4b2989960dc5d8ac9ef692154687d86c8ab9142cc231d92ba07e19de803d9a9a

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b2989960dc5d8ac9ef692154687d86c8ab9142cc231d92ba07e19de803d9a9a_NeikiAnalytics.exe
Size

92KB
MD5

a1eeba093b534f416dc41e3c5f3f0e60
SHA1

676aea0da1a01883ee7ed33db2a878e55fb52480
SHA256

4b2989960dc5d8ac9ef692154687d86c8ab9142cc231d92ba07e19de803d9a9a
SHA512

e31301debb9b0a93339e9619a25e81a463e33f585e874937c3f6025d5453486d7cbf55344f936f074d782a4e3f25bb0648eacdc0828b3e93f6c390ec031f1bae
SSDEEP

1536:oJvRHtguJeDDY1uDTKCn86sucHVFhcE1BSWEpAlKc7v7i8xGFWh1MiJljXq+66D7:avRHtguBW2GFWh1rJlj6+JB8M3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnonkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaajhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglfplgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnhcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pagbaglh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfaajnfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lomqcjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fligqhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbpjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhfpbpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacepg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljdkll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnindhpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbcke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fohfbpgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipjoja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jljbeali.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onmfimga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkfcqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bklfgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahkih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmimai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiacacpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcclncbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfqnbjfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaajhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnehj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljfhqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bahkih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gemkelcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Holfoqcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbccge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iogopi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbagbebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lindkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkjnfkma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eokqkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feqeog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcclncbh.exe

Executes dropped EXE 64 IoCs

pid	Process
4024	Lkalplel.exe
1104	Ljfhqh32.exe
1064	Lkeekk32.exe
2408	Mglfplgk.exe
2632	Mkjnfkma.exe
4436	Mmnhcb32.exe
1228	Mjahlgpf.exe
4828	Mmbanbmg.exe
2344	Nmenca32.exe
4748	Ncabfkqo.exe
736	Nlkgmh32.exe
1988	Oeehkn32.exe
4548	Omcjep32.exe
3516	Alkijdci.exe
1712	Adikdfna.exe
636	Bnfihkqm.exe
4616	Bklfgo32.exe
2040	Bahkih32.exe
4396	Bheplb32.exe
2120	Camddhoi.exe
2872	Cfkmkf32.exe
4408	Clgbmp32.exe
4596	Cnindhpg.exe
3052	Cfbcke32.exe
4804	Dokgdkeh.exe
2172	Dhclmp32.exe
4308	Dfiildio.exe
4972	Dndnpf32.exe
3156	Dbbffdlq.exe
576	Ekmhejao.exe
4896	Eokqkh32.exe
864	Eejeiocj.exe
2560	Fmcjpl32.exe
2100	Fligqhga.exe
5024	Fmhdkknd.exe
4212	Fefedmil.exe
3628	Gehbjm32.exe
2016	Gblbca32.exe
3676	Gemkelcd.exe
872	Gmimai32.exe
3376	Hfaajnfb.exe
4928	Holfoqcm.exe
3644	Hblkjo32.exe
3256	Hmbphg32.exe
3708	Ibaeen32.exe
1568	Iebngial.exe
3092	Iipfmggc.exe
1604	Ipjoja32.exe
3292	Iplkpa32.exe
3580	Jghpbk32.exe
4580	Jenmcggo.exe
4604	Jljbeali.exe
4108	Jinboekc.exe
2984	Komhll32.exe
1000	Knnhjcog.exe
1628	Kgflcifg.exe
4480	Koaagkcb.exe
4636	Kjjbjd32.exe
232	Kfpcoefj.exe
4284	Llmhaold.exe
2620	Lomqcjie.exe
4432	Lfjfecno.exe
640	Mqafhl32.exe
1796	Mcbpjg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pagbaglh.exe	Ppgegd32.exe
File opened for modification	C:\Windows\SysWOW64\Ommceclc.exe	Nfqnbjfi.exe
File created	C:\Windows\SysWOW64\Ncabfkqo.exe	Nmenca32.exe
File created	C:\Windows\SysWOW64\Bnfihkqm.exe	Adikdfna.exe
File created	C:\Windows\SysWOW64\Filclgic.dll	Gemkelcd.exe
File created	C:\Windows\SysWOW64\Lhnhajba.exe	Kcapicdj.exe
File created	C:\Windows\SysWOW64\Bahkih32.exe	Bklfgo32.exe
File opened for modification	C:\Windows\SysWOW64\Afbgkl32.exe	Aogbfi32.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Ndjaei32.dll	Dnonkq32.exe
File created	C:\Windows\SysWOW64\Ljdkll32.exe	Lpjjmg32.exe
File created	C:\Windows\SysWOW64\Mlljnf32.exe	Loacdc32.exe
File opened for modification	C:\Windows\SysWOW64\Mmnhcb32.exe	Mkjnfkma.exe
File created	C:\Windows\SysWOW64\Kpibgp32.dll	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Jhifomdj.exe	Ibjqaf32.exe
File created	C:\Windows\SysWOW64\Nnojho32.exe	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Ocoick32.dll	Gghdaa32.exe
File created	C:\Windows\SysWOW64\Nfldgk32.exe	Nqmojd32.exe
File opened for modification	C:\Windows\SysWOW64\Cgnomg32.exe	Cdmfllhn.exe
File opened for modification	C:\Windows\SysWOW64\Ghojbq32.exe	Gngeik32.exe
File created	C:\Windows\SysWOW64\Iogopi32.exe	Iacngdgj.exe
File opened for modification	C:\Windows\SysWOW64\Hiacacpg.exe	Ghojbq32.exe
File created	C:\Windows\SysWOW64\Ajhapb32.dll	Nciopppp.exe
File opened for modification	C:\Windows\SysWOW64\Obnehj32.exe	Oonlfo32.exe
File created	C:\Windows\SysWOW64\Mhpbkngk.dll	Nlkgmh32.exe
File created	C:\Windows\SysWOW64\Knnhjcog.exe	Komhll32.exe
File opened for modification	C:\Windows\SysWOW64\Pmpolgoi.exe	Pplobcpp.exe
File opened for modification	C:\Windows\SysWOW64\Bddcenpi.exe	Bhmbqm32.exe
File opened for modification	C:\Windows\SysWOW64\Ppnenlka.exe	Pfepdg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncabfkqo.exe	Nmenca32.exe
File opened for modification	C:\Windows\SysWOW64\Dbbffdlq.exe	Dndnpf32.exe
File created	C:\Windows\SysWOW64\Koaagkcb.exe	Kgflcifg.exe
File created	C:\Windows\SysWOW64\Ofpnmakg.dll	Eokqkh32.exe
File created	C:\Windows\SysWOW64\Oonnoglh.dll	Llmhaold.exe
File opened for modification	C:\Windows\SysWOW64\Aajhndkb.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Aogbfi32.exe	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Fohfbpgi.exe	Feqeog32.exe
File created	C:\Windows\SysWOW64\Jaajhb32.exe	Jhifomdj.exe
File opened for modification	C:\Windows\SysWOW64\Ocnabm32.exe	Omdieb32.exe
File created	C:\Windows\SysWOW64\Dblamanm.dll	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Mhjmpfcl.dll	Dndnpf32.exe
File opened for modification	C:\Windows\SysWOW64\Koaagkcb.exe	Kgflcifg.exe
File created	C:\Windows\SysWOW64\Eopjfnlo.dll	Pfoann32.exe
File created	C:\Windows\SysWOW64\Ocjoadei.exe	Onmfimga.exe
File created	C:\Windows\SysWOW64\Mgnddp32.dll	Cgifbhid.exe
File opened for modification	C:\Windows\SysWOW64\Geldkfpi.exe	Gghdaa32.exe
File created	C:\Windows\SysWOW64\Kpmmljnd.dll	Jaajhb32.exe
File created	C:\Windows\SysWOW64\Nqjgbadl.dll	Lkeekk32.exe
File opened for modification	C:\Windows\SysWOW64\Eejeiocj.exe	Eokqkh32.exe
File opened for modification	C:\Windows\SysWOW64\Knnhjcog.exe	Komhll32.exe
File created	C:\Windows\SysWOW64\Nqmojd32.exe	Nciopppp.exe
File created	C:\Windows\SysWOW64\Kpikki32.dll	Omdieb32.exe
File opened for modification	C:\Windows\SysWOW64\Pplhhm32.exe	Pbhgoh32.exe
File created	C:\Windows\SysWOW64\Gghdaa32.exe	Gnnccl32.exe
File created	C:\Windows\SysWOW64\Ccbolagk.dll	Gngeik32.exe
File created	C:\Windows\SysWOW64\Hfibla32.dll	Ibjqaf32.exe
File created	C:\Windows\SysWOW64\Kldgkp32.dll	Kheekkjl.exe
File created	C:\Windows\SysWOW64\Hkajlm32.dll	Omcjep32.exe
File created	C:\Windows\SysWOW64\Dfiildio.exe	Dhclmp32.exe
File created	C:\Windows\SysWOW64\Llmhaold.exe	Kfpcoefj.exe
File created	C:\Windows\SysWOW64\Afbgkl32.exe	Aogbfi32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmojd32.exe	Nciopppp.exe
File created	C:\Windows\SysWOW64\Llgmeiqa.dll	Mmnhcb32.exe
File created	C:\Windows\SysWOW64\Kfbdfl32.dll	Ekmhejao.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6984	6828	WerFault.exe	253

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidalg32.dll"	Dfiildio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbdfl32.dll"	Ekmhejao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngjkfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkjnfkma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhclmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fligqhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gemkelcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didmdo32.dll"	Iipfmggc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlgdjg32.dll"	Iplkpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkcndeen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll"	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlkgmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oeehkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdpoomj.dll"	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll"	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geldkfpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbccge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loacdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbalhp32.dll"	Bklfgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjoqdcl.dll"	Camddhoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clgbmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcclncbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omcjep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bklfgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkfcqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmhdkknd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdbcaok.dll"	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll"	Nfqnbjfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alkijdci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmmpa32.dll"	Hiacacpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpjjmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkdoio32.dll"	Ipjoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpjjmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jinboekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibaeen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jljbeali.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkalplel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhjedb.dll"	Hfaajnfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimkic32.dll"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpikki32.dll"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdjqkoj.dll"	Gnnccl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lindkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll"	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnnccl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocoick32.dll"	Gghdaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhapb32.dll"	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ommceclc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4024	4948	4b2989960dc5d8ac9ef692154687d86c8ab9142cc231d92ba07e19de803d9a9a_NeikiAnalytics.exe	90
PID 4948 wrote to memory of 4024	4948	4b2989960dc5d8ac9ef692154687d86c8ab9142cc231d92ba07e19de803d9a9a_NeikiAnalytics.exe	90
PID 4948 wrote to memory of 4024	4948	4b2989960dc5d8ac9ef692154687d86c8ab9142cc231d92ba07e19de803d9a9a_NeikiAnalytics.exe	90
PID 4024 wrote to memory of 1104	4024	Lkalplel.exe	91
PID 4024 wrote to memory of 1104	4024	Lkalplel.exe	91
PID 4024 wrote to memory of 1104	4024	Lkalplel.exe	91
PID 1104 wrote to memory of 1064	1104	Ljfhqh32.exe	92
PID 1104 wrote to memory of 1064	1104	Ljfhqh32.exe	92
PID 1104 wrote to memory of 1064	1104	Ljfhqh32.exe	92
PID 1064 wrote to memory of 2408	1064	Lkeekk32.exe	93
PID 1064 wrote to memory of 2408	1064	Lkeekk32.exe	93
PID 1064 wrote to memory of 2408	1064	Lkeekk32.exe	93
PID 2408 wrote to memory of 2632	2408	Mglfplgk.exe	94
PID 2408 wrote to memory of 2632	2408	Mglfplgk.exe	94
PID 2408 wrote to memory of 2632	2408	Mglfplgk.exe	94
PID 2632 wrote to memory of 4436	2632	Mkjnfkma.exe	95
PID 2632 wrote to memory of 4436	2632	Mkjnfkma.exe	95
PID 2632 wrote to memory of 4436	2632	Mkjnfkma.exe	95
PID 4436 wrote to memory of 1228	4436	Mmnhcb32.exe	96
PID 4436 wrote to memory of 1228	4436	Mmnhcb32.exe	96
PID 4436 wrote to memory of 1228	4436	Mmnhcb32.exe	96
PID 1228 wrote to memory of 4828	1228	Mjahlgpf.exe	97
PID 1228 wrote to memory of 4828	1228	Mjahlgpf.exe	97
PID 1228 wrote to memory of 4828	1228	Mjahlgpf.exe	97
PID 4828 wrote to memory of 2344	4828	Mmbanbmg.exe	98
PID 4828 wrote to memory of 2344	4828	Mmbanbmg.exe	98
PID 4828 wrote to memory of 2344	4828	Mmbanbmg.exe	98
PID 2344 wrote to memory of 4748	2344	Nmenca32.exe	99
PID 2344 wrote to memory of 4748	2344	Nmenca32.exe	99
PID 2344 wrote to memory of 4748	2344	Nmenca32.exe	99
PID 4748 wrote to memory of 736	4748	Ncabfkqo.exe	100
PID 4748 wrote to memory of 736	4748	Ncabfkqo.exe	100
PID 4748 wrote to memory of 736	4748	Ncabfkqo.exe	100
PID 736 wrote to memory of 1988	736	Nlkgmh32.exe	101
PID 736 wrote to memory of 1988	736	Nlkgmh32.exe	101
PID 736 wrote to memory of 1988	736	Nlkgmh32.exe	101
PID 1988 wrote to memory of 4548	1988	Oeehkn32.exe	102
PID 1988 wrote to memory of 4548	1988	Oeehkn32.exe	102
PID 1988 wrote to memory of 4548	1988	Oeehkn32.exe	102
PID 4548 wrote to memory of 3516	4548	Omcjep32.exe	103
PID 4548 wrote to memory of 3516	4548	Omcjep32.exe	103
PID 4548 wrote to memory of 3516	4548	Omcjep32.exe	103
PID 3516 wrote to memory of 1712	3516	Alkijdci.exe	104
PID 3516 wrote to memory of 1712	3516	Alkijdci.exe	104
PID 3516 wrote to memory of 1712	3516	Alkijdci.exe	104
PID 1712 wrote to memory of 636	1712	Adikdfna.exe	105
PID 1712 wrote to memory of 636	1712	Adikdfna.exe	105
PID 1712 wrote to memory of 636	1712	Adikdfna.exe	105
PID 636 wrote to memory of 4616	636	Bnfihkqm.exe	106
PID 636 wrote to memory of 4616	636	Bnfihkqm.exe	106
PID 636 wrote to memory of 4616	636	Bnfihkqm.exe	106
PID 4616 wrote to memory of 2040	4616	Bklfgo32.exe	107
PID 4616 wrote to memory of 2040	4616	Bklfgo32.exe	107
PID 4616 wrote to memory of 2040	4616	Bklfgo32.exe	107
PID 2040 wrote to memory of 4396	2040	Bahkih32.exe	108
PID 2040 wrote to memory of 4396	2040	Bahkih32.exe	108
PID 2040 wrote to memory of 4396	2040	Bahkih32.exe	108
PID 4396 wrote to memory of 2120	4396	Bheplb32.exe	109
PID 4396 wrote to memory of 2120	4396	Bheplb32.exe	109
PID 4396 wrote to memory of 2120	4396	Bheplb32.exe	109
PID 2120 wrote to memory of 2872	2120	Camddhoi.exe	110
PID 2120 wrote to memory of 2872	2120	Camddhoi.exe	110
PID 2120 wrote to memory of 2872	2120	Camddhoi.exe	110
PID 2872 wrote to memory of 4408	2872	Cfkmkf32.exe	111

C:\Users\Admin\AppData\Local\Temp\4b2989960dc5d8ac9ef692154687d86c8ab9142cc231d92ba07e19de803d9a9a_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4b2989960dc5d8ac9ef692154687d86c8ab9142cc231d92ba07e19de803d9a9a_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\SysWOW64\Lkalplel.exe
  C:\Windows\system32\Lkalplel.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\Ljfhqh32.exe
    C:\Windows\system32\Ljfhqh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\SysWOW64\Lkeekk32.exe
      C:\Windows\system32\Lkeekk32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\SysWOW64\Mglfplgk.exe
        
        C:\Windows\system32\Mglfplgk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\SysWOW64\Mkjnfkma.exe
        
        C:\Windows\system32\Mkjnfkma.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Mmnhcb32.exe
        
        C:\Windows\system32\Mmnhcb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Mjahlgpf.exe
        
        C:\Windows\system32\Mjahlgpf.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Mmbanbmg.exe
        
        C:\Windows\system32\Mmbanbmg.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Ncabfkqo.exe
        
        C:\Windows\system32\Ncabfkqo.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Nlkgmh32.exe
        
        C:\Windows\system32\Nlkgmh32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Oeehkn32.exe
        
        C:\Windows\system32\Oeehkn32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Omcjep32.exe
        
        C:\Windows\system32\Omcjep32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Alkijdci.exe
        
        C:\Windows\system32\Alkijdci.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Adikdfna.exe
        
        C:\Windows\system32\Adikdfna.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Bnfihkqm.exe
        
        C:\Windows\system32\Bnfihkqm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Bklfgo32.exe
        
        C:\Windows\system32\Bklfgo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Bahkih32.exe
        
        C:\Windows\system32\Bahkih32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Bheplb32.exe
        
        C:\Windows\system32\Bheplb32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Cfkmkf32.exe
        
        C:\Windows\system32\Cfkmkf32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Cnindhpg.exe
        
        C:\Windows\system32\Cnindhpg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Dokgdkeh.exe
        
        C:\Windows\system32\Dokgdkeh.exe
        26⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Dndnpf32.exe
        
        C:\Windows\system32\Dndnpf32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Dbbffdlq.exe
        
        C:\Windows\system32\Dbbffdlq.exe
        30⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        33⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        34⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        37⤵
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        38⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        39⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        44⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\SysWOW64\Hmbphg32.exe
        
        C:\Windows\system32\Hmbphg32.exe
        45⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        47⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        51⤵
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        52⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        56⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        58⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        59⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        63⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        66⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        68⤵
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        69⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        71⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        72⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        73⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        75⤵
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        76⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1412
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        78⤵
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        79⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        83⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        84⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        85⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        86⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        89⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        90⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        91⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        92⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        94⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        96⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        99⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        100⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        101⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        103⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        105⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        106⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        107⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        113⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        114⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3112
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        120⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        123⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        134⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6592
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        138⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        139⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        142⤵
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        143⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7060
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7100
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        151⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        152⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        153⤵
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        155⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        157⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        158⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 400
        159⤵
        Program crash
        
        PID:6984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6828 -ip 6828
1⤵
PID:6940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adikdfna.exe

Filesize
92KB

MD5
5c820911972b21be71ba60e3357cf745

SHA1
4385ffa9bf5782f38e36d30187da287db52913fa

SHA256
f815d152b52364e64ca15183bff2d0a52d3d8b0cbf208a23d56795f5d771b09f

SHA512
6457d633a188327e91cafb321f0398f090f9f3d69d1978ea13fae13c5a579e717a6b7c208dc66d3ec9ab7a9942b5a49bcd0e901bcb382ac7d9fe8422b424d5d9

Download Submit
C:\Windows\SysWOW64\Alkijdci.exe

Filesize
92KB

MD5
e4b0cc7cdfac9e0f32e23c96cc3f49e4

SHA1
2dc5bdbf383e25c8cd7a692a4a193522f9871ab9

SHA256
476167f247194d7f2980027015322b5c512e90b51d5fdc956a3fd61e611ac4d1

SHA512
87027403b3bf93bb03e7d749924729154df8b24093d4ced803ab882f0a0246225125ea74dc31c6d90329a8e68487089dd79c69807841dff2e90ab2b9f9f5390d

Download Submit
C:\Windows\SysWOW64\Bahkih32.exe

Filesize
92KB

MD5
d976445ae473ad30f8fc25b9149eb837

SHA1
5d8fa9504aa8c37eb2b02d52aa9082255151f7f7

SHA256
818c7b3ea2c1d4a1db571cfe54c8f984c60cb305061d9c14d7c7b69c37a8bff0

SHA512
40bfde5e0354495ea298b2c489fd30c42b79697753d4474661efd939b5f6f4362f362f95d8935d76c9fe68a62ff7902390cc0e1c15589e19c3e17f1cd7e5839c

Download Submit
C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
92KB

MD5
59e235967208b93de7345c769f5098d6

SHA1
ee8c16cbdea2e06a3abcdac92e34d3b2c5c0d2f2

SHA256
9afb1b10452e03518a406af328a1bd4c4fcad34db6f11f191ece3f4c25220d10

SHA512
7ad0a076a0b37fdc56854f01804882faaaa15fb30a429d9b8424a6d53445bb1aaf4359b08fae8c14c1c7813e897247fffafe48a3ee4a19a5ec6f487b26674077

Download Submit
C:\Windows\SysWOW64\Bheplb32.exe

Filesize
92KB

MD5
b38c2fec9882b18225944dc5d610f91d

SHA1
dd9b8f6269708c5405d0b2258b7ed27d9e36257f

SHA256
38e7fa93cded0e75a2706d9080022ea70a9f2489e443ddde1dbbac9125a89b19

SHA512
4ead2a7727440123526fa8d266e4f1ec2c5fe80fb15e2efab7993257838d9c13d60d35ac06c9f2338d4b8d7c0b03c2adfe1805a800e2ca075805a3ea87730897

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
92KB

MD5
6b8d3527b7333e179909fc4c1cc2b3fb

SHA1
b9bc9e0152d7d1f577df9f408cced9d54e49e018

SHA256
109ecdfa322b3afc964298865c94097f96e454d29cc3e8caefe8b0972e515087

SHA512
474d3def90459688827efd562ef8f9e736cb31b860c9f519a2fd55dc92ecde3241b4e20f991a44fb432cf4e4787aaba685b15cf6516f6a0db33df37f8fbef800

Download Submit
C:\Windows\SysWOW64\Bklfgo32.exe

Filesize
92KB

MD5
c32ec9553b939959fdf6d91025911119

SHA1
50aed22945459d40bce45dc1cbe1eaad6a2ca8bb

SHA256
16bc96d9a518464196937e5245a687c513164f33c3fa74e1649e36f15898c517

SHA512
b34c9e340b789b4b1738f3911ccdd82c6c95ae51885fe122ade9b4e18e6dfede029f6277dfffdcc015057b10a08f9b5ae1706ebb73cf6d3d1e877aaff82bcfe7

Download Submit
C:\Windows\SysWOW64\Bnfihkqm.exe

Filesize
92KB

MD5
6b3d1c373c3ed9184535cfb8622da93f

SHA1
dfd89d4f3ece9e8dbac82cf112a5a29fed9e1344

SHA256
4c7b8cfdb751dc88b7423170c2a634eb4df59aea5c742dd38c6446e845d927f8

SHA512
21fea2b2f7c0a4dde193f2c2303b58ad3c301b738db358cc8c641c5c393f16aeaf91ef38a42edd22b90f0959277921ea9ed9e48637e21b4076d460e8a06564df

Download Submit
C:\Windows\SysWOW64\Camddhoi.exe

Filesize
92KB

MD5
77dac243e02c9b83a7ccac6a7b4f3cce

SHA1
ab47b56f2ad77de60cf14f529aa78245db253947

SHA256
edef062693da3db8bacf16387a2178f6bb562a73fe93e43201e92f0ef8a80bb5

SHA512
62df33b8064004f3a1bab14273080784163c599815574516076c432db0ff319060297bf1e165a94037a00f297301b5d4fa527d571a0162ec1b289fb6dde96850

Download Submit
C:\Windows\SysWOW64\Cdbpgl32.exe

Filesize
92KB

MD5
24c396bbd90f212564d83db83b1061b5

SHA1
767cf22863e20aba7914228c8f79ceb02cd7e712

SHA256
b715ed039b6b2af7a8e82bccf97c8360367090c50acd438533acb88b05a357df

SHA512
523027b1b4befd21bea740271990532fc740fa219a765fb6783aea32a94c222ad49d1455c6f07c668d218301104782f7908e632a3f099059c6f4a912108c92ba

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
92KB

MD5
217d84434526c8d11c6f6ee8a3b893bd

SHA1
b7c41764192232e75c05724e7e43d8079577c68a

SHA256
0af7e8fd7898609d872db6977364d0b56c214d5d231f2f78d3858efed5d723d8

SHA512
bbdf7d9ae772a6d2493902e881b0abd573ebc2a7eaa18d832b30bc094e0a3f484159e3658a999ced923b1492af303eb1d1b00b7f9bdbfe0316cf2303fb283a9e

Download Submit
C:\Windows\SysWOW64\Cfbcke32.exe

Filesize
92KB

MD5
12d9a92b0aff663f2c213209b177e9c3

SHA1
7ae643c21017565d648540cc5f14320f419662de

SHA256
ff023c8b03cae7e4d09077d2fec64ff30e6175ba1fd25f0b9e602352baa4e6c5

SHA512
c4e6758b058b1d26a770ba955fda66a386c59d4924201799f0a5dd8fe3f317eb13722877e565792d39b0668311bf4fb38740c1892e6c0032b2a817ee656baf92

Download Submit
C:\Windows\SysWOW64\Cfkmkf32.exe

Filesize
92KB

MD5
e1fdb1e430ca01845fa92400b8d61d93

SHA1
271cab61be9a94f7274ca478efb0a86c6206fa41

SHA256
3697cde01995864da022477e24574a85b29efd6dd810fc45aaa65a919a00c669

SHA512
2afa81ecc6f5fbbea15a0ac4e024c15ab85d245d0016ddf5110c25ed0e4dbb34440745e9ccd2c5a577c8a2b3bec0df40c78b04210c87f9094c5a566bf7ac059e

Download Submit
C:\Windows\SysWOW64\Clgbmp32.exe

Filesize
92KB

MD5
af2975b45e3cdf59a78abb4f9b7aa7b9

SHA1
80131d22696b49a0383cae97c8cf38b59aad8b0f

SHA256
2384eccf286349ba555e12cc7b1b73b1caedd3ec1a07b2c4d0ca146a2aa1a8a4

SHA512
aaeaeeea87235fe84e8725c82afcdb3b3770307498b13b997f34e783617bd6e1b5b15108b1f8ba306a1bb4942beee060ac9f9f51bfd6397c54bff5c6c32b1f84

Download Submit
C:\Windows\SysWOW64\Cnindhpg.exe

Filesize
92KB

MD5
c44f0803a566c8aeb373ac2c4cd1b03f

SHA1
af45ccdea06a0c06eed385d9ea4721b371523bad

SHA256
1826156ee99d2ad96fa73a8d3d0c9f8508b0f7d63aecd94b9ebe36ba74cb8885

SHA512
29dd8c75fca37c0f004fac94aae3343125437c594783dc6ad2e6cb1de0d33a818e9b051fb51fa4b032580aee87e908129657ce3a102af8183c4a1a8a0fe5b12d

Download Submit
C:\Windows\SysWOW64\Dbbffdlq.exe

Filesize
92KB

MD5
8932689fa7b637b63feebbbd6e153005

SHA1
971ca6d1b2d3850cbfefb72844edf26414f35756

SHA256
887e8e2f2c0f0cea7e439b158a08a3c8291b3518c8af38e87d6830286a39322c

SHA512
61da0772366207ca987c40fcf32b966a8b29c8128b28f6a8428d80360a0c63554b894a629204be1fc5cbebe4946901ce09acade1cb0e5958b4ea73becccfb466

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
92KB

MD5
e2f8851c275bb2700fb33bdcb03d134a

SHA1
7be787c0dc28f708ac2886b3e12513e869194d8e

SHA256
f4f9efa20cd716c8f8d9bb1b12cb43910e407e926154000d5f0adc5bb4f1431c

SHA512
03b65ff059e1b0e88e568e63b7d0487f3a9121251e16a3ef3ddb8bd07b6504c505f678ff42f5edf4c3e9dcf28f919ed8ee926765cf948d6ec55cc602c384a191

Download Submit
C:\Windows\SysWOW64\Dhclmp32.exe

Filesize
92KB

MD5
b261e55e0480a648c987c429c5c85d24

SHA1
45b803be4173b46728745ee887a41e2f44c7812e

SHA256
e0c392dd81356ba130c1bfd45a8bbbe4980a1cec54be61dfa1d047369d4b70d5

SHA512
aac98f6966d28ae6dea2262409dc3bc5b4c0cd95b6d953da8ce9bc3e1f72e78e35c0ee8317a9720875fa4b8ddb025746f151a17316b3c31515e0f99e80bbb2f5

Download Submit
C:\Windows\SysWOW64\Dndnpf32.exe

Filesize
92KB

MD5
77aa93527a47de27a005c086c3d5b4ea

SHA1
c09183de82fd291b424c1c28c1be82adad9a83ad

SHA256
a3ec209cf73f38c2f1bbcc63fee402a9fab7c3d56e7176caaf87a7985b278458

SHA512
56f70e842f5f0ae785d50acad6494dd7f24146a8c8168066351a3e528709d4c6c29647c29739ecd8ff6451cf43958c1451818c8e0ab2bad82ffb91ec6359c63e

Download Submit
C:\Windows\SysWOW64\Dokgdkeh.exe

Filesize
92KB

MD5
034b11143c1ec86c15ec5a1bf4dd9bd4

SHA1
51cf33dd742f2d7d03a066abd2136b6066c28a86

SHA256
f62bdefbe011653744339c8d7e093a65675af9b920eaebb8b1a799fcf0384781

SHA512
1d134acec1d046495289f808c3c6c5352d062f2b970df7ead68dd61722408bc2d75bf89633b6f1851fa37de396ff8d7659d3533beb8b86d2a36ccb5ef915a3ea

Download Submit
C:\Windows\SysWOW64\Eejeiocj.exe

Filesize
92KB

MD5
f573d7a10585c1a963fee2a2b7669a67

SHA1
6d3625a826dd5bff98fd36944a9e2004935936d4

SHA256
2bd7fc4667ea67c96a5fba3dc620126507db7159adf2d1fec8563cc87a6958af

SHA512
06f2dfd3f84bb5bd269a3c670fd209ec4a679c8a54c256b9531e6ee554b7e2133151b24cce55619eaa55f68aaea2ce9a5222a5bcd1336d55de219990e39f83a6

Download Submit
C:\Windows\SysWOW64\Ekmhejao.exe

Filesize
92KB

MD5
06a4730cebdcc145801d9f26c0a722a6

SHA1
192fbdfa57ff26913dad5538c01b6f2424a3902b

SHA256
ee88193bd9e439e3027f4a9dcea87d58586d057a6d3bae19d8bd2e407b9ab375

SHA512
9dbeeb1478122875bec6db7ffa96d216b092238ee1735d93042ed3f676e47a17c062d461731ca27c82f71df9f5f27ee6017697e2dcd3bf7ce1c0f4c9a8f9d0bc

Download Submit
C:\Windows\SysWOW64\Eokqkh32.exe

Filesize
92KB

MD5
e45503004d43d771120d693149c3720f

SHA1
f4bb4073ae6aa5713b3f03cd973c8a45e1327a27

SHA256
83d677ca3649813e6010831f53f8f3cd813006b7b77cd9120fe4f375fb2eb337

SHA512
bb29ec79e46aa3d7d515c2d3ffe8127d1c814d9e087a289dda731939ef35cb7dbecb43c7334b08f02fc3697018627ef436d1a59eee44a2a8c0cb7d43f8b4ed2e

Download Submit
C:\Windows\SysWOW64\Fmhdkknd.exe

Filesize
92KB

MD5
5fa51b5491eb4a531d69d0a1ce5d364a

SHA1
8330d2627e004578837148f71bce3a8545b65e5e

SHA256
b07cbbca6e5fd5c661101957956ca43d8e7f2067f3011a9019a79441119ae041

SHA512
f6dca03230d0c83b4ff91dd7a8349ba065240e9b708617a01ed930bdb038a7ea73badb1f704c3466e4cb1782079a65e0b11cfb7c8541da8c604f11286513451f

Download Submit
C:\Windows\SysWOW64\Hblkjo32.exe

Filesize
92KB

MD5
f0025d3159f173f8f67ced6082ef6dc7

SHA1
fdb883ff5ee572042b4ff5ba6be5972228e75144

SHA256
23039bc314718351c6c8897694c588392a94c0108b60bb4c37ffc7b25a0416c6

SHA512
834c2ffb6226d705c6b10783a855ea31114ccec2dfb95c3e5003730bbf6f39cd4ac3674f309faa94eb84988b5237c57d25e8d3dcfcd88fb12c50b749cd40f9d8

Download Submit
C:\Windows\SysWOW64\Hhfpbpdo.exe

Filesize
92KB

MD5
11edfbd14ea682e98f2ed5a90e41898c

SHA1
1818eecc060fc702a9c241ed596f42bbf99515ed

SHA256
a0d28d1050beca28b578cf5f20efc5e5dd08350581146e840e00f94284f71b17

SHA512
1fa104c9bff218c0126ad6aafd4fddee96cde3db4b4a35e81ce658ee64338a5869142e70c25caffc363bfc938a7cdffa91ff9c2a22413c20ff7e48407caa5636

Download Submit
C:\Windows\SysWOW64\Ibjqaf32.exe

Filesize
92KB

MD5
42b7baf24691647eadab2a8f47a6ab99

SHA1
f2584333eb6b83efc95715bfcce2051022b218ed

SHA256
7ace3a3ea462f0de214f457a31c61559c0ee0b586e6a9193d9d919f2effad71e

SHA512
d5a365ae9c827c58fcc21467ba409ba147e5a4094bf69025dcc5c75245545caac7fcb997e2d7ff0dcbbb5afd71e4186c0fb30c271e27cfc2eff93ad64c27bca6

Download Submit
C:\Windows\SysWOW64\Jaajhb32.exe

Filesize
92KB

MD5
32893350c2b6c2ea5b13752237cab305

SHA1
326d4961ae3d1fcaa3a379d2deb53d6fceb00a9a

SHA256
2893970b1c3e9fd31eefad2f4cbbaba1d28761f7fe4a19c92d191e3e9a08290f

SHA512
94e589ab1f5275375221d1e6bfd4ed14ab7402b948b1274ef792a19e2c058efb404a3aba1967fa899377a95d6ca908b1617d967b7b4443309cf7994c319ad149

Download Submit
C:\Windows\SysWOW64\Jghpbk32.exe

Filesize
92KB

MD5
f97a00f3b3907bb720922bb03d9a48db

SHA1
00993ea1c0d3a9f91d8a8b5c2089eb6f0c59d9b0

SHA256
0c7838337cd9f004bde480b5b3d82d47b64bfc5c79f8c4656d9538fe89242a5a

SHA512
4742c3ceffbf95f35d15e963f143df80307cd404d367e8aac4c90e7ff88e0383aeea4be0bc173d2b2929d06e582f9316225a55b3bc4ee13b538941388006a7f7

Download Submit
C:\Windows\SysWOW64\Ljfhqh32.exe

Filesize
92KB

MD5
219fc1dceb11b868838b63d4cfa4e366

SHA1
aac933d7b872d42eebdf37145c7801e44eb730a3

SHA256
d1c166b630abc7fc1ae83efccb07f04474d42eb3ef8e7c4456020662bc466ef5

SHA512
e7b420b05445a3dd9da825ccb39697de54c737a3223181ace2dc9b64ab23d702fe87425231f7792c316a68863a4fa7e7e733f26dff639a14818d23f3878bfe03

Download Submit
C:\Windows\SysWOW64\Lkalplel.exe

Filesize
92KB

MD5
81d2093b9784aec5cc4102fddd98c99b

SHA1
e112ed646e126b96cc89ce2d826936ce54222d6d

SHA256
ad0b35ac06f5edda52c517ead958baa27997a0b114d67289630e0bfa980721df

SHA512
7bd42e4eee800be6427cf86d6b3d129fb7e1e80fe38a303cc7a3c726b22e9f64f00fbe1991f02f2e3c815f075b3005ae663af11cbb046a924c7e94632061bf2d

Download Submit
C:\Windows\SysWOW64\Lkeekk32.exe

Filesize
92KB

MD5
cd5ba35aed9a4c23ec419f60fe42b273

SHA1
5202e4d8887dcd8f35a475ae7edadae0e4f7a7e0

SHA256
e5f7df99d5ab05645c724a9e787ac16d61841678e5c88c075ac3b4f860baf4d2

SHA512
ac23eed6155ee2d8cffe1a368bd5e8a5c1927fea9959b1b6ccb914bb1d56181edb800b98505843e8a5665412bdfbbede19ef4aec15a0fa311b35c7c9e33c80f3

Download Submit
C:\Windows\SysWOW64\Llmhaold.exe

Filesize
92KB

MD5
4749a5efa643ebb95003b5d081372b6b

SHA1
e0935e2886143704ce3c48cfdcb817136264c78b

SHA256
a7c905b4719476b611c37c6e98bdd1758a0693bccb1059db7c19409039b999f2

SHA512
63e38dd17eee30e4b309ac7909ea5c3d42c95c6afa25c05360c68f57fc326565ba18424dcf9734efbd0d707ccfb1370b18ca5a8eb99c0b66b1a363a883646f85

Download Submit
C:\Windows\SysWOW64\Mglfplgk.exe

Filesize
92KB

MD5
ca46bdfdf32379ce2929deb467f215be

SHA1
ac75e31cc624b1f4e266dfc273c3f044a5a472a3

SHA256
b70d1ed887bead029c2c10a340ac1ce308a837e56b99d6d6676f70031ac376f0

SHA512
ae200cc46adadfcec37350fe09082dfc2d247157a50717f21a338774e8e975b8076a74f22c609b37ba15724460a01302e61fe8af09d26bf34a6c2e24358364d9

Download Submit
C:\Windows\SysWOW64\Mjahlgpf.exe

Filesize
92KB

MD5
eb07bd2a66d3c914d88409d5ebd5dcd0

SHA1
0b236d6f3c8896acdd7c12441bffa89d47003bf9

SHA256
8598952aef96aeeaaf29b1cf6b784863b96c60fb64ef897c0c3ef61ca143bd4d

SHA512
4d11d1b13fed9b5c00b600987bcbecfac28130096e20bb6368458f0ef9e257eb8bffcc5b2f8c5c950c388143b53b528931de3e99819db5dffd8008aedd53f278

Download Submit
C:\Windows\SysWOW64\Mkjnfkma.exe

Filesize
92KB

MD5
0adbccc1014b88bde681f86caf16ac29

SHA1
f29560862e38542139c72e765a0948671cb6e222

SHA256
5d8423c3a9dddad6c4aa8edce0bf932605ea0ba831939d843308dee260b48d2e

SHA512
d7bb72ac67788ee287d944325a78363e93cd4e13f1bf837fc140fcada3de4752ac2dd2b421782945b9a054d52f8e99355a046ce913c64a1412bf8602d11349a0

Download Submit
C:\Windows\SysWOW64\Mmbanbmg.exe

Filesize
92KB

MD5
07a8c95ff5d17abf56811240c1497573

SHA1
d757dba49a602b086cb2f7618effedf0dc3d6fca

SHA256
136fa5642316d7270c9175346760530bfaecd7ec6c87c891494ad7d6bfe6f650

SHA512
065c89db870a4b3cc5d94b86ff48cabfc42161428fa945bc474c48f126e3156fffa1448259e43c7c61f42a58491fbd12ec02b1684847ad1dd85ce4772ed83c81

Download Submit
C:\Windows\SysWOW64\Mmnhcb32.exe

Filesize
92KB

MD5
02ee88e37e053f2233eda201830a5417

SHA1
ca1d2c04dbc8ec94075ecc59cdeea71753f14205

SHA256
64d72aa2ab5fcfa7f17a9007b1f2945979fb255272be522de8dc99fa14b5ac5b

SHA512
fac5193fea3779adbe58379e5a53eb587c96c323cea7a4cc85ad453b6346469d09632b1bcda8a745cc6415095b97ef7cc7b41e2d180593fa74298aaaaa6029cf

Download Submit
C:\Windows\SysWOW64\Ncabfkqo.exe

Filesize
92KB

MD5
b987ea536d666252855831120d7e7330

SHA1
393c4dc6b528d058a703b2de268072e02a9c7f3f

SHA256
c5d654fe5886ac7a5ba3afaec3031c7f587d54bf9738a49333e8d6a579fee82b

SHA512
3118e8a0efc1d582456a8e6e60317be40575156e5869fbc51dc319b384075c806e0a0f498b7fe307bdd0b7ef0d3f81eca6d29ae29f0cd2e9fdeb4ddea3eb980f

Download Submit
C:\Windows\SysWOW64\Nlkgmh32.exe

Filesize
92KB

MD5
cab1c0630ac3a6e7127e09322d25d51c

SHA1
b562e6d9fa38b69a5a38145e50de72c3cf91e824

SHA256
ac45750e88f22027bab940e4b5aeea23f051f3ef64eff03d4f50f461765a24d2

SHA512
1b7789317e2f980e53cbecbfcc5f4b2ac7bb9920bbb428e7028dc51df41ae1c969582e37b148b2fef21cf57d2dafc8c2c2da54e786b80ec14a3275be79115920

Download Submit
C:\Windows\SysWOW64\Nmenca32.exe

Filesize
92KB

MD5
d807469bcc02e1b790df08a1afbe8fc1

SHA1
8a130caedf7cffe1b41fdebb55b44792b05d28c2

SHA256
93f1e046fb47f7db4d68fa4ab5f1e10ab005397e0349ea5802d1ac5acb9614c8

SHA512
6cf5038c9712cfbc69bdd3ebf38f9780234f14390d5110fd203532be0772cf9aadf120886ac271a0cd58ce2971dff4daee00ad94e1c03d3490f01e6a0d1b6e91

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
92KB

MD5
254c1f86b81ce18bcd31ff0da242d845

SHA1
9e2e6ff1a03e49a5e09fe311ced09ce7dd9a267c

SHA256
c7900c42aa7ac82557782329a7ac745cbc40f48251324c2f8d234c3adc5466e9

SHA512
d2c8521617012e8465175640b44e9041f52993b6ec6ac87a113a30b64510ad7b8756d973b00186f8c4cbad76eb1e0b397f20ad25fa80e4a834c249d5c7fbac66

Download Submit
C:\Windows\SysWOW64\Oeehkn32.exe

Filesize
92KB

MD5
a66d129b21cb1c5eb931111ea4ea5b7b

SHA1
04af72b7a11265a36dc94e1a7e1961ff1c892d74

SHA256
787a6638ef15efacc529e853644b1fba66cd0ed708316db217697897f03418a8

SHA512
a5028d544b2c1282fcf032f677d81907a1070e9d961ed156b84f4368e842efb2edc2528f18e9b3bf85c28f4164591618341970136ac77107fb4ef4c37ca2206e

Download Submit
C:\Windows\SysWOW64\Oikjkc32.exe

Filesize
92KB

MD5
3764be4d1dbb83d7544612470dc1499e

SHA1
1283c9ad70657e9ee815f50209d956517e5e3c76

SHA256
854785b5f456560c5e522c86f662cab0ac89fe7cc476f2268871d521eacdedeb

SHA512
ca92bb2cdcfc5b0c3b7ea41aa86617cd89fd7c504d8785b7685f5bcadb3e47b16b46682b4ed9c67c2e7384f4837aada0093f1ec4de94e842f365cef162481868

Download Submit
C:\Windows\SysWOW64\Omcjep32.exe

Filesize
92KB

MD5
c0da204150316d788164f6da520bc8e8

SHA1
fa1cc2ed7c732939ad1138a88d05a13ec3c2d109

SHA256
282a824c788816d300356a8c58730f5c9e55221ff3c1f890594b5eba2bf31af6

SHA512
58bc1d2503170cdcd144e56765f03cebcda6c7793fc461cd39c2890cd5d6c80878c12a8296e922d873e6656aa215c91dfc37a4c20ced2bafed906d530c419ec7

Download Submit
C:\Windows\SysWOW64\Pfepdg32.exe

Filesize
92KB

MD5
99753e04ea4f532540aad1f8536f618a

SHA1
bcf961df9892f1d999c670ff477c2673353abd79

SHA256
3b89e1cbebd1bd9a4f096f67e8a4ebaf09d7c51f32cabc68da7516d9bef25f75

SHA512
aa5a0fabfccba7b8bb40d4bfef18b2d116fb878c985eca2d1e353dd41ca14c1bc81fd2b98a716ada6f79ea8d520b1d89f7730b6f565d0b2cad7496ff740064f5

Download Submit
memory/232-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/396-527-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/436-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/576-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/636-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/640-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/736-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/864-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/872-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1000-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1064-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1064-561-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1104-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1104-554-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-589-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1412-516-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1424-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1604-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1796-452-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1988-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2120-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2124-486-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2172-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2276-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2344-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2352-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2408-568-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2408-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2500-461-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2560-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-435-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2632-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2632-575-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2984-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3092-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3156-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3256-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3292-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3376-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3580-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3628-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3632-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3644-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3676-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3708-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4024-547-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4024-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4108-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4212-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4284-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4308-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4364-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4396-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4408-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4432-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-582-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4548-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4596-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4604-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4616-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-417-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4804-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4828-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4896-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4928-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4948-534-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4972-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5024-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5052-492-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5128-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5184-537-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5232-541-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5308-548-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5368-555-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5428-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5476-569-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5524-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5572-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads