018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe
Size

96KB
MD5

438201ebbb94256a3be566e18dec4a10
SHA1

cb435163632db4c3c494185cee05eb0c91e1aba2
SHA256

018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973
SHA512

cab674b7c2e71a8d85d5e2fbf6cba1fc719c80743850127387d483da5d75dc0b73797096d86834cac1c01e885e62ccf400c101305dd6cc489555daf02ace8c43
SSDEEP

1536:faK6UddXXuH9eQZfYhfxCKP6y4O7zCRrmYduV9jojTIvjrH:f16UddXXW9HAhfxZPqRKYd69jc0vf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeklag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icplcpgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikpaldog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ippggbck.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibnccmbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcefno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeklag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe

Executes dropped EXE 64 IoCs

pid	Process
448	Iefioj32.exe
4988	Ikpaldog.exe
2680	Ipknlb32.exe
3632	Iehfdi32.exe
1164	Imoneg32.exe
1912	Iblfnn32.exe
1176	Iejcji32.exe
3472	Ippggbck.exe
1332	Ibnccmbo.exe
2848	Iihkpg32.exe
3824	Ilghlc32.exe
4256	Icnpmp32.exe
2032	Ifllil32.exe
4116	Imfdff32.exe
4656	Icplcpgo.exe
8	Jimekgff.exe
2668	Jmhale32.exe
228	Jcbihpel.exe
4268	Jioaqfcc.exe
4204	Jlnnmb32.exe
3996	Jcefno32.exe
3752	Jefbfgig.exe
2084	Jlpkba32.exe
4584	Jbjcolha.exe
2756	Jehokgge.exe
3768	Jpnchp32.exe
2516	Jcioiood.exe
2228	Jeklag32.exe
3980	Jlednamo.exe
1784	Jcllonma.exe
1368	Kemhff32.exe
3040	Klgqcqkl.exe
3204	Kdnidn32.exe
3048	Kfmepi32.exe
2380	Kikame32.exe
3348	Klimip32.exe
5072	Kebbafoj.exe
3060	Kmijbcpl.exe
2572	Kdcbom32.exe
3536	Kfankifm.exe
3336	Kmkfhc32.exe
876	Kpjcdn32.exe
2448	Kbhoqj32.exe
4008	Kefkme32.exe
640	Kmncnb32.exe
1808	Kplpjn32.exe
4808	Lffhfh32.exe
548	Lmppcbjd.exe
3628	Lpnlpnih.exe
1256	Lbmhlihl.exe
1316	Lfhdlh32.exe
3724	Lmbmibhb.exe
1556	Ldleel32.exe
4888	Lfkaag32.exe
852	Liimncmf.exe
4416	Lmdina32.exe
5028	Lbabgh32.exe
3808	Lgmngglp.exe
3304	Lljfpnjg.exe
3020	Lbdolh32.exe
2592	Lebkhc32.exe
2244	Lmiciaaj.exe
3196	Mdckfk32.exe
1628	Mgagbf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgddhf32.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Imfdff32.exe	Ifllil32.exe
File created	C:\Windows\SysWOW64\Bjjplc32.dll	Jcllonma.exe
File created	C:\Windows\SysWOW64\Efhaoapj.dll	Lmbmibhb.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Lbdolh32.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Ihoofe32.dll	Iihkpg32.exe
File created	C:\Windows\SysWOW64\Jcbihpel.exe	Jmhale32.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Jbjcolha.exe	Jlpkba32.exe
File opened for modification	C:\Windows\SysWOW64\Jlednamo.exe	Jeklag32.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Kdcbom32.exe	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Lbabgh32.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Iefioj32.exe	018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Kbceejpf.exe
File opened for modification	C:\Windows\SysWOW64\Kpjcdn32.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Kemhff32.exe	Jcllonma.exe
File created	C:\Windows\SysWOW64\Ljodkeij.dll	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Lmdina32.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kikame32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Jcbihpel.exe	Jmhale32.exe
File created	C:\Windows\SysWOW64\Jcioiood.exe	Jpnchp32.exe
File created	C:\Windows\SysWOW64\Ihlnnp32.dll	Jlednamo.exe
File opened for modification	C:\Windows\SysWOW64\Lbmhlihl.exe	Lpnlpnih.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6708	6628	WerFault.exe	268

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifllil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcioiood.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjecajf.dll"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njohbh32.dll"	Ipknlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcioiood.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilghlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnkjc32.dll"	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glccbn32.dll"	Iehfdi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iblfnn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 448	776	018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe	81
PID 776 wrote to memory of 448	776	018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe	81
PID 776 wrote to memory of 448	776	018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe	81
PID 448 wrote to memory of 4988	448	Iefioj32.exe	82
PID 448 wrote to memory of 4988	448	Iefioj32.exe	82
PID 448 wrote to memory of 4988	448	Iefioj32.exe	82
PID 4988 wrote to memory of 2680	4988	Ikpaldog.exe	83
PID 4988 wrote to memory of 2680	4988	Ikpaldog.exe	83
PID 4988 wrote to memory of 2680	4988	Ikpaldog.exe	83
PID 2680 wrote to memory of 3632	2680	Ipknlb32.exe	84
PID 2680 wrote to memory of 3632	2680	Ipknlb32.exe	84
PID 2680 wrote to memory of 3632	2680	Ipknlb32.exe	84
PID 3632 wrote to memory of 1164	3632	Iehfdi32.exe	85
PID 3632 wrote to memory of 1164	3632	Iehfdi32.exe	85
PID 3632 wrote to memory of 1164	3632	Iehfdi32.exe	85
PID 1164 wrote to memory of 1912	1164	Imoneg32.exe	87
PID 1164 wrote to memory of 1912	1164	Imoneg32.exe	87
PID 1164 wrote to memory of 1912	1164	Imoneg32.exe	87
PID 1912 wrote to memory of 1176	1912	Iblfnn32.exe	88
PID 1912 wrote to memory of 1176	1912	Iblfnn32.exe	88
PID 1912 wrote to memory of 1176	1912	Iblfnn32.exe	88
PID 1176 wrote to memory of 3472	1176	Iejcji32.exe	89
PID 1176 wrote to memory of 3472	1176	Iejcji32.exe	89
PID 1176 wrote to memory of 3472	1176	Iejcji32.exe	89
PID 3472 wrote to memory of 1332	3472	Ippggbck.exe	91
PID 3472 wrote to memory of 1332	3472	Ippggbck.exe	91
PID 3472 wrote to memory of 1332	3472	Ippggbck.exe	91
PID 1332 wrote to memory of 2848	1332	Ibnccmbo.exe	92
PID 1332 wrote to memory of 2848	1332	Ibnccmbo.exe	92
PID 1332 wrote to memory of 2848	1332	Ibnccmbo.exe	92
PID 2848 wrote to memory of 3824	2848	Iihkpg32.exe	93
PID 2848 wrote to memory of 3824	2848	Iihkpg32.exe	93
PID 2848 wrote to memory of 3824	2848	Iihkpg32.exe	93
PID 3824 wrote to memory of 4256	3824	Ilghlc32.exe	94
PID 3824 wrote to memory of 4256	3824	Ilghlc32.exe	94
PID 3824 wrote to memory of 4256	3824	Ilghlc32.exe	94
PID 4256 wrote to memory of 2032	4256	Icnpmp32.exe	95
PID 4256 wrote to memory of 2032	4256	Icnpmp32.exe	95
PID 4256 wrote to memory of 2032	4256	Icnpmp32.exe	95
PID 2032 wrote to memory of 4116	2032	Ifllil32.exe	96
PID 2032 wrote to memory of 4116	2032	Ifllil32.exe	96
PID 2032 wrote to memory of 4116	2032	Ifllil32.exe	96
PID 4116 wrote to memory of 4656	4116	Imfdff32.exe	97
PID 4116 wrote to memory of 4656	4116	Imfdff32.exe	97
PID 4116 wrote to memory of 4656	4116	Imfdff32.exe	97
PID 4656 wrote to memory of 8	4656	Icplcpgo.exe	99
PID 4656 wrote to memory of 8	4656	Icplcpgo.exe	99
PID 4656 wrote to memory of 8	4656	Icplcpgo.exe	99
PID 8 wrote to memory of 2668	8	Jimekgff.exe	100
PID 8 wrote to memory of 2668	8	Jimekgff.exe	100
PID 8 wrote to memory of 2668	8	Jimekgff.exe	100
PID 2668 wrote to memory of 228	2668	Jmhale32.exe	101
PID 2668 wrote to memory of 228	2668	Jmhale32.exe	101
PID 2668 wrote to memory of 228	2668	Jmhale32.exe	101
PID 228 wrote to memory of 4268	228	Jcbihpel.exe	102
PID 228 wrote to memory of 4268	228	Jcbihpel.exe	102
PID 228 wrote to memory of 4268	228	Jcbihpel.exe	102
PID 4268 wrote to memory of 4204	4268	Jioaqfcc.exe	103
PID 4268 wrote to memory of 4204	4268	Jioaqfcc.exe	103
PID 4268 wrote to memory of 4204	4268	Jioaqfcc.exe	103
PID 4204 wrote to memory of 3996	4204	Jlnnmb32.exe	104
PID 4204 wrote to memory of 3996	4204	Jlnnmb32.exe	104
PID 4204 wrote to memory of 3996	4204	Jlnnmb32.exe	104
PID 3996 wrote to memory of 3752	3996	Jcefno32.exe	105

C:\Users\Admin\AppData\Local\Temp\018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\018622e4f1d0db890d1a296324aea8cba3a80b4733af00399c8791eb433ca973_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\SysWOW64\Iefioj32.exe
  C:\Windows\system32\Iefioj32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\SysWOW64\Ikpaldog.exe
    C:\Windows\system32\Ikpaldog.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\Ipknlb32.exe
      C:\Windows\system32\Ipknlb32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
      - C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        25⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        32⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        34⤵
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        37⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        38⤵
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        42⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        44⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        50⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        53⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        60⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        64⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        67⤵
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        69⤵
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        70⤵
        
        PID:896
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        71⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        72⤵
        Drops file in System32 directory
        
        PID:244
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        73⤵
        
        PID:728
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5004
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        75⤵
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        77⤵
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        78⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        81⤵
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        82⤵
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        83⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3840
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        86⤵
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1620
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        88⤵
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        89⤵
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        91⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        92⤵
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        93⤵
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        95⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        96⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        97⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4140
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3128
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        100⤵
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        101⤵
        
        PID:788
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        102⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        103⤵
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        105⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        106⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        107⤵
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        108⤵
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1084
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        111⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        112⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        115⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        116⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        117⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        118⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        120⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        123⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        125⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        126⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        128⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        129⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        130⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        131⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        133⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        134⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        135⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        136⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        137⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        139⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        140⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        142⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        146⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        147⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        150⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        151⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3144
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        153⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        154⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        155⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        156⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        158⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        159⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        160⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2700
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        163⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        164⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        165⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        167⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        168⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        169⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        171⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        174⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        175⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        177⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        178⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        179⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        181⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        182⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        185⤵
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        186⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6628 -s 408
        187⤵
        Program crash
        
        PID:6708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6628 -ip 6628
1⤵
PID:6684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afmhck32.exe

Filesize
96KB

MD5
d3804a4bf62bdf70fffca3a541bc7e20

SHA1
08c89d0e1438bffc6cbf58dcf92b75ac23b7b6ac

SHA256
41b30ecf2b4af86a64d3709f28c399e54940d5f6da43526e0a23cddcffd82261

SHA512
055f7ea90d7e82c85357d2c69771ec1e438b828ab8f596e4666a5c2e4a4919fc6bc025d441dedf7598b2991beab9f77b2931a36c047db2fcecc3900390ec7e9b

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
96KB

MD5
bec2032e2b1f98aaf2ecae8f15674b1f

SHA1
25320c756dd65e0120d51a8521c0d7e941babf58

SHA256
19c0143a51b5b7337469bf756bb969c8fdb641170f13bd8304b4743646478a6c

SHA512
460957bb477e33e885210d5dff5c826d82ebb546a3c369d87c633d8ebc3a128be127bb83b67868543eae6d0141d49a1e425e5e5e7fc3628be090febe02817a5a

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
96KB

MD5
130cd4991fb8778805ea200caa8ea248

SHA1
b78ca81d1a769f157f0c50907e34fa7081764d27

SHA256
5ae937c80d823a994d052e1e4584a706c6b6f3885430bbbd9e0fdfc16eb1d856

SHA512
47dbbb85d4439a26e1e968563572fe7fb1bf539897cdd23c1992e56532df42d80455ea15c71422b5cf713d3049ef74ce6d6bd8b33c1bfe78a9b90add430f971a

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
bd002d42657380cefe33c1574001a587

SHA1
0f7ef4336d4ca53f11d448ecca2da576f125085a

SHA256
a0a3312e97f6a22c73506a1b48f222f1b8f97717c8d73bdc582541abae88532f

SHA512
c2625d6ed59e6d1d516f16e49044f009961a10685c2c7f36aa2e2708539e5922dd3018ed84727a79debe9f068094863b2d2cd58d002e5485edf845ab4088ec82

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
96KB

MD5
442b57484686ce07d5cf83942ba4530f

SHA1
f873ffcbeb900a2153d4924b658e6dd33ea7a583

SHA256
73bd30f5c49bc1b36392dcde0908ecce862d53f88a5b673cccca82e66b19e61f

SHA512
d114071f285e5a16241c4640c06e2df7cf39d0a5ec2076f2dfc9669e61ed1d4f6dc5f7384d6a54ba8ba33c4513661256064a70a2b13f7bdbc774cc3918c089db

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
99df93a5f1144e584309f97f7655c078

SHA1
d919e6b37068472757899e50f3dae13ff874014d

SHA256
fb405a11d939601fa37feae88fe0bc99ad7e716cd1e9fd5344ce4a4399fdf309

SHA512
7c346cfbf240c7e6f6c6031afa6712102f6830e967479ef3a37f2a911ea11dc5153df041fc28063c5448a483149b9c6348751244db515bf31b938cebb6162ae5

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
7dedcd3418bbaba9b8b481e4966fb8a9

SHA1
17cdbcb85b13033b4ced168d1be11cfba9a3c446

SHA256
cd406052fdb584917c3fc0847711696ce84c53c94323e4e6e7d29fb6a69eae14

SHA512
531a7d8a1fbf5e8063fa350a86462e9efb39896109439b251e36714f0a3b1fcef169b79e106352780f0d7088427a99c7520f384313d52b2f5a6e9f3dc078ee67

Download Submit
C:\Windows\SysWOW64\Glccbn32.dll

Filesize
7KB

MD5
717810e61e348be54e058554331e8e50

SHA1
f8a8d8f54288b483e1405632bf2cc73b9ac4eb4d

SHA256
8bd7776262e08aab6da993da63f1451a95eda4368c22626685f62082c83d2e5e

SHA512
43573ce14e55db5a378d1815256401d36d5185f1e37c386837b9cb83969702660540c7596d0716e4427e6ee2b731a457a5b83ebdbf91b6db1022d74a75ba565e

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
96KB

MD5
ff58d0059ede082bfe62923164eeefc7

SHA1
7df19b3fb1a52932f0b229fc950184b72270fa6e

SHA256
c4be66060eea6cc1381c06a37e57338c3dc143856db5127d8b7a4d477eb5b1c8

SHA512
ce8dfa858d7dd0eed65dfc8ab3eb0132c264bdde6a6e532d2674fddf91b0445ab94da205862fc620b4533a60423c881c8a9fb43cbaf57b6e545d14a9ae540276

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
96KB

MD5
109373a7c641fe9541f13d38ca754101

SHA1
6b4de78568f15d8d377569eb4596295293ca5aeb

SHA256
229c2650011ec48fbe083884b47f6996c5b87e5f0627761b5bdac2e5ba1ccc37

SHA512
ba534cc849381cc1f7cdf36b01a899531cf91f08f5968e0bd17542b6cf1530c5a817c62a89957d4f6fcfc0601f20c74206a966279b2ac888f58df5409ddfd22f

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
96KB

MD5
92b2e5876fd2cbbd00af6ff0cae0f2ae

SHA1
48b9e352f037b8fa56ab7f90f6eedebfbfa7d740

SHA256
6a02696a4a9f9417553077ca07f82c73ae4da1b02be3dd4a6b3a12afe1090cc1

SHA512
44ba0159c7978848b5f48eab9598fc696d2a834377297c87000c1907383c96b0b0e948ac0a21120ec2cde91d6a17911b7a6dd75af047ff203cc74326f4eee690

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
96KB

MD5
f2958612317c01b89ec598b8d58a3958

SHA1
0100371642e2f252d724882b3e8b60e8ba467dec

SHA256
54b595350cbf85507663cd7987ab290f42e7e5e459be1c74d27ef98c2aeb1fdd

SHA512
45632ef960bc5d9d4b627d2f9b176518e2d3e4bb5023c159b9bb4d1d9bdd7f3ffe4eff285e819bf4dcb378a762edf29893feb7876658d7e27f3da8d613f46fa0

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
96KB

MD5
4bf18186c4aa3914f1431cabc264b598

SHA1
89554d94f3bf05c29a5e5fc2ba5bb7b499a43ad1

SHA256
591a98259847e3bad35412cf394b52224a952fc60bec75a6150efd380590e924

SHA512
065b37c4a2e81d50569f628f71397437ee2309b35e5d0ba9940035773ae658528edfb7b0f90417c2e04c3317444257dfc71f75cf98ff03d6eb3be2831d64992d

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
96KB

MD5
bf339b251f4bcf4add76352d621b8710

SHA1
7e1adc27a1c1ff2b3cb6b440b9a3a608fe773477

SHA256
b0a26a3c25389449631eb79fca30ddd113201dbc40b874c66b5aae5475c48d52

SHA512
8207381457ac2fd52d664089b0e796cedc09a436a732978bd1b42ebc010ef96bea8f013752681be3bb7780524772d5f8ab9d34766c3932b844e616abfa651bb9

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
96KB

MD5
9545afbcf6cb4c039f0e2e3a5671c60c

SHA1
f42f0a17f096b51b7a9f50aaeb381ec97dd10d5d

SHA256
3876d4dfd024a8348ae83fb47f37f7a2de9145b3c5948c4d21727c9aea59e4b3

SHA512
b1385dda6478e55756f6378e70ed4ef13832183136c8c9d4c1646cd25d471edb6b08a87e2035d3fb1c4185674ca81e2d0ffa13dc733f45bd6a6d797c36722984

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
96KB

MD5
192f424b6aca18d4a084446fbebd5791

SHA1
58abd08a36fcd485ff368796fa6f240af2574d89

SHA256
2ddd9682e04dd366d669b864555f7500cd9239d614e6c0a917fdc284fedd5595

SHA512
38d0e00c9a40b0d3a1cd51cf914b544d206354c40c3c739a200e48b220c9070ea971c4bdeee9bc2a5e13ed547a9d5830bf2b26193feafc5d8700d781209287ab

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
96KB

MD5
3c43cd6ab445b5fbac797852c9ca72ad

SHA1
d5e2ecd4696fd609ee1f299b34e5ebdb6f9521bd

SHA256
bd840861b191cac1754baabcf3dcdfae06452a2d7e5106187cfb4004244a1a0e

SHA512
1e22e872fe73ea18d6eee3d5f031d3c445507db8884b43717295c305a24546839ac3a9d405ca02e8620ebbfefe0008d96848c56210f6ee3f0877ee7c1ecbde49

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
96KB

MD5
8a50e234272f7b13a720593bf3839204

SHA1
9164616ca2bacd56440196ee6b85bb863de73cec

SHA256
a302149559d66ca4f132989086cef7c489cde80df56f46d5a6467cff85381082

SHA512
549d539c390afe4cc05e3e6d59d6b2e67df14cbfaf7003f92be59b729f542bde481e551e1f73b89c6da0785f168d48a81dfa6da8add1f33bc58233be97fa41bb

Download Submit
C:\Windows\SysWOW64\Ilghlc32.exe

Filesize
96KB

MD5
2bd67cb51b5cada14551e8b06b4be9bc

SHA1
b4fd62dba65a401c6507355bcf6454b90a339301

SHA256
6bdb5ff7b586fdfc5ca37f43f9d02a5d45517526eb19f52b993f1208f9108658

SHA512
a400ef2a0b5468bc31f708dbed6908130bd1b7ab790e3ccdb6a5142f14d370ed9bf2fdef971fcb3ae2ee5bff47d7d343d61fdfefa3a1c4cf1802f10d599061e2

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
96KB

MD5
42ff6397a54e8fca9e7a1c73c4e31248

SHA1
d42248e65941cf3f289a98e3270a22fab27d9e11

SHA256
c220c6b726f4839ed81aeca75134c1c8732ca5cdddee85992b7f4ae1bedbc6ed

SHA512
0ad0c97201058a0bb43c852a28b3e593ea5ba4418b9a251ccab36b90843c2c568aec75faf26659e94f065328d8ca9bce0614a6aad329548c8463ca3455ef50da

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
96KB

MD5
a2ae35154c061c50ccea37e48067d7ee

SHA1
58d11cdf377a97f2218f38fe78edc3918dbed9a9

SHA256
c8ccd1e08ff0c831d7531b1e56768f9160069a92f3541c6479e53345cdfb142b

SHA512
75fe708cb95a955b4feb0ec4a5bfcc4ba0567709efdc15957eaf39fffe7f82deb43223eebdc509f739749b01fd09e57e0f417b4c7f4b267826f60de682a956a1

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
96KB

MD5
84bdfe78869c9f4e9081b4b68394de6c

SHA1
3f01d279737344a7bb4435d2bb81fb45f7779170

SHA256
5ef05603071de64d357b6c4543ffb86b800775d4473711a35a04609c2be3abb4

SHA512
9d21021cd05cf42a9bff98e9035eb79082089d076dd00105c20010657ac88da374663cbd5c5c323c13bac185ce84ee8635b957715555b7db9ac3fff87898ebff

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
96KB

MD5
7878451aa06eb3e09b5391cd2e37b248

SHA1
fc5176086d47314ebcdd1956146ecbee4c42f469

SHA256
cf842f293d8a113fbd19d64f9003f41a8e960ddb177a5ba7451ff2549af9db81

SHA512
6168e236b76b6dc0fb48538ec2618a641407c29f2cbce95ae1157c0b5aebd4afcead0e29db9f16c7d2906d34b4fcbae7247daaae2246ecec4ed9b816f1f26501

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
96KB

MD5
f81f4f1210b9f25867f684f3f873e472

SHA1
660dedf5307133ab3201023a389378cfd66222d6

SHA256
ffcab02fa15a69df38414bcc0798a3c7d4812cb6b4794f6bdac7593b93e7d85a

SHA512
3263bb598bb6cb7997f410ec0ba95709d9fbacb782ce786b19920e84816010886535b741a0fbb10154b1ab7de59409b84e92414a4317f8e5740133621e842564

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
96KB

MD5
a4d209d67285ce63f982d4c66199db9c

SHA1
9a10146dd9e3b70826b1d598b9b8c855b303aacd

SHA256
d8ebfce24da084b777c69a6962d0508cb5566bf54900eae3539dd7aae71ba645

SHA512
0c5bcfc50e22756d51b3fc84f03890039e6971a6e3dadf9fb8898bea00b12c45683aa6e788c17d8c598154105419d0dc3f986207a506047d165d44af2d650b4a

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
96KB

MD5
3635bc25bb2543e183489ab387d37253

SHA1
43166242ae157cba86b34c2250beca5f6ef8c27b

SHA256
6d31f6bc0ba84484376bc2be6835ffcf2f6874eeb7e7c0f5491488f702e9e434

SHA512
9284aa2e07f9cf87e4c3277edbe36c965261ba93c46581da461b911f55ee129e59827ec07a70ef2bb7e348ab7641ec1f0a2ad17fbab5d4494eeb7abe83ba25f1

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
96KB

MD5
682c713e35a6c3200c8d5de111760619

SHA1
54ab7ead8261845c8d0a19b218a338833f78a63a

SHA256
cf820d97ad9f095e07af7c981718d19624fc04cf36cd4938f707a4f045b6e134

SHA512
2121ad8715e6aacb2b082870b35689aae71a4fb83720fd3478101da066e324e90f277557463084243fbd927de17c851ebc084f2185f2a9ae70776bc7c544ebcf

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
96KB

MD5
f2069b1b193635e359246f7845cf5a9d

SHA1
4be8ff575f75b2c84adea44bbe3c152780de0b1f

SHA256
ae61d42b061a6877e211d3ae4580013fddbef43746e4d0a45ae393b84fd99b26

SHA512
58ac210c45e6cbbcb4392b4d4b519ee0931c6075a6eaf7a500e64a3175b50a92e832b5de0f8d48112f971db94f5ecdd9fb9ff03c80001f4cdb93448c73dea276

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
96KB

MD5
d4f79d6e27470c444ff183e61c040960

SHA1
71671d407b56ba6f06d257784872e869151674d1

SHA256
c93c4a8108af6fd00d7d54d5be968ee046db6417ee5578aef6a8e680f5e7d972

SHA512
2edecaebc1b1f81f8c43ffaca2b0b065c60b75bbc5a82c02540f06db66f68c93b49de059e3b5ceb1077fe4dfb7a7379dd3a177085c496f4dbc3c41091eacaa41

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
96KB

MD5
c3b4e8c59c6b3162be53a04e9481cf60

SHA1
f5cc4e631e0e330d20e0d60733e8df76aa56a208

SHA256
198fac8e766a911001c9db67a8d4c49b782386abe5a5d563acb30e805d2b1376

SHA512
6dfac83e362eff39803b2bf61880a24fd75c800c42662ccb78c82c38326c1cec29a970e3b1e54594719c91c1de505d048f57db37c3ce40a917c33386e47e6bb8

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
96KB

MD5
541a5a1c52ef8f9190707ce4d6fe3a72

SHA1
14daf317be1149aa1b5fd9e3e6619dbd80c242a7

SHA256
fc8a06f404260707110297b2473c0d2843f64ed3bac5a81d3d1db1fe84324280

SHA512
2315047212befb3577152e8fcdfcb81a54e6c778040ca07a3204c11abdffbf2762c50fea6410f5c90a203a1387064f0e26a9948eb8f826b21efa435af195a626

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
96KB

MD5
2057f59537e333b7a9f2b39b13ccb4ee

SHA1
8c490839af522627cb669f1ecebaf1afbfa4d936

SHA256
99b37b81f17a8690f64d69a2c07ebba4d59d64a4ad42891d456fad2c621e43ce

SHA512
0eeb0ea4e1045e841992ac24637e110599dad2dd4bdd778dc7c8696e081d0f9746902b2e7bdefc46955d69dca98e7346e58699715b567222ed73a46681523ec3

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
96KB

MD5
13c45502d61de11c1a4efec5e0827e0c

SHA1
3cf7ae3cd44d4ec45e04ab70f6384474c3e7d2f8

SHA256
4be4057f98fd2a4893747911adf34537b66631868f64deaf4e2864c727a05a77

SHA512
e93d31b7dc8701d0fd74cac0aae7433b265d0c352cd2db9dfe7262fd2c5e7f2d845584943dc735c2edc7737a2307076d0e80b1ac8e463754f742b907dfdff97c

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
96KB

MD5
a1ab339a9a9cce4335961e12d3a8f13c

SHA1
0509b5cad5ac565e6bff1dace12599b7e858260d

SHA256
a0dd3689e9bda54aa1d0dcd72ec2870a9c8e3ddc2bb96def08391682e45bdf04

SHA512
27320a4fa8235e0b4ab34bd1ecfb86e3876f65030c8f16422b690390b7c30886abc77e8d93d298144eeab34b00a8624dc1057642f1140bfa8ae4cf010e569cbd

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
96KB

MD5
cc36959d2faaf2bcbfe780e7172ca312

SHA1
6a6d45dcf5600cb290ec35eafc2c15dbc750a49e

SHA256
adc1e05a2fc46251d116e1f1d2dafd9adc7fe3bf9e3cf8af55d5bc3243792ae3

SHA512
e4fecb6e29f2ae18d94886ad082dc7faeee2257ab96571f463e2f26e83d5f8e649c575e2a69cb71a3aa4f1f2b24b4f1f049116057e84583ccd52b34b7b224eaa

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
96KB

MD5
75c12e25e2219c8800eb70b195a7d42c

SHA1
edc60336e88703fc4a0411aeb7cf2cb350a4eb40

SHA256
7b7a16bd3b0d94831b1531fea515510004d0585d122d0450beb455a686909626

SHA512
3a51ffec85204581d69f2f42320fa3886a4aac113901a4848b621b9941c68d8488986ba105f96d1f1639e8d7b38b2bdac0cc5bc7505257d36e17f27784cdd2de

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
96KB

MD5
af6555c2ac956551438d5af7ad759cdf

SHA1
cfd07a8698bcfa14a31c19ab9aa85a1341b8211d

SHA256
db2c1e156c3e6e8f5af3762f54bf316e80e5fc3655c6bb56cdfcaf4a8a8ac758

SHA512
dd03b64786128c9bbcb5b5265ef3b7c0d617593047c236181c9e8c0c8c43a9902bf558350fdf4aa38d1296e593f856e20c8aa383744192f54d93e618b438d217

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
96KB

MD5
adec07993f96910c2a03f5459f764a50

SHA1
cafc17d6485f431b5c8c2277954fe5b4a58c309d

SHA256
3379e285e5f163b410baea4f48b871c8c39874143d5db9f9c4c442c44d133b97

SHA512
8df49e33493dec2bad971178fae001721244d7570081a6684fe70642c1a31b4d94abf0c2a921a06d63aef12e54d00a96ebc2221fb590ef779c7cec6397b4fc6e

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
96KB

MD5
3f272204b66e505746c78e2d3e2aacde

SHA1
6c2678a25ac975970b09347e5155b6cd30a65a52

SHA256
790ee1ec59d8687820d21540ab1a86b50085309e9e1da77903a5c5124d05889d

SHA512
8576855cc9f1c734e8ca2fc7d8e67167d09fb9fc7dd1fd7bf69e4047af06cc7775597de2e134f1039c041d85f48c407c5ebf6ee40d3a9514ef811970b47add0d

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
96KB

MD5
28454cb89976e5cc5e3e4497822323b4

SHA1
08608b0f43e396150eb29583b5646d6cead21cd2

SHA256
7cf5b0c0abe6bb92cce9f532b0cb36087cadbc7de3bbfbfd1da3297ec0e1d49e

SHA512
87652455ba16b21b9e0fb5cf3c24fa04491a73e1586f252c2bd2bb6264ddc0479b0bd1c83cd80e36359cc017ba4da177b3c50a2f16780262fa73a6c6a78136f0

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
96KB

MD5
dff19caa48f07a14ca284b1eb32ee697

SHA1
1e4c945614bd3f7e73468d9ae90a7747227ea1f3

SHA256
9e4bf2ef4b70c7c1d24f76fb9976ee20896c7022cd7b6333c227342d1ddb25e0

SHA512
fc064dae6eb165f6018f04e2dae2bbbdae06cb2b33cb08e23a3bc36a16574a10fa46696d8ae38da477981b3f82eef8a3b188aca771ee5148590290fd4d907ef2

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
96KB

MD5
5eed9c12cc639730f29e6f70c9d74e39

SHA1
dca65c096f8c13bcedb4b9d6625e3cb6e70b3b07

SHA256
389f9115d6a3dd6de9990b10224b0e32c77e6aff69165a3d55178d61158173e8

SHA512
687f4c12d37652fdfe86fed5a7d2b1616ac91fa92c1125c1ab139c8f535a6ad4b3d3728662b386519c8cdf9e0c5fd9e7258cc407a9e91eba02f2904820ad5b37

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
96KB

MD5
1c9270a2a5fb365e9cae719b681278d6

SHA1
d9da660b59db25abaaad98c76cf79c3b8909df16

SHA256
d5952c7fc468f3eeffe77498eaaf12227a630426d3a09012fd39be7d3eb40883

SHA512
9a763923a6899c73c3a7eff94c7bf2eda1bab769a88ecb39e423ea1ef159f6b113d4cf4dc2bb7542f41c6215e22d88d856fed75fb19d9f444a2eea4aa258ade3

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
96KB

MD5
b92a3af1c3120dec49b5c3df8af4ceb5

SHA1
cbddb7a0c273a26f228cc893416031d345e104ce

SHA256
a835bf733d1e009e89900a9a23f4b580f12e18c63dbe54023438e406d4cd895d

SHA512
0e7dedd95434a2db640c2dedfd94981efec9083cb0a523a92c7dbfc084974d48dcef60684638d87feda99f8801583e96d32dc493b460f0e06f4286cdac16ac63

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
96KB

MD5
cc8c75df70ae82bf02ff02a1bb85be24

SHA1
2fb198e37d225886bb2932f092b74a5050d38358

SHA256
e6f48d9de95728ee54ecef717e908e2f23a0b55b0a2d3abfd31c35cb8ee0bfb5

SHA512
d9787c6ac8726285bd0ed5b1a371017b891370f693de438e9c0da58c775b05c309878a131759407dada0d7d396d9c2341f464136bcc58f622bc7ff674fe5e7f8

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
96KB

MD5
c3480eba837424569fef9cd50d41584c

SHA1
cacfd021c121c39a59cab0ffa4baae429ecb4a1e

SHA256
11df27c18f41aec5ac5e4037a84ec97f0b898926e9163cb0e2a005414d802ee3

SHA512
0817876db74b5ed6d496e399b1d950a8678f5c759b34b24b3a36bd3a30f6105f4d744c135b228d5880b261d3426748cf3f3e98af2fbfab74af23a3b1a3f1c7fb

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
96KB

MD5
2d3748346ada1dbf92c46b7cfdeefb89

SHA1
3cebc62e5a0fea11f24c2aa0d10fd78d0e140756

SHA256
a801c7996452e80549c9c8fbf90d6e1306b56818d359e7c1e3f2bf0534843e3f

SHA512
f90ed054666942b0a72a70586510c3aac92dc08d6237d0e803b1e4cd3633575123bb1e7e97dcfef9354dfe1d084bd896911d9942bbaf6d5696c855697f836b0e

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
96KB

MD5
ec079e680afb5d504ec2c2caa88f9a48

SHA1
d43d6b20dbe66cabeeb77017205c04c25d3d6d2c

SHA256
7cc8ee7049f71638b22301abe3c6329f74eda12a1705327c1a45128e089fec4f

SHA512
54dec92e260164d801e9333d04c51e79dbc7caaee8bac3e3e84cb0b5d7849eb9c91056d70cb4b5dd0b5097ac4e39f4acd4231455f79c68d4090c0b5e3afd64f7

Download Submit
memory/8-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/228-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/244-487-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/448-546-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/448-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/548-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/640-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/728-492-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/776-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/776-539-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/852-399-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/876-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/896-473-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/912-527-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1164-574-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1164-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-588-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1248-593-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1256-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1288-575-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1316-375-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1332-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1368-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1556-387-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1620-582-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1628-449-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1784-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1808-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1912-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1912-581-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2228-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2380-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2448-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2484-483-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2572-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-435-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2680-560-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2680-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2756-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2764-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2848-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2988-540-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3020-429-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3040-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-272-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3060-297-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3084-509-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3196-447-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3204-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-503-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3304-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3336-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3348-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3472-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3536-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3612-467-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3628-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3632-567-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3632-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3724-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3752-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3768-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3808-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3824-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3840-568-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3860-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3980-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3996-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4008-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4048-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4116-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4204-164-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-100-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4268-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4336-459-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4416-401-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4624-521-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4656-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4808-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4856-533-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4888-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4988-553-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4988-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5000-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5004-501-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5028-410-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5052-547-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5068-519-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5072-287-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads