3ab4cda46311ef12d0f431a1b445b58e1537163d7094f75cbc6c041c1575c06b

Analysis

max time kernel
132s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ab4cda46311ef12d0f431a1b445b58e1537163d7094f75cbc6c041c1575c06b_NeikiAnalytics.exe
Size

96KB
MD5

3ff8625cf1c3a5d5dfb318b39d9434e0
SHA1

14af0ca35ede6f989aaf36eaf68a931329724d81
SHA256

3ab4cda46311ef12d0f431a1b445b58e1537163d7094f75cbc6c041c1575c06b
SHA512

b232e2a69eeb8dc005062aa7a8ff2ee198f0c5a9d66e9a308498094143b6448dbd7c3711be1d2c6a81cce1ed3c83f167a8e647cd43b77313bd12076bedc87ab9
SSDEEP

1536:Mg+b3oYzwj3Timhf7c9+2GxynH56qHvyPUl6IMwDWpNbUPTOZ5M2+byduV9jojTw:Ma1jjtY9+UHAqHvYjM12+ud69jc0vf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3ab4cda46311ef12d0f431a1b445b58e1537163d7094f75cbc6c041c1575c06b_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmjdjgjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dohfbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkffog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifllil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkoggkjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlpkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhgjblfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doqpak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhemmlhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfngap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doqpak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffddka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcfqfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edihepnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlpkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhjfhl32.exe

Executes dropped EXE 64 IoCs

pid	Process
5016	Clkndpag.exe
2668	Cecbmf32.exe
4576	Chbnia32.exe
3724	Colffknh.exe
4912	Cajcbgml.exe
4896	Chdkoa32.exe
940	Ckcgkldl.exe
3136	Chghdqbf.exe
3628	Doqpak32.exe
3232	Dekhneap.exe
1748	Dhidjpqc.exe
916	Dkgqfl32.exe
5072	Ddpeoafg.exe
2428	Dkjmlk32.exe
4732	Deoaid32.exe
3316	Dhnnep32.exe
3092	Dohfbj32.exe
2068	Dddojq32.exe
1116	Dkoggkjo.exe
3532	Dedkdcie.exe
3420	Dlncan32.exe
1508	Edihepnm.exe
2540	Elppfmoo.exe
4232	Eoolbinc.exe
3512	Edkdkplj.exe
1384	Ecmeig32.exe
2680	Eleiam32.exe
1596	Ecoangbg.exe
116	Ehljfnpn.exe
3548	Ekjfcipa.exe
2584	Ecandfpd.exe
3424	Ehnglm32.exe
3560	Fcckif32.exe
2900	Febgea32.exe
3856	Fkopnh32.exe
3120	Fojlngce.exe
4616	Ffddka32.exe
1396	Flnlhk32.exe
1520	Fomhdg32.exe
3468	Fakdpb32.exe
2176	Fhemmlhc.exe
4272	Fkciihgg.exe
1684	Fhgjblfq.exe
464	Fkffog32.exe
3144	Ffkjlp32.exe
1588	Fhjfhl32.exe
3596	Gcojed32.exe
4784	Gfngap32.exe
2928	Ghlcnk32.exe
4372	Gcagkdba.exe
3964	Gfpcgpae.exe
3908	Gmjlcj32.exe
2244	Gohhpe32.exe
4120	Ghaliknf.exe
636	Gkoiefmj.exe
5036	Gcfqfc32.exe
3660	Gmoeoidl.exe
3156	Gkaejf32.exe
4804	Gblngpbd.exe
4424	Hiefcj32.exe
1440	Hckjacjg.exe
3140	Helfik32.exe
4144	Hmcojh32.exe
1768	Hobkfd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jfcbjk32.exe	Jbhfjljd.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Fjpqmmkb.dll	Deoaid32.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Choehhlk.dll	Hecmijim.exe
File created	C:\Windows\SysWOW64\Adopjh32.dll	Ifjodl32.exe
File created	C:\Windows\SysWOW64\Nffbangm.dll	Jbjcolha.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Ckcgkldl.exe	Chdkoa32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Chdkoa32.exe	Cajcbgml.exe
File opened for modification	C:\Windows\SysWOW64\Jbhfjljd.exe	Jmknaell.exe
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Lpqiemge.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Meiaib32.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ffkjlp32.exe	Fkffog32.exe
File created	C:\Windows\SysWOW64\Kdqejn32.exe	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Jmnoof32.dll	Gkaejf32.exe
File created	C:\Windows\SysWOW64\Clhkicgk.dll	Gfpcgpae.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Laapnj32.dll	Ickchq32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Mdmann32.dll	Gfngap32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Laffdj32.dll	Hmhhehlb.exe
File created	C:\Windows\SysWOW64\Imoneg32.exe	Iehfdi32.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Helfik32.exe	Hckjacjg.exe
File created	C:\Windows\SysWOW64\Dbfmkjoa.dll	Gblngpbd.exe
File created	C:\Windows\SysWOW64\Hfmbha32.dll	Jfoiokfb.exe
File created	C:\Windows\SysWOW64\Higchddh.dll	Dkoggkjo.exe
File created	C:\Windows\SysWOW64\Jmehcnhg.dll	Imoneg32.exe
File created	C:\Windows\SysWOW64\Fkciihgg.exe	Fhemmlhc.exe
File opened for modification	C:\Windows\SysWOW64\Gkaejf32.exe	Gmoeoidl.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Fcckif32.exe	Ehnglm32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Kfjhkjle.exe	Jcllonma.exe
File created	C:\Windows\SysWOW64\Ogqnnn32.dll	Ddpeoafg.exe
File created	C:\Windows\SysWOW64\Gblngpbd.exe	Gkaejf32.exe
File opened for modification	C:\Windows\SysWOW64\Ifllil32.exe	Iihkpg32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Fakdpb32.exe	Fomhdg32.exe
File created	C:\Windows\SysWOW64\Edkdkplj.exe	Eoolbinc.exe
File opened for modification	C:\Windows\SysWOW64\Kpbmco32.exe	Kmdqgd32.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Bcfmgfde.dll	Dhnnep32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8552	8412	WerFault.exe	356

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fhemmlhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkoggkjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linjpeof.dll"	Dlncan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkffog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dlncan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegnoi32.dll"	Hfcicmqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkopnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehnglm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpijopg.dll"	Clkndpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghlcnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnaabfm.dll"	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkoiefmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekjfcipa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deoaid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fhgjblfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmfkoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhidjpqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 5016	2796	3ab4cda46311ef12d0f431a1b445b58e1537163d7094f75cbc6c041c1575c06b_NeikiAnalytics.exe	83
PID 2796 wrote to memory of 5016	2796	3ab4cda46311ef12d0f431a1b445b58e1537163d7094f75cbc6c041c1575c06b_NeikiAnalytics.exe	83
PID 2796 wrote to memory of 5016	2796	3ab4cda46311ef12d0f431a1b445b58e1537163d7094f75cbc6c041c1575c06b_NeikiAnalytics.exe	83
PID 5016 wrote to memory of 2668	5016	Clkndpag.exe	84
PID 5016 wrote to memory of 2668	5016	Clkndpag.exe	84
PID 5016 wrote to memory of 2668	5016	Clkndpag.exe	84
PID 2668 wrote to memory of 4576	2668	Cecbmf32.exe	85
PID 2668 wrote to memory of 4576	2668	Cecbmf32.exe	85
PID 2668 wrote to memory of 4576	2668	Cecbmf32.exe	85
PID 4576 wrote to memory of 3724	4576	Chbnia32.exe	86
PID 4576 wrote to memory of 3724	4576	Chbnia32.exe	86
PID 4576 wrote to memory of 3724	4576	Chbnia32.exe	86
PID 3724 wrote to memory of 4912	3724	Colffknh.exe	87
PID 3724 wrote to memory of 4912	3724	Colffknh.exe	87
PID 3724 wrote to memory of 4912	3724	Colffknh.exe	87
PID 4912 wrote to memory of 4896	4912	Cajcbgml.exe	88
PID 4912 wrote to memory of 4896	4912	Cajcbgml.exe	88
PID 4912 wrote to memory of 4896	4912	Cajcbgml.exe	88
PID 4896 wrote to memory of 940	4896	Chdkoa32.exe	89
PID 4896 wrote to memory of 940	4896	Chdkoa32.exe	89
PID 4896 wrote to memory of 940	4896	Chdkoa32.exe	89
PID 940 wrote to memory of 3136	940	Ckcgkldl.exe	90
PID 940 wrote to memory of 3136	940	Ckcgkldl.exe	90
PID 940 wrote to memory of 3136	940	Ckcgkldl.exe	90
PID 3136 wrote to memory of 3628	3136	Chghdqbf.exe	91
PID 3136 wrote to memory of 3628	3136	Chghdqbf.exe	91
PID 3136 wrote to memory of 3628	3136	Chghdqbf.exe	91
PID 3628 wrote to memory of 3232	3628	Doqpak32.exe	92
PID 3628 wrote to memory of 3232	3628	Doqpak32.exe	92
PID 3628 wrote to memory of 3232	3628	Doqpak32.exe	92
PID 3232 wrote to memory of 1748	3232	Dekhneap.exe	93
PID 3232 wrote to memory of 1748	3232	Dekhneap.exe	93
PID 3232 wrote to memory of 1748	3232	Dekhneap.exe	93
PID 1748 wrote to memory of 916	1748	Dhidjpqc.exe	94
PID 1748 wrote to memory of 916	1748	Dhidjpqc.exe	94
PID 1748 wrote to memory of 916	1748	Dhidjpqc.exe	94
PID 916 wrote to memory of 5072	916	Dkgqfl32.exe	96
PID 916 wrote to memory of 5072	916	Dkgqfl32.exe	96
PID 916 wrote to memory of 5072	916	Dkgqfl32.exe	96
PID 5072 wrote to memory of 2428	5072	Ddpeoafg.exe	97
PID 5072 wrote to memory of 2428	5072	Ddpeoafg.exe	97
PID 5072 wrote to memory of 2428	5072	Ddpeoafg.exe	97
PID 2428 wrote to memory of 4732	2428	Dkjmlk32.exe	98
PID 2428 wrote to memory of 4732	2428	Dkjmlk32.exe	98
PID 2428 wrote to memory of 4732	2428	Dkjmlk32.exe	98
PID 4732 wrote to memory of 3316	4732	Deoaid32.exe	99
PID 4732 wrote to memory of 3316	4732	Deoaid32.exe	99
PID 4732 wrote to memory of 3316	4732	Deoaid32.exe	99
PID 3316 wrote to memory of 3092	3316	Dhnnep32.exe	100
PID 3316 wrote to memory of 3092	3316	Dhnnep32.exe	100
PID 3316 wrote to memory of 3092	3316	Dhnnep32.exe	100
PID 3092 wrote to memory of 2068	3092	Dohfbj32.exe	102
PID 3092 wrote to memory of 2068	3092	Dohfbj32.exe	102
PID 3092 wrote to memory of 2068	3092	Dohfbj32.exe	102
PID 2068 wrote to memory of 1116	2068	Dddojq32.exe	103
PID 2068 wrote to memory of 1116	2068	Dddojq32.exe	103
PID 2068 wrote to memory of 1116	2068	Dddojq32.exe	103
PID 1116 wrote to memory of 3532	1116	Dkoggkjo.exe	104
PID 1116 wrote to memory of 3532	1116	Dkoggkjo.exe	104
PID 1116 wrote to memory of 3532	1116	Dkoggkjo.exe	104
PID 3532 wrote to memory of 3420	3532	Dedkdcie.exe	105
PID 3532 wrote to memory of 3420	3532	Dedkdcie.exe	105
PID 3532 wrote to memory of 3420	3532	Dedkdcie.exe	105
PID 3420 wrote to memory of 1508	3420	Dlncan32.exe	106

C:\Users\Admin\AppData\Local\Temp\3ab4cda46311ef12d0f431a1b445b58e1537163d7094f75cbc6c041c1575c06b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ab4cda46311ef12d0f431a1b445b58e1537163d7094f75cbc6c041c1575c06b_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\Clkndpag.exe
  C:\Windows\system32\Clkndpag.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\Cecbmf32.exe
    C:\Windows\system32\Cecbmf32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\Chbnia32.exe
      C:\Windows\system32\Chbnia32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Windows\SysWOW64\Colffknh.exe
        
        C:\Windows\system32\Colffknh.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
      - C:\Windows\SysWOW64\Cajcbgml.exe
        
        C:\Windows\system32\Cajcbgml.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Chdkoa32.exe
        
        C:\Windows\system32\Chdkoa32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Ckcgkldl.exe
        
        C:\Windows\system32\Ckcgkldl.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Chghdqbf.exe
        
        C:\Windows\system32\Chghdqbf.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Doqpak32.exe
        
        C:\Windows\system32\Doqpak32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Dekhneap.exe
        
        C:\Windows\system32\Dekhneap.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Dhidjpqc.exe
        
        C:\Windows\system32\Dhidjpqc.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Dkgqfl32.exe
        
        C:\Windows\system32\Dkgqfl32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Ddpeoafg.exe
        
        C:\Windows\system32\Ddpeoafg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Dkjmlk32.exe
        
        C:\Windows\system32\Dkjmlk32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Deoaid32.exe
        
        C:\Windows\system32\Deoaid32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Dhnnep32.exe
        
        C:\Windows\system32\Dhnnep32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Dohfbj32.exe
        
        C:\Windows\system32\Dohfbj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Dddojq32.exe
        
        C:\Windows\system32\Dddojq32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Dlncan32.exe
        
        C:\Windows\system32\Dlncan32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Edihepnm.exe
        
        C:\Windows\system32\Edihepnm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        24⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        26⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        27⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        28⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        29⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Ehljfnpn.exe
        
        C:\Windows\system32\Ehljfnpn.exe
        30⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        32⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\Ehnglm32.exe
        
        C:\Windows\system32\Ehnglm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        34⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        35⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        37⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        39⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        41⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        43⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Ffkjlp32.exe
        
        C:\Windows\system32\Ffkjlp32.exe
        46⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        48⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        51⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        53⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        54⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        55⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Gkoiefmj.exe
        
        C:\Windows\system32\Gkoiefmj.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        63⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        64⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        66⤵
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        67⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        68⤵
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        69⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        70⤵
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:216
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        72⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        73⤵
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        74⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        75⤵
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        77⤵
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        78⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        79⤵
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        80⤵
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        81⤵
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        82⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2812
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4020
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        85⤵
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        86⤵
        
        PID:804
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        87⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4376
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        89⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        90⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        91⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        93⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        94⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        95⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        97⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        98⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        99⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        100⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        101⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        102⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        105⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        109⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        111⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        112⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        113⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        114⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        115⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        117⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        118⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        119⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        121⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        122⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        123⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        124⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        126⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        129⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        130⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        131⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        133⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        134⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        136⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        137⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        139⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        140⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        141⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        142⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        143⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        144⤵
        Drops file in System32 directory
        
        PID:6256
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        145⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        146⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        147⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        148⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6468
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        155⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        156⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        157⤵
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6852
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        159⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6940
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        161⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        162⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        163⤵
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        164⤵
        Drops file in System32 directory
        
        PID:7108
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        165⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        166⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        167⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        169⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        172⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        173⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        174⤵
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        175⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6892
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        177⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        178⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        179⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        180⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6224
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        182⤵
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6488
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        184⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        185⤵
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        187⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        188⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        189⤵
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        190⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        191⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        192⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        193⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        194⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        195⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        196⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6676
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        199⤵
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        201⤵
        Drops file in System32 directory
        
        PID:7212
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        202⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        203⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        204⤵
        Modifies registry class
        
        PID:7340
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        205⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        206⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        207⤵
        Modifies registry class
        
        PID:7468
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        208⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        209⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7556
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        210⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        211⤵
        Modifies registry class
        
        PID:7640
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        212⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7716
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        214⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        215⤵
        Modifies registry class
        
        PID:7812
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        216⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        217⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        218⤵
        Drops file in System32 directory
        
        PID:7936
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        219⤵
        Modifies registry class
        
        PID:7984
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8024
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        221⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8112
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        223⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        224⤵
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        225⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        226⤵
        Modifies registry class
        
        PID:7304
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        227⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7380
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        228⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7452
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        229⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        230⤵
        Modifies registry class
        
        PID:7608
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        231⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7684
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        232⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        233⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        234⤵
        Drops file in System32 directory
        
        PID:7892
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        235⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7980
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        236⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8032
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        237⤵
        Modifies registry class
        
        PID:8092
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        238⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        239⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        240⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7320
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        241⤵
        Modifies registry class
        
        PID:7440
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7552
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7660
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        244⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        245⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7864
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        246⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8016
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8096
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        248⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        249⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        250⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        251⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        252⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        253⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        254⤵
        Modifies registry class
        
        PID:7384
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        255⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        256⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7976
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        257⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        258⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7744
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        259⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7056
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        260⤵
        Modifies registry class
        
        PID:7840
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        261⤵
        Modifies registry class
        
        PID:7576
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        262⤵
        Drops file in System32 directory
        
        PID:8196
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        263⤵
        Modifies registry class
        
        PID:8240
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        264⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8284
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        265⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        266⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        267⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8412 -s 412
        268⤵
        Program crash
        
        PID:8552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 8412 -ip 8412
1⤵
PID:8480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
96KB

MD5
c76a5cac5425677291dee6773db3b575

SHA1
27c04cfd755215ddb6a831499762ba9a6b322a92

SHA256
c814f36a402194dd29e690fde03b24e94c2fe7550bb1faf89f47c547ade5a5f5

SHA512
a7160713b912cbc3b4db6cde4ecade34533a44f5be59ff5a883f28925a2b9abfab3631097c9b1030b0143c473713f50bbe67826334be98f698c5eb75ffe2a2a7

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
96KB

MD5
19b251cba715a5a0a9c6b5e9e171c88b

SHA1
bebb1d276c9bcaa76bbd0937a4df04f45e568b46

SHA256
16d0f008949ef4fe82bacfe432d83bb31e3a90c43b14ca5237eb9138f50b61a7

SHA512
091af8e110dd491388cff0cea4d67631ffbb5701de2be8a61bdea072da2f958a0c00aa235798cbf9208868a3f3cb1c5d262a2c846efaef4665622f13829ad2e8

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
96KB

MD5
6ed15f4705ef206ca542ab17106a4795

SHA1
e4522002f10e5f049739b9bf06608eb05512b6bd

SHA256
90bd2ba6833e298860143b78b2f0d763d1b9133c2236aa3609c5e9eefdf61781

SHA512
0f7ca9b2b5add1689c2465bc2dd9f8be22a63e8450b7f216e9bc0ddd9cbb149c972c87175e42d4a027543aacf7912397e496f5ca8c4c0cb07d0d40bf50422b6b

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
96KB

MD5
3c2104b0e2247679316e7ec5eeacace7

SHA1
6e804a60b4f5d4763a00b0538c95c1e2566b7b13

SHA256
2ae6864e43142aed61d5540f90d0a446914c8e6eb91e8c8edf3071039540ffa0

SHA512
921ae50e96f6a61609e669ac76b6d49fc6bae16d3f5a46534e664a4da43a39380b2d973b5f60c2b2807615edba0add5184965f2e2ddaa3de0d27d92a39fe6f87

Download Submit
C:\Windows\SysWOW64\Becbkfdh.dll

Filesize
7KB

MD5
bbcd434e047fd159dffd2797cce1efc7

SHA1
9b295bba81080f3a44f848b2f4a2c21ed12996a2

SHA256
38229cbe60c6505d5de7f2e7ec31cfaaaf2d3bc41f43303096e63eaf3c4bcdf0

SHA512
cb6d9953d8e19e7874d2edd6acd565c5c5f10aac143f00832620c450456bb94290616e83c338ab3ec6cd65706e109647fef3736107ab161eb85546068f6f645f

Download Submit
C:\Windows\SysWOW64\Cajcbgml.exe

Filesize
96KB

MD5
b80f66db4a97465f2d694259ca889dd1

SHA1
3a394937589125ed0ba93f23112833cd4f1e2e59

SHA256
42b7db8cb81b2d6da7202ab927a8cd54406b04b08e7a5a1da5b5aba6140509b3

SHA512
976bbb146a98d002975ee7080ed49c0e01375b3999455eb5c38553df8e9bf3f73c76e98ead9804be2a96bdb0ed659087f2f51491449223fc05ba8a57ff4715cf

Download Submit
C:\Windows\SysWOW64\Cecbmf32.exe

Filesize
96KB

MD5
b7a207f9868f9d2444282027ed959d0d

SHA1
5178adf337d641c2f58849fff8bbf145241ea7a4

SHA256
0b3518c710dc4851834fd488a06f62b4f7f11619530a2f7c71f038f5f59f7608

SHA512
87a87b472d80da354eb4f45e00c1715cdb3791d797d7bfc20fe7c0dcb88af4a47c75cbbdc1ea6519e51bf0fd00c53fd3a0628eeae3e1ad64d075717f9ddf74ca

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
96KB

MD5
def0ddebbed86b2411afb7442e13efae

SHA1
2c99f8312ffb0fffa6eed878bde1a99b7ad5df91

SHA256
3f9ed00872c7c4baed8c11d514718e3276cf9e9b6d0f9bc743fdc3c3490b5e62

SHA512
c91d4fdd8b8852afcfd3bb62ebd19acaf6079eca8e5fad1498fbe2b052a738b4931266133cff86ffce6a371b77894f899732275454846e204ee654434733cb70

Download Submit
C:\Windows\SysWOW64\Chbnia32.exe

Filesize
96KB

MD5
bd640d4bbe2924f112a91a9f6cadf1ef

SHA1
82db9a76e886d30288eb002bba02e9f2525a8e2c

SHA256
d626acd99c1d5297ad16d72390a44c29b0deef2cf036ee8b41504f3c9fbf04b6

SHA512
561bc0d44bdd8789709886ef0135cb5911a7cb96db43bb368eb46b88ebe014321c3e5bb4ed08774c8c8c0ce65b1da681c4b4c86064e56c89de98f061d44c47c3

Download Submit
C:\Windows\SysWOW64\Chdkoa32.exe

Filesize
96KB

MD5
924527d44bacbda95853bc172c3f7229

SHA1
854439b4eaecec1a3ce55422f9c37d81c4df9019

SHA256
4030e3dca72d58e2f15eeb89615ffb47615da728fad4ae41aaea769f91943128

SHA512
509aa222cdaeb815a67469a9c5a72d9d06fd9b2066fb517741fa55a75621b789ad4a559d77f4114d9fc0b45752fec988935e0d9b10a15fc9d61ff91f6609f2a0

Download Submit
C:\Windows\SysWOW64\Chghdqbf.exe

Filesize
96KB

MD5
f3fa02962feaf7471ce4f80f8a4ce519

SHA1
e44da22c0f4bfa4134ee348fb255ca344a7c014d

SHA256
a1c1f6073aa2ffa2414f6ee04fba5c89cd987944333a54a58da630919096c1d6

SHA512
e8de9e118cc52dedf887478e4d64d235dd2e7f4ee50733dc470fabbca779d6b94507f7b0eafa25ede281fd8446029345c34aba05a8f710eea9d244989d46692a

Download Submit
C:\Windows\SysWOW64\Ckcgkldl.exe

Filesize
96KB

MD5
c3d732d9fe0d1aadba766ab2a880c67f

SHA1
a3eacf1d8f9dc2600b8475dcc77d436e27269cd3

SHA256
0991c57cf705b5f6bd92b8604de3420b0dcc8fffcf2198abf0413650e3c6219e

SHA512
589c65cc0283e47e993b69e81247241fc1b90dbc6cd5a099aac682f98599814ef0af489afe6eba0b58eae84388c9f6bd4a984efab73c1304f383ef0d012a4853

Download Submit
C:\Windows\SysWOW64\Clkndpag.exe

Filesize
96KB

MD5
a94b5ca94c2297bd48200d8073bfa634

SHA1
ba365b1c202bc04d1b85ae6504f50f99b5be56d9

SHA256
044d9c7c12a8a97a6a229ea4004a5506f9c77bfe548f873079b82bf89b973ee1

SHA512
3e4032429d4509238a7b98cca0822d6c52b17a31e2f14e7ddf559922ee516fe9321f61463026a85748f376c28d4ceb6e0c6a65a54b9da05d99a3bb05f23ee9d3

Download Submit
C:\Windows\SysWOW64\Colffknh.exe

Filesize
96KB

MD5
5c84fba0b4de64f4d315a5ac4a190b81

SHA1
8d6f43dfa9e8db83cfa93b7ad27a0a7e2e15c345

SHA256
5b5c44f058aaa03ebacf4b72abe14751f92033f519bbc640860b562f9fb1c911

SHA512
f6720e6cd4e2a63d1394d73528df142b6c8aa732660f2470c15776424f0273b5b3f930162477ca058ca197ba45b8d93727bbbc51d10526c5fd19bf14554258c6

Download Submit
C:\Windows\SysWOW64\Dddojq32.exe

Filesize
96KB

MD5
9719213450d81370e4b563127d9e0518

SHA1
ce66fd1cf8fd65981f3425259be4436e97f3cbd7

SHA256
591e65b142b8ce5a7713cac75ec249f09754f9a3e19092ec0ffc9a313d95fa58

SHA512
976f4d29fac2ea82d16d0eda3eb726d778fc609727d786dd94ed5de66861787653a488436ff11d141e3475b34d00d123f139727e41b172667bfc18de99177880

Download Submit
C:\Windows\SysWOW64\Ddpeoafg.exe

Filesize
96KB

MD5
769be8ce7381b3c263ac870f58395092

SHA1
f3871fe9b83a2ff4c525e24c93a43e602eaaa032

SHA256
12fd5f6448165273fd0babd8f106a2c9e650db8fc4509969cfbf482a65f6d3e6

SHA512
927ecaafa612a885401282fcde0e4377ab3922b7a18367e7e6c06cd51d4d6ddea4a58b4eea791675fb7861d25881141985a8227b072cb8d672a9f2a7b2879f90

Download Submit
C:\Windows\SysWOW64\Dedkdcie.exe

Filesize
96KB

MD5
aade527f6b9eb96e7b1a0919554ebeee

SHA1
5b6faadf1fd8bc10a8d0b76650db3b13e8c3f171

SHA256
7e4aa72b0e822c96f0374547cba9b681e9c102893f0269cb64a5a60fe923386b

SHA512
6018f90b6adbf7ca479e84b89ba768c3f513c863ceba938b164a3971313da46db7d529d5085715dc748d0560d4b0308ddee677fb1e078fd073484f4966a38e79

Download Submit
C:\Windows\SysWOW64\Dekhneap.exe

Filesize
96KB

MD5
ab0b4a861305bc6ec04fe89b79d49fd1

SHA1
645e6892012442df478010a99b43ef20af6f2910

SHA256
d6a4032db9b25a273548d6d5f2fc21001d10cc12df3625f2003a8a0140434320

SHA512
661abced5e146ffd77de7466b6bdd94f4867ccb4dcba9fe85020d4b4ef64ec049c43d44347c39b86d615303e14e798a58c5cb13619000a1a259550375e3a8ff2

Download Submit
C:\Windows\SysWOW64\Deoaid32.exe

Filesize
96KB

MD5
62b65706133896c827ef2c8b86bfc6b2

SHA1
24e50e3cd63f37a9c83755477719b8d265141e80

SHA256
08fb6b0acacf007a8656436d5d4fb16a5a317f6ad62c1cd0b33052485b292874

SHA512
15408c90bb8a9731043dc881724976a946851d2baf129ab938dd3f34774aea311e6beb81bf4abda2086938e535ebdbf76284329fc0657d37fdc129a34892c128

Download Submit
C:\Windows\SysWOW64\Dhidjpqc.exe

Filesize
96KB

MD5
68ec43a3dd7e14b69f22a5e1b13d441e

SHA1
e7ca334f67b5d2e8a7da40a3c7a411ac98daf144

SHA256
db4dc48d23c48b42bccaf592e06a613df393ece59fe76eb553f5d81d764e78ff

SHA512
d94963fcb892837373e53e6ea08b56f45cfe21613d04a800698f59a476439a363093e096f94647677ca6b526f6d0b4372cc249b15950b13d53ce266f6e21d476

Download Submit
C:\Windows\SysWOW64\Dhnnep32.exe

Filesize
96KB

MD5
23dc89a9bdc5d2049688401844fc2279

SHA1
eb2b4de78319424b5ac4df510fc8e8e04c01adb6

SHA256
198736bf3786168af20bd2d6fe86b1a8df591901e5c2e52a9f34f73d4a346cde

SHA512
2a14d3b6152a11fb26244a2fd069d6ed6aee6c3c64d2fea51d5a954f06fb6b21eb3c8e9508e4b06716327befcf6a17e5c3ff42da8f1328cd2a46c3c238f54fa4

Download Submit
C:\Windows\SysWOW64\Dkgqfl32.exe

Filesize
96KB

MD5
fbd5b2e3b045cc1fbae6588fe307681b

SHA1
0c714a4d487ba5ce9f7f621554020755b226de79

SHA256
ec0a7b1a8e8a7527c272c9f80bcb4cb8a9529410f246587f442be8267508ea9e

SHA512
404d2c0a8590259598d49ff0e8ac8a466b558520e94f6b50725a5efc9f377998f9d42b3c00eaa89e94b466929fdcf65d7218f05e4e1acecbee3c5b44640edb07

Download Submit
C:\Windows\SysWOW64\Dkjmlk32.exe

Filesize
96KB

MD5
415d2bb8cc41bfc9e9e508f29da43cf6

SHA1
b6dc1fee7ceed5fd1f7e5361d8179937c37265d5

SHA256
5fed3d12ab4d29f5673906447ae960c4753e561efe1ece62cf779ad3edc1e265

SHA512
28f415a3012efc7c455b1e63d5d4e921b52633f8d47f73e41cd80311187ddf6a21a5f11a1429c6a82611eb73afe3383df586a6a33336626ee648ef27f81c648f

Download Submit
C:\Windows\SysWOW64\Dkoggkjo.exe

Filesize
96KB

MD5
2b5d73adc82d57da326a6d344b587a13

SHA1
cc7f7bbf69338b1a53c8513169e48475e0b9f6d1

SHA256
bde7f0236486db307e910460aa0d2fe8c34fa5d16e639e4bc312020585bfd40e

SHA512
84e8768d9d337650c42df771d0c9ce4e45e9df973d0d3d750301920d870091d401d673475d13c18b50a7e47498ad0f867368e392c6c494164e0971fc8f753cdd

Download Submit
C:\Windows\SysWOW64\Dlncan32.exe

Filesize
96KB

MD5
01663bd251de716cbde6c08c2ba7434d

SHA1
26573dc4483048daa387efb895ce247224140f38

SHA256
ce7186dda7aeeaec87cc183c171dca53acf1e2f81de3f062abfd5046915a54da

SHA512
962610445fa02dd002d7b774a6a50ec6856a5973552a273fb5d09090fccb822d3fd6bcc084a637fb41b7b52b5df1c1ef5ef7ade6f86c3292973da033b432a0d1

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
53614f8c3b8ce53a089015099d71ba87

SHA1
ceb49d8dace141378fc761f27105a3e37d9760e7

SHA256
9149284c7e6f7db1627e7833edde71ade281995658aea3c30740a7e70f790786

SHA512
7d88707afd26ece00e5e3612072a5ba3db28893d09cf753af026902710903b1ca370bbcd88c5f1f4ead437fc4ee4bad3abaaeedbecda0249f54e543eb1470676

Download Submit
C:\Windows\SysWOW64\Dohfbj32.exe

Filesize
96KB

MD5
2811c7a476e117a2c3a5269542799332

SHA1
f2a85ab905118c94f42a751fcd7eb52e025c1690

SHA256
76159b0536709d54cdab060bb284463c7174bab54da0e5488ea123e2fa4265a6

SHA512
05e418430cbd90ac5d8636e28472e957c3de399e3944cf536400c315b8b0c74b6ccfcdcb2585f3c45d855fb124b258186df186bb4805fcddfc83548b7ece7df7

Download Submit
C:\Windows\SysWOW64\Doqpak32.exe

Filesize
96KB

MD5
9eb380613901eb14f267d9a0372e6357

SHA1
1067eed448edc4f46d2a6179702ad1db05d77c94

SHA256
ec060eded738fa4dea3cffb294f247150588a5b83b31b39114272dfceaedb5e7

SHA512
2ed097d9a17d804fd3c37baf8ef44ec999ec2e139fb36a3659535cb8366587c873ad84e4836173c5a3cfbb4b308b0af536bc77e26553a4be32863db718e15246

Download Submit
C:\Windows\SysWOW64\Ecandfpd.exe

Filesize
96KB

MD5
70c0460798c2526bbdb80b5c10dfb93b

SHA1
1f9dd12b6026fbce545b975b41e3109ce3043448

SHA256
64cabea4d1ef188e76c0aaecc978dd1cc335412e2f99a8625f4aad6734b207ec

SHA512
252553bc284643e07120a9f55a756d4f12e3d59df1cd017a6fc0bfb05346806c504a050eb50b15bc60438f8fe24fddcba4d0b7fdfd289719123a84fa68d20ad8

Download Submit
C:\Windows\SysWOW64\Ecmeig32.exe

Filesize
96KB

MD5
16a060dd94db36df24e9315bc6697ace

SHA1
31bb6b0fb29a1ea194d1b332080f373f61b4b83f

SHA256
0cc0e0af444c1ff5e08512036eb4f1454cc0b0d0f773e6eb9b624340ddafa50b

SHA512
e1a305721b76ce7d2299b50a9d0866eb9a40a42ef0e91dee805d16322298a8261ffeda15a60da51ba3c552e6116de9a3629fe52904ffa0d7c61abee09556b722

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
96KB

MD5
42c65cbe8798943a71532ca44ae5ef2f

SHA1
e20de6c5b000035c2b61e1f460421a89917b4600

SHA256
edab9a2dc2b0a56e4ac32441c8af11cd9d4453cbf1e40628380d93c5af7db71f

SHA512
09cd7ee1210bcd70d670e74949d3052e7b6748fe4a373843d366a91816afe20d2489649e5a1bc9b299343c092fd9be0871b6b1a40dc89664218e52470aaa85c0

Download Submit
C:\Windows\SysWOW64\Edihepnm.exe

Filesize
96KB

MD5
d681e520ceb28705ecd14217ddca6270

SHA1
228f980d10af0dc6357763e8579fc468ca511eb9

SHA256
6dc8a24b95320bfdaef04ecaf81931b1eb33cb82d0b8be386e98b7b0c5b51da4

SHA512
297beebd1845c800dd6de453c29870654110bde57326281bee69e35807f8a03e1d712dcebd1f15ab8f19a718302d0cde8437042e27c55baad30e126114e7828f

Download Submit
C:\Windows\SysWOW64\Edkdkplj.exe

Filesize
96KB

MD5
2f1cc643baa8000e556b7924c9f37537

SHA1
ab4e0f23762e26648a1936cf34b47ed693242f14

SHA256
2a44f32f5157a7c5a399263135de3e752764ca973ab9f62eb9f95af36023562b

SHA512
36dda59d7a2e777733ccf3774397239b5d0849d2563c4d3e6432faaf5474fd9ba43f50468cbd4504b70db9154e5e3c603cf06c7c61de2bb54af12476fd6da2f9

Download Submit
C:\Windows\SysWOW64\Ehljfnpn.exe

Filesize
96KB

MD5
bfe4c86c2658855ee1cca8d4781e4595

SHA1
2afcf6c2c9162e8a8036fd59002eec4efa3b622c

SHA256
d358b66b4ade371608ffa08d5e0a134b3ffa40ddb950103a9ce5d34b51fe4797

SHA512
e1320a4c2711a4e3005299268d8ef4a48c49ef1e39e7a6e4f07985142b1871afae5252d1270045e701e438e1af86eb1d950e602fce703362890e38bf7ba6e3b3

Download Submit
C:\Windows\SysWOW64\Ehnglm32.exe

Filesize
96KB

MD5
9071821894b8c6ddd376b5f4d72a95fa

SHA1
a22c9184d980076b01af3b759dd0953cf68a9e8b

SHA256
0f8bd566795ae32902937403d3094f4c1279a11e45cdac4dc0164ddee0dbe63c

SHA512
bc5b34836c481ffd3cea1ef71ccb92e4dabc750bcdaa24decb076aa47558366e3edd8ae765fd28c4a207d9d3ab316a7e67b7a4beda8037b4bb6f487866c45438

Download Submit
C:\Windows\SysWOW64\Ekjfcipa.exe

Filesize
96KB

MD5
0e0518fad61d9df121ecab3d38227244

SHA1
508715b95314729d59fccee54b5ecc6dd35e2148

SHA256
169d690d06a944127769e320f0c0b3951de32f7cbfabd4b71f6c67ffe7601b22

SHA512
03fae108e00d7bcd0b1e388a61e772db9315404d166802c6247333850aa171c63fb2a80f52adf88f892063ee365a8dc1be73d406df96820ff9d17b530f9d8ed1

Download Submit
C:\Windows\SysWOW64\Eleiam32.exe

Filesize
96KB

MD5
2824c65998ec23888b718f943fe1feed

SHA1
37cc2f879df29729dbc3388c93ae953758655e2d

SHA256
8ddf17dbafae44e399b73a7b499ae85d021ab8b1def3596892f2098c07cd78d5

SHA512
fc5f5a8f0195ddf6c179b44a0c06fc15989b0b6c7c6faa0693760f7020f6bf7aba38a736c304c249df0fe8b6a220bb4ab28c374a30d4354a02714b5baa467d90

Download Submit
C:\Windows\SysWOW64\Elppfmoo.exe

Filesize
96KB

MD5
488b51fd506ad9cc67b14bec6c15e507

SHA1
b81050edf0d4facaa8b0aa213db432b4f7b69d6a

SHA256
f96c0f58fa028f472d70f84c8d63aff6f7460a50903240181589b5615db91366

SHA512
28b85a0ae64ce19282b00fbb2030772c450b759f18e7e3f9445f16deca975870fee8a7d853c5c9e3e2aa4b05671359691baf1d19b287046ee1e2f8089a509a4c

Download Submit
C:\Windows\SysWOW64\Eoolbinc.exe

Filesize
96KB

MD5
0ed6a0c50ed6446c3a611e1ee7f3e396

SHA1
d9361226dd6184e4cb740f806c6685c84ba220ae

SHA256
4042cb5fd501602bd0adcd43e5bf40aaff39310343c08c13dd4eda8e34273a03

SHA512
e2e8013a7ab162959cbd88808c52696ffe623d93947e06a3a6a0fe69a9a97c721af5d7d0bbaba031725177f18bc98f0e8833e9ef03a568a1fa9c2e913a2515b8

Download Submit
C:\Windows\SysWOW64\Ghaliknf.exe

Filesize
96KB

MD5
54dfcac0355700d0fdee4d3190810a5e

SHA1
84a50bedac59de0bf601120666685c36f2b07020

SHA256
1e29161ae009d57559ec8899b60237aebd024adddc068e7f0d6dd49e52ad3f95

SHA512
b1b02c5eed434bb66d270344767bd0e959b772c7dcaea5523536f88a0804d1110002de9510f1e480f941e85efae0f33350623d11f65c2ba3b57168314d763db6

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
96KB

MD5
aee82e65d05b39ac44e852aee0577e76

SHA1
397b5ffe223485cf08d657c6eca3b7346ef540bc

SHA256
2c55be48e18fc67ec2f78c1d1792eedd7668ad4391460f97dbd93802baa8d08e

SHA512
b8ea90b122d73f53ecd975a5ca45475f45485b6dd64e7130599959c398b94dd92fa62980a41e83fbad56dd110b7828a7964d5cb3c2492d2075a92df1958b95b5

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
96KB

MD5
deac9715a32e55055be5c32e0a1099c1

SHA1
6a5610e93dcaec310a780bf6a5dc3221aacf1ca3

SHA256
6588deb695cf5bcb8a0911302117299424150b398df447ed292e97bc485c9975

SHA512
2e8837921816b55e2c52e22a892254ffc850a84c3f32b1a225b5c84a744057f464b0f0703a85febe86845b13983ca2186ee8f08a5660a5b5f7189098cb1e412b

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
96KB

MD5
282e2a98f813c255db70e67edac3c63e

SHA1
af0c73d3bfea833c533b11c78ed90b26b4ffb2f3

SHA256
37c29ebacc3fa59bee4483618ca134638da6894c6b0e038951391e82c7fba473

SHA512
755dd439de492b9ab0bba7147bdf8f54e383c220d6bbed0ad313af10e0b712ca9093b7f278264df4163706860a1bf9d151b61ac9e2f8573900789ed79017f40e

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
96KB

MD5
231436434156cdb6b4d4e1f235e95575

SHA1
aee90e6a7a7517214d19e1b15c5bc853c07e4280

SHA256
63cb8e72d2e813ea0179fddae51cd0a7c75235fec9fcab3dafe31f6702821e37

SHA512
23c517a41e2331ba7bbb3eb57bb7aaa385352a721ef2fb2ef283c97ec4e7decf731b497ef6c6d70aef18e2744747d6e3542fc8653b4e7dfe2cd03eb3d77b6765

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
96KB

MD5
7b52dcac5b5587a27dbb4f0e550571ff

SHA1
561292504f35d3c15e580f89fdc76fde94d79c52

SHA256
4577f2dd80e87cb13227fa1a48124a0025d96feee2722dd46bd665e215f62500

SHA512
109e43e0f822123ec201ffd8b5b36fef1dc474c2bf8c8c1b0d426e6ae757247a2b34d4bef5514ba029e932cf967e12bbd9a97e6d31d09281db232bb99efb85d7

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
96KB

MD5
8e41162faa4a07055eccba5a7fc2b0ab

SHA1
f3c69bd25f0ad448ade0d0b3bda5926bc1d637e0

SHA256
49b1de9eae39db6c0349f018e1c932c468d016a4a8b860484b81afb6d1d7d247

SHA512
8d26f0b1a12e3321cb8d01f990032e70d512bcba0467fe86a831a414766e1759ee7852b97427968eed5a66fa028f1f1edc22dda8ccc31db599e03b0fe5416884

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
ae25efee6d22822565cceea6d623bad1

SHA1
facaca0a3d3c7546af6d2ef1705e853e57ef54c2

SHA256
fffb94ffcb116e3d0f1543071828efa76c0bad56c02c2bb62b7ea4c8acb0a990

SHA512
dc125e24cc76224d39dd5d91ea6987d9912149ab90d6439f2c98acc16b23e197c61fb9c72512c5b5ab6834ea3be09638699386de4d94c6034e37e37486214e4c

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
96KB

MD5
87f9b87329fa1c695f3ef826f4496798

SHA1
be498b209bdb87bca290d86d9b8b4367327e3e7e

SHA256
a342570e0559edc325c3cb8765d39d723fc3489f62c06ff40856238d0caf8000

SHA512
ce2d14a43b96ef4a7eee3ddea2bf814741807cad9accf01a1fee01f3e05b2e3e3f75de8b9c903cd0642ceb46b21ecdd17300d66595f7cf9031c92d2c917c025c

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
96KB

MD5
bd42152259ca38952a84013498af1a37

SHA1
00415dcf10e74b47d16a74f68cee05c66d8bf549

SHA256
2564e64fc1491807dd01a6023e9dd3d926dbe141dfb323c99afc49651ef11e31

SHA512
16188f8b98e600e1622b6cabab4349b4e08bb0f552edba22f7d20a05dd0f35b0efde7d650e14a1f0aeb577b128084d219e356fb10841ec83f306b9d89e0ed932

Download Submit
memory/116-237-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/216-488-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/464-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/636-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/804-580-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/916-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/940-594-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/940-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1116-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1308-500-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1384-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1396-296-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1424-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1440-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1468-471-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1508-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1588-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1596-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1684-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1748-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1928-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1976-577-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2068-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2176-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2244-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2428-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-545-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2540-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2584-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2588-536-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-562-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2680-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2764-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2796-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2796-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2812-563-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2900-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2928-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3060-587-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3080-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3092-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3120-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3136-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3140-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3144-338-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3156-416-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3232-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3284-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3316-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3412-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3420-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3424-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3468-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3476-506-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3512-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3532-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3548-244-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3560-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3596-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3628-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3660-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3724-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3724-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3856-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3908-380-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3964-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4020-566-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4120-392-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4144-446-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4212-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4232-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4272-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-368-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4376-598-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4732-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4780-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4784-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-43-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4916-542-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4944-518-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4964-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5016-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5016-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5036-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5072-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads