0d3655e409d9df8d302e62ad5fc308560191

SHA512
240ee4f4b64c8b1cc16c337662578d829e373d93242f7a917437aeb5a433568ff1b39e4dbe465a9ab0c4055782dedec087dc62028af6e7cc9ba5a2f7131dac96

Download Submit
C:\Windows\SysWOW64\Iafkld32.exe

Filesize
94KB

MD5
602614d1180e841b9ce24e1473c97307

SHA1
def4d5c9af7c1f4c4bb1167018cf3b5047b0739d

SHA256
0c04e2d12865d51f34f7cbaae21d93e38bd6318248389e511449c7797de13556

SHA512
77a36ecf7fa1b5bfd49e41b1510ecd4ffa9421544a746f5a28561ab480f95c4367e6e80c53a77af243ecc07a1a783dabaa61cbd37134f3baf8443f508787a903

Download Submit
C:\Windows\SysWOW64\Iplkpa32.exe

Filesize
94KB

MD5
55cf7de26f87d69747b560586bf12830

SHA1
fd99934e0e2f098cdf161ccfaf12c5ddab4cb6b4

SHA256
83a903c09753f79cc865fc56a001ff5d52876064a2b7533f918f4eeb66f4115b

SHA512
af5b48c3a919d65f2f5b84a8224258df5fd9467d58a5d86fa65a6915ed14b16ee1d6861d47456528c0c16455adfff28f70f46b0061ca61a87de8a4e80f252094

Download Submit
C:\Windows\SysWOW64\Jahqiaeb.exe

Filesize
94KB

MD5
955e75b95ac07946cc8d12e1dd0436ab

SHA1
cf1247708cd324b333c6c5dba590a25783ba0e86

SHA256
add1344b1320945d0bb18c7ab2c8bfa6cc6f22eb056e65161ed1b869cf8243ba

SHA512
1b0d8c0ba4651588ed98f07b6e7a08ee662a648ecdce129caaa3d3c58df3c47c6613b7289bb2fc8c22b596820aee1d8c4aad179001a542a95c0934195a1ed857

Download Submit
C:\Windows\SysWOW64\Jbccge32.exe

Filesize
94KB

MD5
131eaed291f5bdb5c4a7c834c653d179

SHA1
421a921e53f27524d379002d2ffe88dd8b858e37

SHA256
1575ae9a3a772232830f0cf7f03a3c65989b5fc32831c9cc97c3c37fd2b55be6

SHA512
f2414635dfd873728472154b9085a2c0de53630394ee30f8bd797e8e07f31de10caaef1f414e68f3ca3efc81c91caeb9e1dfd23717eec0a0404850565dc642d5

Download Submit
C:\Windows\SysWOW64\Jmeede32.exe

Filesize
94KB

MD5
2bc4dd3c319d2638772485f31b2205a8

SHA1
62a5fe4805fb9003520b0df0694e4b221f1e5e75

SHA256
07215d8479e8705e54f9d8374f3ecf3ecde81dd8c77dc3bec7131890de90a4b7

SHA512
54eabebfb4f5261afe057faa878621844aca3c486f71a8655ec28be6327c0dc76338615b89754415f8f435ab046e78d5af41998fac0c3d67d73e8345a9e0fc70

Download Submit
C:\Windows\SysWOW64\Johnamkm.exe

Filesize
94KB

MD5
e63dcd95da802d4f1df2db56cee03594

SHA1
479feb9d06bd17389af437b13a810e4ae216371a

SHA256
22cd58a3cf74764e1b18b954b90a5a3984e0b6258c77a2cbabbd6ed623fe087d

SHA512
f8d67a2262ab8e074195f62b0625ab7b8191eb7d172706f9d39edf331859bdc0c38cdb753d3eaf2091ea9a39043cec388d1c882d3859fbe9d5cd0f06b369cf99

Download Submit
C:\Windows\SysWOW64\Keifdpif.exe

Filesize
94KB

MD5
ac336a592a28e48ec54cfc5c7dc671e3

SHA1
98b40c3f6454d42e6212b84acfd3164e8433505c

SHA256
0bf0bd80141b8ded04fc95e8e20b6bf9bbdb925eb3a6cdac8e8c1158150be433

SHA512
00fc05fb5a88e222303f887961e875c92bac836c88cc1ad1732b5157a577446aba66fc352db0fd5e36502b79a3e1c1787d6a1a99172a6dacfb64e112ea6397df

Download Submit
C:\Windows\SysWOW64\Kgiiiidd.exe

Filesize
94KB

MD5
55dc01709451a2e0edcb11f01d5a7905

SHA1
ab2b09368a92994df331755f11241073cd4c8ee7

SHA256
041d7b67cd1b8d601188c51996fa9c5ce5f076ff49b5ba297a5a6c4dc6783419

SHA512
4d1379c5717c1f472c788dae1e3ac4583816639b58f9195674bff554bcf549d18a2b6ea454a812a33f98902d1b4155fe5d9e27bbc6d40817989cd914e9289d8b

Download Submit
C:\Windows\SysWOW64\Mcpcdg32.exe

Filesize
64KB

MD5
d21a6ca184f9583d61dd715d365b0b95

SHA1
51522088e02dc92d1e06056786d7b45118f4c6df

SHA256
f15b710b32a086a02926acb36dcc932005dde8d944cac33f3a98a3bad138d542

SHA512
22ef0568658d0f3150e9151f2d9ea0a1e87ff66c11e7136dab3da89dc75e0f12525bbd2b3719ee50cbc906bee39de0508f6d40ba28ae097b3d3a5a443a5f0d41

Download Submit
C:\Windows\SysWOW64\Mnjqmpgg.exe

Filesize
94KB

MD5
30e367f5b18eb95e2eb92786a5517061

SHA1
ffc31d66d3841904a81131667e20013e623af87e

SHA256
40cd4794a0f73a4ec67c9a062fc62fe46cbac14feb2251ffbca995e717c999a1

SHA512
1913fb716864cc3192f506ba0f73e7312f17a41071f59f376be4b1f8c34313fa21a4ac8e10715154e40cabedd097d6e3df26c3f346f6abda087ac54a98133d30

Download Submit
C:\Windows\SysWOW64\Mpclce32.exe

Filesize
94KB

MD5
bce68909d8e66a9a879cd800dad90d21

SHA1
3682c7ce7992c3eeb29f9a3f5404b96d6976d450

SHA256
7f476676c44b7c9eb0a56f157fc4f09c1b559187e751795a3e1664d10769106e

SHA512
c9851d759309580d019c45629843d27e4b88893cf74d1a253cf3e47949ea0528fe05929eed4dcce47561d7abe1cdcd98dd43dfebf5bb45bab70619f6aee12375

Download Submit
C:\Windows\SysWOW64\Nblolm32.exe

Filesize
94KB

MD5
5f8950e55f1f062189d8a52489c8c7f1

SHA1
b129ddab6c98671355b1e99a104e12be63bfa5eb

SHA256
57b1fc48e0b3daad05bcf9d59b34629fc550777f64483e47dbb2ae85b5095773

SHA512
d69dbcc344f20d675607fa52b772a12d2086f1e32699a648e09028c8280cb1c425aecda36894ef889a39d5807c8ce14dd2596a9203003949885829e1ba3a14f3

Download Submit
C:\Windows\SysWOW64\Nflkbanj.exe

Filesize
94KB

MD5
122e3004adffa1a5f22747b90844aebe

SHA1
ff92425b166bf4edd86687c2cf0b99d94659c11c

SHA256
c49e4da23fb925e0791122fe4e4e4e79be559d0d54365e904ea283406270ef11

SHA512
c2dcbfd4cff3b2ab240baaa97df94dae24a5714a7734a2b72728051bbac102d5fa1e1f05e862d96c2e6e1c82fea419ab03e8d19f404b69f9382bb4ed628598db

Download Submit
C:\Windows\SysWOW64\Njjmni32.exe

Filesize
94KB

MD5
e09d85efdf3b71505ead765d58a7b15e

SHA1
0c4af10caefdf332f9c29605265dbdc60ff67f7a

SHA256
baf9c627a87e1b2e154622525c9cf557ad0216bc578b43cccc212df6808d7137

SHA512
d561405517f24ed4d4fc5b3030270ff9b1d250c32178840b53b7758a4e81a6a287f122ce31ec2c0d404f8dcc09e8eec6f84d68cc73103ff7d0fddd8e45d43f35

Download Submit
C:\Windows\SysWOW64\Oiccje32.exe

Filesize
94KB

MD5
e1af0d2669a689b583d36f936e55c341

SHA1
770b3224fe5914288c7163c76c270dade8bab1bb

SHA256
475d6b9318f4c1483c3903b2ceb306de8283c3a8956f41774cb0dd02e040ab90

SHA512
99c328ad7e1e9ac473cf478a0fd230e59448898e457565aeb8433950f1bfec136634274127586036007015a74ebde27c9eaff294c4d6691eac05e59b4ef0fa61

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
94KB

MD5
8513da1a25fb43c347716a29c63c2f7c

SHA1
77fa607f3c8dadea5ade80fd6bfcae3232506a67

SHA256
82b5b8d20f8658fb2e94032fc1475de869203ffa01db3532ec95504fb67cd679

SHA512
f5a89a184d6c19b46923c5f75331cb2e6280b272149d143d58e3a3e5d8f719faeccf9ad6f1de2f9163618cc6cfa3d8d86e52b57e30f933b4af380b2dec2f3fa8

Download Submit
C:\Windows\SysWOW64\Oqmhqapg.exe

Filesize
94KB

MD5
c48cb0d900c5a6d20fd162cd69a929bb

SHA1
8bcfdd9157fe87f2d5f25d948afe5197289717d0

SHA256
6cd9190df2a36acf2a426d2fcfbebca7fae2080e3ae837ba46cb9b60fbb535b1

SHA512
4a85754534d2f0fed130767e70e17d136d7cbf9abf10a1f04d4141fa09c59d2a14b7930f6c6da67f54d85bf21c75c3d9f39fe772c32f48fd7cca6a52603b9e2e

Download Submit
C:\Windows\SysWOW64\Pdhbmh32.exe

Filesize
94KB

MD5
33729799fbdbd959b17a781807dfefea

SHA1
d61c0a03a5099b969a2a40f20c23e6ad65100b26

SHA256
f2d8a5e714234a41be64aecba53686867f7582147aa3c4748309da8d370da228

SHA512
2e20afead57688fc1e49e54c5ee5e6ca0d925780360f1c2c66056d19b26ac19fdec84cc84148766082148d58357a693c8cfcc59bc03bbdecce3708b311e4d4bc

Download Submit
C:\Windows\SysWOW64\Pfojdh32.exe

Filesize
94KB

MD5
3f9ba928a4b891f31f7066cbc910e98d

SHA1
1708bd2e20564b5240f4f20718d349aa5260783c

SHA256
1918e731030dfc3da95312f36d0810e207ced239f3d36a48cd7dbbe36a99ceba

SHA512
7c34bdb0dd796441715e4790671c3ba1aec9355f7837457aa8b401a3cd72dc413e14b49f07ed7b0ac9e1c78f9c5eec1758e8c461df7e834e60159b1e0b319e4c

Download Submit
C:\Windows\SysWOW64\Phfjcf32.exe

Filesize
94KB

MD5
f973a9355c299ba58ed4011bf645d41c

SHA1
fbff792642ae935388a7d5c4a32d358acff19c73

SHA256
d1baac54149d37beb15c982b769cd7d2270bf073ab77663e658c9ef8fa390780

SHA512
3821f8f533514873e1557a76267fbc9e747b749ee5ac8f3e690528b819bcdfedfa4905286c527262bc864a933171cb2fa669175b212776b8d9312131363b7f52

Download Submit
C:\Windows\SysWOW64\Phigif32.exe

Filesize
94KB

MD5
236e677925dc5e964e49e448a0c6b01c

SHA1
24cda35b5eea8a818c921847829fe06f48a06464

SHA256
ac55150b2ccaf6b47d7c41061434a380db5c3c6323f14d2293a9fdd7e4717b93

SHA512
30397453bfd73633fc4e6a3365c77947d664f0de0bdb15276ca95859c8643fb63c2f2e12ca40d6d592586a66d4753ca2b5ba06a2a5d75f8f8b59bead723c3e74

Download Submit
C:\Windows\SysWOW64\Pknqoc32.exe

Filesize
94KB

MD5
60e52774f96885def2f8ae5e1d223ca0

SHA1
1e1286d59eaaa0361f130cab9ce33118ca1ad5a9

SHA256
9e0c1e820beb749bf42cf27b92cdc48195e56628bf144a5c66e3b44eb66ea276

SHA512
3cc432e6afaf6a7a13212f4eac82b20ab4ec7183f81940071cce224e08a2355715048839461565e64eb3a791f1dccb4bbb10ad8afb0c8ad54f0227343c821d1d

Download Submit
C:\Windows\SysWOW64\Pmmlla32.exe

Filesize
94KB

MD5
d3151220439f8b8aa6b3a9cbd103666c

SHA1
9b69b0184166760f3c7967e39f79bfe79038bcec

SHA256
bff885210395657df2827f37fcff86b6bbecb6c0736191815ad0df1d3bbbcc92

SHA512
d88455c0cd7a66529158a4e03994ac101254c2c0318f9057be9f4f447c49d54d02ab463cef11b453c23b3bbc64fa5400652aa7058ee91bcbf2b4bbd5c30b9391

Download Submit
memory/32-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/32-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/224-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/224-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/368-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/368-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/496-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/496-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/556-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/556-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/916-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/916-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/940-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/940-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1352-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1352-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1412-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1412-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1436-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1436-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1472-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1472-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1568-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1568-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1640-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1700-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1700-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1732-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1732-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1828-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1828-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2004-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2172-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2172-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2416-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2416-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2600-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2600-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2760-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-349-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3156-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3156-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3280-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3280-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3456-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3508-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3508-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3616-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3716-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3716-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3888-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3888-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3996-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3996-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4028-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4028-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4392-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4392-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4532-190-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4532-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4560-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4572-343-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4572-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4580-392-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4684-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4684-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4688-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4912-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5112-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5112-391-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5116-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5116-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads