daf8f134624788656382481dec6ac05e6106f9157dbeac3628ba4ac10d62a2f4

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc3b9772ce503e712e2914dc7e8ab3e0_NEIKI.exe
Size

96KB
MD5

fc3b9772ce503e712e2914dc7e8ab3e0
SHA1

a06c67e23c465aa91c36f8460d3aa427a036b439
SHA256

daf8f134624788656382481dec6ac05e6106f9157dbeac3628ba4ac10d62a2f4
SHA512

9327eef647952f849c0c3ceb4b48e65976fd21c3926e39073b9aad67179958687785dc52b1c3b265410dc2ee3df1c0524e1dcd6859b0e842ecdc2fba4c953525
SSDEEP

1536:BM8D5CZR5S2huSXYRXyg8gEjQldHnG251ZDycT4MEVcdZ2JVQBKoC/CKniTCvVAT:v5mDSwjYcvgVlJnZ7V4dVqZ2fQkbn1v2

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihpcinld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mablfnne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fc3b9772ce503e712e2914dc7e8ab3e0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kabcopmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagdnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiobo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnfmbmbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hehdfdek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddklbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Panhbfep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcjqgnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lchfib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojcpdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjjpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbepme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcjqgnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgklkoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhdcmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oophlo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnenlka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akkffkhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefiopki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkdpbpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haodle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ooibkpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qikbaaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe

Executes dropped EXE 64 IoCs

pid	Process
3224	Phajna32.exe
412	Pdjgha32.exe
3132	Panhbfep.exe
4480	Qjfmkk32.exe
1620	Qodeajbg.exe
3052	Akkffkhk.exe
2636	Aknbkjfh.exe
3812	Agdcpkll.exe
5028	Ahdpjn32.exe
4492	Apodoq32.exe
1556	Bdmmeo32.exe
3124	Bacjdbch.exe
3204	Bogkmgba.exe
1776	Bgbpaipl.exe
1048	Bahdob32.exe
400	Bnoddcef.exe
2100	Conanfli.exe
4812	Cncnob32.exe
440	Cglbhhga.exe
3568	Cgnomg32.exe
1036	Cpfcfmlp.exe
2148	Cnjdpaki.exe
3104	Dnmaea32.exe
3068	Fnfmbmbi.exe
1156	Gkdpbpih.exe
3880	Gndick32.exe
3480	Gbbajjlp.exe
548	Hlkfbocp.exe
780	Hlmchoan.exe
4076	Hhdcmp32.exe
2940	Hehdfdek.exe
2076	Haodle32.exe
4136	Hnbeeiji.exe
2196	Ilfennic.exe
3456	Ieojgc32.exe
1764	Ibcjqgnm.exe
3776	Ihpcinld.exe
4148	Iahgad32.exe
1732	Iefphb32.exe
4440	Ibjqaf32.exe
2508	Joqafgni.exe
736	Jhifomdj.exe
3856	Jbojlfdp.exe
3140	Joekag32.exe
4516	Jlikkkhn.exe
1096	Jeapcq32.exe
5036	Jbepme32.exe
3336	Klndfj32.exe
2744	Kefiopki.exe
4320	Kamjda32.exe
3308	Klbnajqc.exe
2096	Kekbjo32.exe
1808	Kabcopmg.exe
4572	Kadpdp32.exe
4548	Lohqnd32.exe
4128	Lojmcdgl.exe
3264	Ljpaqmgb.exe
2652	Lchfib32.exe
4156	Lplfcf32.exe
4964	Ljdkll32.exe
2040	Mapppn32.exe
3404	Mpapnfhg.exe
4900	Mablfnne.exe
824	Mjidgkog.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ckbncapd.exe	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Mapppn32.exe	Ljdkll32.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Dbdjofbi.dll	fc3b9772ce503e712e2914dc7e8ab3e0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Ahdpjn32.exe	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Fgijpe32.dll	Bogkmgba.exe
File opened for modification	C:\Windows\SysWOW64\Njedbjej.exe	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Gkbilm32.dll	Ckbncapd.exe
File opened for modification	C:\Windows\SysWOW64\Cnjdpaki.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Kqkplq32.dll	Pqbala32.exe
File opened for modification	C:\Windows\SysWOW64\Ppnenlka.exe	Pjaleemj.exe
File created	C:\Windows\SysWOW64\Ikpndppf.dll	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Hnbeeiji.exe	Haodle32.exe
File created	C:\Windows\SysWOW64\Nckkfp32.exe	Nfgklkoc.exe
File created	C:\Windows\SysWOW64\Pbfbkfaa.dll	Edihdb32.exe
File created	C:\Windows\SysWOW64\Kadpdp32.exe	Kabcopmg.exe
File created	C:\Windows\SysWOW64\Ghpkld32.dll	Afockelf.exe
File created	C:\Windows\SysWOW64\Domdocba.dll	Bgbpaipl.exe
File opened for modification	C:\Windows\SysWOW64\Iefphb32.exe	Iahgad32.exe
File opened for modification	C:\Windows\SysWOW64\Klbnajqc.exe	Kamjda32.exe
File created	C:\Windows\SysWOW64\Ppnenlka.exe	Pjaleemj.exe
File created	C:\Windows\SysWOW64\Ddklbd32.exe	Djegekil.exe
File opened for modification	C:\Windows\SysWOW64\Ihpcinld.exe	Ibcjqgnm.exe
File created	C:\Windows\SysWOW64\Dbkqqe32.dll	Jhifomdj.exe
File opened for modification	C:\Windows\SysWOW64\Mablfnne.exe	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Pjjfdfbb.exe	Pqbala32.exe
File created	C:\Windows\SysWOW64\Bdlfjh32.exe	Apnndj32.exe
File created	C:\Windows\SysWOW64\Jkmjlphl.dll	Aknbkjfh.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Cpogkhnl.exe
File created	C:\Windows\SysWOW64\Cmedjl32.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Lchfib32.exe	Ljpaqmgb.exe
File opened for modification	C:\Windows\SysWOW64\Dcphdqmj.exe	Ddklbd32.exe
File opened for modification	C:\Windows\SysWOW64\Kabcopmg.exe	Kekbjo32.exe
File created	C:\Windows\SysWOW64\Adgmoigj.exe	Aibibp32.exe
File opened for modification	C:\Windows\SysWOW64\Hlmchoan.exe	Hlkfbocp.exe
File created	C:\Windows\SysWOW64\Ibjqaf32.exe	Iefphb32.exe
File created	C:\Windows\SysWOW64\Klndfknp.dll	Nodiqp32.exe
File created	C:\Windows\SysWOW64\Bdmmeo32.exe	Apodoq32.exe
File created	C:\Windows\SysWOW64\Bgnpek32.dll	Lohqnd32.exe
File opened for modification	C:\Windows\SysWOW64\Afockelf.exe	Qikbaaml.exe
File opened for modification	C:\Windows\SysWOW64\Cncnob32.exe	Conanfli.exe
File created	C:\Windows\SysWOW64\Nphnbpql.dll	Kekbjo32.exe
File opened for modification	C:\Windows\SysWOW64\Oophlo32.exe	Ojcpdg32.exe
File created	C:\Windows\SysWOW64\Lkpemq32.dll	Joekag32.exe
File created	C:\Windows\SysWOW64\Klndfj32.exe	Jbepme32.exe
File opened for modification	C:\Windows\SysWOW64\Kamjda32.exe	Kefiopki.exe
File created	C:\Windows\SysWOW64\Kekbjo32.exe	Klbnajqc.exe
File opened for modification	C:\Windows\SysWOW64\Ibcjqgnm.exe	Ieojgc32.exe
File created	C:\Windows\SysWOW64\Hfibla32.dll	Joqafgni.exe
File opened for modification	C:\Windows\SysWOW64\Edihdb32.exe	Epffbd32.exe
File created	C:\Windows\SysWOW64\Fqbeoc32.exe	Fnalmh32.exe
File opened for modification	C:\Windows\SysWOW64\Biiobo32.exe	Bdlfjh32.exe
File created	C:\Windows\SysWOW64\Qikbaaml.exe	Qpbnhl32.exe
File created	C:\Windows\SysWOW64\Ijgiemgc.dll	Biiobo32.exe
File created	C:\Windows\SysWOW64\Obhmcdfq.dll	Djegekil.exe
File opened for modification	C:\Windows\SysWOW64\Lohqnd32.exe	Kadpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Ljdkll32.exe	Lplfcf32.exe
File created	C:\Windows\SysWOW64\Ofjljj32.dll	Epffbd32.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Hhdcmp32.exe	Hlmchoan.exe
File opened for modification	C:\Windows\SysWOW64\Dgdncplk.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Bnoddcef.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Ieojgc32.exe	Ilfennic.exe
File created	C:\Windows\SysWOW64\Jhifomdj.exe	Joqafgni.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6232	4512	WerFault.exe	224

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnllm32.dll"	Njedbjej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piapkbeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mapppn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfbpdlg.dll"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcakafa.dll"	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokmd32.dll"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lojmcdgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlkfbocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenokbf.dll"	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjfeo32.dll"	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Joekag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjhfcm32.dll"	Qfjjpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadeee32.dll"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieojgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gndick32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpndppf.dll"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkdpbpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfgnho32.dll"	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nndbpeal.dll"	Gkdpbpih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljdkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodabb32.dll"	Ojcpdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeape32.dll"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajefoog.dll"	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inclga32.dll"	Hlmchoan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iahgad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnndji32.dll"	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Joqafgni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbojlfdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anafep32.dll"	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbddol32.dll"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnhgglaj.dll"	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	Daeifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll"	Mapppn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll"	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epffbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnbeeiji.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 3224	3620	fc3b9772ce503e712e2914dc7e8ab3e0_NEIKI.exe	90
PID 3620 wrote to memory of 3224	3620	fc3b9772ce503e712e2914dc7e8ab3e0_NEIKI.exe	90
PID 3620 wrote to memory of 3224	3620	fc3b9772ce503e712e2914dc7e8ab3e0_NEIKI.exe	90
PID 3224 wrote to memory of 412	3224	Phajna32.exe	91
PID 3224 wrote to memory of 412	3224	Phajna32.exe	91
PID 3224 wrote to memory of 412	3224	Phajna32.exe	91
PID 412 wrote to memory of 3132	412	Pdjgha32.exe	92
PID 412 wrote to memory of 3132	412	Pdjgha32.exe	92
PID 412 wrote to memory of 3132	412	Pdjgha32.exe	92
PID 3132 wrote to memory of 4480	3132	Panhbfep.exe	93
PID 3132 wrote to memory of 4480	3132	Panhbfep.exe	93
PID 3132 wrote to memory of 4480	3132	Panhbfep.exe	93
PID 4480 wrote to memory of 1620	4480	Qjfmkk32.exe	94
PID 4480 wrote to memory of 1620	4480	Qjfmkk32.exe	94
PID 4480 wrote to memory of 1620	4480	Qjfmkk32.exe	94
PID 1620 wrote to memory of 3052	1620	Qodeajbg.exe	95
PID 1620 wrote to memory of 3052	1620	Qodeajbg.exe	95
PID 1620 wrote to memory of 3052	1620	Qodeajbg.exe	95
PID 3052 wrote to memory of 2636	3052	Akkffkhk.exe	96
PID 3052 wrote to memory of 2636	3052	Akkffkhk.exe	96
PID 3052 wrote to memory of 2636	3052	Akkffkhk.exe	96
PID 2636 wrote to memory of 3812	2636	Aknbkjfh.exe	97
PID 2636 wrote to memory of 3812	2636	Aknbkjfh.exe	97
PID 2636 wrote to memory of 3812	2636	Aknbkjfh.exe	97
PID 3812 wrote to memory of 5028	3812	Agdcpkll.exe	98
PID 3812 wrote to memory of 5028	3812	Agdcpkll.exe	98
PID 3812 wrote to memory of 5028	3812	Agdcpkll.exe	98
PID 5028 wrote to memory of 4492	5028	Ahdpjn32.exe	99
PID 5028 wrote to memory of 4492	5028	Ahdpjn32.exe	99
PID 5028 wrote to memory of 4492	5028	Ahdpjn32.exe	99
PID 4492 wrote to memory of 1556	4492	Apodoq32.exe	100
PID 4492 wrote to memory of 1556	4492	Apodoq32.exe	100
PID 4492 wrote to memory of 1556	4492	Apodoq32.exe	100
PID 1556 wrote to memory of 3124	1556	Bdmmeo32.exe	101
PID 1556 wrote to memory of 3124	1556	Bdmmeo32.exe	101
PID 1556 wrote to memory of 3124	1556	Bdmmeo32.exe	101
PID 3124 wrote to memory of 3204	3124	Bacjdbch.exe	102
PID 3124 wrote to memory of 3204	3124	Bacjdbch.exe	102
PID 3124 wrote to memory of 3204	3124	Bacjdbch.exe	102
PID 3204 wrote to memory of 1776	3204	Bogkmgba.exe	103
PID 3204 wrote to memory of 1776	3204	Bogkmgba.exe	103
PID 3204 wrote to memory of 1776	3204	Bogkmgba.exe	103
PID 1776 wrote to memory of 1048	1776	Bgbpaipl.exe	104
PID 1776 wrote to memory of 1048	1776	Bgbpaipl.exe	104
PID 1776 wrote to memory of 1048	1776	Bgbpaipl.exe	104
PID 1048 wrote to memory of 400	1048	Bahdob32.exe	105
PID 1048 wrote to memory of 400	1048	Bahdob32.exe	105
PID 1048 wrote to memory of 400	1048	Bahdob32.exe	105
PID 400 wrote to memory of 2100	400	Bnoddcef.exe	106
PID 400 wrote to memory of 2100	400	Bnoddcef.exe	106
PID 400 wrote to memory of 2100	400	Bnoddcef.exe	106
PID 2100 wrote to memory of 4812	2100	Conanfli.exe	107
PID 2100 wrote to memory of 4812	2100	Conanfli.exe	107
PID 2100 wrote to memory of 4812	2100	Conanfli.exe	107
PID 4812 wrote to memory of 440	4812	Cncnob32.exe	108
PID 4812 wrote to memory of 440	4812	Cncnob32.exe	108
PID 4812 wrote to memory of 440	4812	Cncnob32.exe	108
PID 440 wrote to memory of 3568	440	Cglbhhga.exe	109
PID 440 wrote to memory of 3568	440	Cglbhhga.exe	109
PID 440 wrote to memory of 3568	440	Cglbhhga.exe	109
PID 3568 wrote to memory of 1036	3568	Cgnomg32.exe	110
PID 3568 wrote to memory of 1036	3568	Cgnomg32.exe	110
PID 3568 wrote to memory of 1036	3568	Cgnomg32.exe	110
PID 1036 wrote to memory of 2148	1036	Cpfcfmlp.exe	111

C:\Users\Admin\AppData\Local\Temp\fc3b9772ce503e712e2914dc7e8ab3e0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\fc3b9772ce503e712e2914dc7e8ab3e0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\SysWOW64\Phajna32.exe
  C:\Windows\system32\Phajna32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\SysWOW64\Pdjgha32.exe
    C:\Windows\system32\Pdjgha32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Windows\SysWOW64\Panhbfep.exe
      C:\Windows\system32\Panhbfep.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
      - C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        23⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Gbbajjlp.exe
        
        C:\Windows\system32\Gbbajjlp.exe
        28⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Hehdfdek.exe
        
        C:\Windows\system32\Hehdfdek.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\Hnbeeiji.exe
        
        C:\Windows\system32\Hnbeeiji.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\Ihpcinld.exe
        
        C:\Windows\system32\Ihpcinld.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        46⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4156
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1368
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        67⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3408
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        70⤵
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3956
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        73⤵
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        74⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:228
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        76⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4112
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3464
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3540
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        83⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        86⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        87⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        88⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        89⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        90⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        92⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        96⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        103⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        104⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        105⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        107⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        108⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        109⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        112⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        114⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        115⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        117⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        118⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        121⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        123⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        129⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        132⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 400
        133⤵
        Program crash
        
        PID:6232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4512 -ip 4512
1⤵
PID:6160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:6700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afockelf.exe

Filesize
96KB

MD5
737fc7759dca581fe3ad194a179b8acf

SHA1
8350fe2d954922074404abd773fc5cd8b71a25da

SHA256
c70b3936e5b372b42a288b3f8b711c34df0e032bab3938459732e22bab0568a7

SHA512
ae38ff12c4772650587ecac48a16dd0b9b5d9fbba4aad82ba9acadc4cd9b4be0c69bd7047733d58e40183672e439306fc28bc494ecc2567a1edcda59c2d4c281

Download Submit
C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
96KB

MD5
ccaf55e23e955c4e706b311ea39c3668

SHA1
cab5037184840828986229095571f82d870e4b1e

SHA256
1cc9d559a514f4ad27d65206a9be8330aa3ed1f711ef004fda13a04ee144cf67

SHA512
38f818a9d632f6e5bf44979b2e53d469e028ce689abfa0984926d342e1ff7cffaaffc4e7401f72a7c8740cd5465b460163d46a28d79015f65d307eea2d9b747c

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
96KB

MD5
45453fe9adbcc64c96fe8fde83f083f2

SHA1
ef8c280bfb8f7a472bb979f803ae408cf3f7f9e2

SHA256
32ea3c10426d394e80355ff6cbcf3d5ba3dbed96f988cd5356f57d70cbc87747

SHA512
e3bdb6565dd5e66d030dfd43bb120b3510e707b2dab9bb54658aa03b732c2a7f47d535cb28976a3ff919915ee5b0b26db603aac24865eff307272538d5a63d36

Download Submit
C:\Windows\SysWOW64\Akkffkhk.exe

Filesize
96KB

MD5
cd9a12be117ec26d2218281e04d389fe

SHA1
34ee0724b3d4dbc333f433e231eb23d74a3e55eb

SHA256
f205d48b5eb9ade263f3912c6f095622100e46558546908a8f7d02f9469b6bfa

SHA512
539edd82e74cbcaf39ddd30017e4cde79ced4fffa343e107dfc5bda2f48f97d302c703dc83ac1b404cceb397a1f21d902c2a06a337c88d9956d5949e635621bf

Download Submit
C:\Windows\SysWOW64\Aknbkjfh.exe

Filesize
96KB

MD5
58203169013420496d6eb3e22b26f662

SHA1
0e337938ec3fe26cf565b4d453b90b3f3026b40a

SHA256
51c5a8e2c294d73d22f0d96183f1964c500c73060c35414b08c5996333830e1b

SHA512
ba20d14f1299386d4192bdeb21b0dca3aeec5d91ae665f07d300c8ee67807c61c58d5d2167769a5330aec40f83b138d2f096a4fb2832125e94cbc30b65fc3e1f

Download Submit
C:\Windows\SysWOW64\Apnndj32.exe

Filesize
96KB

MD5
974cf6c778bcbc826c226bc62a4cef03

SHA1
6455fb2a6191132d27e87202d35e9453ddd0e0b8

SHA256
5ffae386cc2c204e07dee35087455af69576d45e2f8be1874e228a3187979ccb

SHA512
e3b4f372f60144c7b38768c7031afc8a3c74978e7a7e8e36e2e880971514b207350d8ff0916777cbb0d31ff5c17712b7022a99200b1492349ab9d0aaefd2050b

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
96KB

MD5
a12fa97ed2ac6b2ea8964962553a7bac

SHA1
ba30d02e678e68d3c824b8e52357720e0a5020bc

SHA256
b6baa9868b883d8e3b85a827b0ebb5a7e5c9b04a6bdc9b13c64a188c2f5fedac

SHA512
4b8998a13d2dd21a75494c0dab756e016b921b189e8225639d41f50cfccfbe04885071b1eb6eb92a3135337fd43eadbccab391d93250c60f8ac161a423bd53f0

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
96KB

MD5
370dcfd87e1b81a2647488cbea1d586e

SHA1
27bc1a2df7fdea0cb69a3df978b890b963451e22

SHA256
e5cc94b2c0ebc3bcf7eb8160b0b3112fff648ef1d025236a8634f964fe692b8d

SHA512
4f9843adaaf73575851b5c00be54df9683fd61f12dbd02408604388d57e9605f7c393c9cb25350a516b856c07614cacdddf1c5729ee56a289fc2d1e4450ae6bb

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
96KB

MD5
4c0b0c8339a32ba1fa2242648935fc76

SHA1
2a45c1bbd8c198bba20900cc9650e5725f5b8a79

SHA256
a8582dd8ac924302ef4665f0a782def577b0ddf8521a494cc9e77cae91eaffd0

SHA512
ab049383fdc4ff55ab7680b096374961fba770c077e0c12d48e5211a701ffc2229e466ce756b47888c04eee2ecebe618e0a249a397c4c8876e40b6b807bc80b0

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe

Filesize
96KB

MD5
22212e96347f9ce8cf8eecfa8f6cf0c7

SHA1
c0359675286e1fe27aefd48888dd04e378d29961

SHA256
a26747a2b622d4c069070c2f5d48d7bf0a04eab43644d87944bfa90436c95640

SHA512
5c0dc12fd219a605a6d797b814834ee5a6bea64b4974d63456b312de90100176d2ef3fa32a7b00deb779de58722af290494264ba8cb8084ba433a961ccb58627

Download Submit
C:\Windows\SysWOW64\Bgbpaipl.exe

Filesize
96KB

MD5
7584f1eee1438f0a58cb3e3782b4cb34

SHA1
d876b2723230bb5a025b04e4b1e8a9d02df249b9

SHA256
85fe132bc56688ddb83b7cb0b5d2a67e4ae44bc99e7b9f00237b3f0c0c9e801b

SHA512
9e9812bf295ee8f8edf5717d070a3ec998f0e2e0bd0ec3c9d8eaac8269637b9a1dca81c8967560bcf0ee031dffcc050208ab739131896738768627ef9042ecf3

Download Submit
C:\Windows\SysWOW64\Bnoddcef.exe

Filesize
96KB

MD5
49a2da7ba6de18a49ddb332a10a6f4ab

SHA1
7a9eb21a71816313c16cdee60cfe0c8f605ff039

SHA256
191b0ac7d4b8c349286017c0cfd12985d538b8f7ad3117a57a0d5771ae711df9

SHA512
034f55f730f14ed9898825c49df2f07dca45f5b511fea7935f0b18b19a6d342405b31373a5bb911bf06c1c57fe94029334a664bdc43a1c7d912534c56f6fda07

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
96KB

MD5
350cc589d3a6140541a52e9cd5ee5eed

SHA1
2548b9b6b3b19559f57fe9a67e2da900b00bc3aa

SHA256
dda80189bcf4ca3ea92c32de4fb2276bdbb4e9b5fcfbc8a5fd8de7cc65fde2b7

SHA512
feab58c93645970cd08e937a5bd733996bb4ad5884634a8a9ee96819fce14b3eedd707b9badd82345500bce3842728ebb9c4337069e83c3f521630d27a675a9b

Download Submit
C:\Windows\SysWOW64\Cglbhhga.exe

Filesize
96KB

MD5
b2edf538693dc4a1738becf844354bbd

SHA1
16a89642b165cbbf67723ae6908ec9d6c37844a1

SHA256
0d53e5c825672b984d33509145c49af1ea5324abf8277324a7593fa7150c4b3e

SHA512
f28a8aeb1516588f7f8f2ef8d469766535d5c0525ae3013affe23475b812cf55744f2f4cee4fbbe3f64f5ff618d352d8a991ae9f7ac2ce8187efce475216cfe2

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
96KB

MD5
399da94070783014e7037c368dcef612

SHA1
fbeb83e643c0508b93a262c02605b949e6b50fb9

SHA256
5d733ee109035c80192e91c786279491e2688af935530a1419991af44d1267d0

SHA512
635cb56cacc6e15833c6ccd6fd01ea81192c67279c00dcc3a75edb96d8ac731a12d33fa83985686547986081c29b45a98a3add7a8c4337d9b1efca588d69715b

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
96KB

MD5
ff3d47d03db9b9ef534a6241ab1e5aa4

SHA1
049d358836ff2f0fb1a93c48bdd8c39a21b686c5

SHA256
c27e7a85f378cd963bd7e86567dba7de981534db0d5862753c0695c352f4ea24

SHA512
4cf8a6a0e3ac6d34fa243eabedf7dab0f5cdd8ef2f4bcd9ca8a435e30e4aef8bf35f69944c32961bbadb7d73b583ea2f003386ff321e5db1adf68b6dc61ecf28

Download Submit
C:\Windows\SysWOW64\Cnjdpaki.exe

Filesize
96KB

MD5
6119aebf572d0a29c1d14c871e742fb2

SHA1
2f54d81b96f9afac634c2e8e919a9f5e8cc6e9fc

SHA256
26923bafccb48d974a0a73dd8f183455f8b042b42de2d30b1b5c493cafd2819f

SHA512
be918c8d2fc4d32c50e4743e369433d2e3b946946cede46e7076fe96c7ee628a1c756a804bedf5423b33ce6e1a9098e67970f4ef4b4bcc5859cfce4fee6f09a1

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
96KB

MD5
e3af9bea78b65e58a5b0d6322333bef8

SHA1
c9d521bfa745e48a05afd3cdf86452ed65ed9601

SHA256
7b1f29c0997637051aafc1c04b48745687d6d1a32e66c8c77f02537c54584fc3

SHA512
45ece46ff0484f0f586dea05eeb5e1f76133ac791af89997a16268ef6a1866fff0892954400446e48478e3868e1a755c448a32b4c8d3667515019b4d717931d6

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
96KB

MD5
9516380e9db5d60c25edebd8e31b0fc0

SHA1
2ffe77905699bedf56d763e2bfee6e1ebed51f20

SHA256
8819ef9cb6bde0d5ca758cdf46f80839ade7565885bd928e5b200d991dcce3ff

SHA512
fb5c1f29db25665d1c33efbc58cb21c23b2c0e36af08027ae63768f65418c62e5dce1d9e0a4c7bea2f35d7b4bded14da3d7214fe5b849b13d01bd6d1c4781a4b

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
96KB

MD5
e92ade3d0981727e36244c8c4aa2a251

SHA1
2fc196570915e1943ff5a8b2e89057c3ddd0d1f5

SHA256
d6aef9af92a62600c9f6dc7d54f534ac373e2ce6d8aeeccc872f215ff46afdfd

SHA512
d39465f5f7e0020a8ff66e835b49c9a0f172bbbac9cde098a47861abf1a3f1b96063fd6574ca8dab2717db09578ec94d5aea244726f00210aeb07b27e786ab6d

Download Submit
C:\Windows\SysWOW64\Djegekil.exe

Filesize
96KB

MD5
972af0a46f349e65b874d0f288577c7b

SHA1
173b12669bfacf43f92b53f18668b7de98461706

SHA256
31d59f0572d4d89213c5d647a8b2bc6e973e8bdcfddf436cdbf647607a335b28

SHA512
3c97e26c55c45c7b1c3a332e92f624fdcb24d9bdf9da040e43117a47da0200951d91e56190ad79673b695efaf7b72cc8650715f66ab3cc01138cc68525233789

Download Submit
C:\Windows\SysWOW64\Dnmaea32.exe

Filesize
96KB

MD5
8b88f6cb39cb31c683002e2e81ad3146

SHA1
79ff699e1f953968f0e640ea3b7e929a5cff60e8

SHA256
b7ed4bb139ec5922ca4de7e3538fedf040d442fe628a901f596a1bcd4fd79295

SHA512
a5089b1f7c40781e1d16c99c1dfd982f39042712c309563274b5cd25643bc48c879f49993eeee2a5c2ac64e77738eb668b1e9b0d74df35038a5b6d20a7df6e4d

Download Submit
C:\Windows\SysWOW64\Eaaiahei.exe

Filesize
96KB

MD5
f302a9b79b9fb96f120964c12cb805c5

SHA1
ccb58c4bfc13b38dc51fe3a29600f935777649b5

SHA256
e1de6969dcc90103b5036431e1fdbedef8394a1b409b8e8bcb75794345eab6dc

SHA512
a4fbd255e02b471237c543091534b31611cffe9b31f0d472981fa310b4be409cd604fcf51ae0d1f8a5dff4b14dcc4dc6ca66d6c58ba136440f18bb0a3c0c7d80

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
96KB

MD5
c65653d738d341415dd88987a705988c

SHA1
32121a7995abb4e2bf833b90adec0ccceb982a98

SHA256
0521e52ee6a669813651a9e25923290880795d1c9c05f2ac135288186ab01155

SHA512
5c4f022fb3cf3a0d0687e1bb9f7899b4e8b435b64a63694e98f75859b3162c1f749e1831b85d3817e95420b671592c97967ddb4ec4366893f2b1d3f7d5cb3787

Download Submit
C:\Windows\SysWOW64\Fnfmbmbi.exe

Filesize
96KB

MD5
65e18e201c1a46c6668459e8e37c0112

SHA1
7bce9a35915d10f883d8bf53ae1c50cedcca73ca

SHA256
7234e5302927f39b48525b643804e4f72bc3a67760b08c505c367e1f9d849e0a

SHA512
eeca6a22aac298f0cb14299477cf873e253ec07cb4861cc5451d3348eb45028698bc9a5a7c130e775ab1eb0b32e69bee3a5a914424d3c92c281e129a5c03c070

Download Submit
C:\Windows\SysWOW64\Gbbajjlp.exe

Filesize
96KB

MD5
a129c33b9b1487bca5b21ae5a91bf717

SHA1
ee8125ef327f9e7a9e613cb13acc6e06f3ffd47a

SHA256
1c3a1c28064d6e2a68f9cdda9f1c64be3ba2edd750f0f50a29d8bcf1b8f8373e

SHA512
7b3caf1e66ce879327ae56ab9289cd0db9f44048ce53e065b09a5a62094c30ab8f687e8eeadcce8f42339b650162b5f02feaffccd8e90b17bdd567816b683501

Download Submit
C:\Windows\SysWOW64\Gkdpbpih.exe

Filesize
96KB

MD5
ac7de67c8c638cbd49328de406e43e9e

SHA1
f7d4f43bd5834c1a0293f69bbae3ce6c20cc2884

SHA256
88a44bcd33b2291212573d1d5015a4407349633b299547b0547e9f6a571a81a6

SHA512
a61d576e62abb86016cf083ccc894d4b128f2587f181d8618d119d19f35b9b53708e9bb30ada5a795a674d50511a3f39e73dcbb1fa058d672dfa266e72a84589

Download Submit
C:\Windows\SysWOW64\Gndick32.exe

Filesize
96KB

MD5
67aa859759ccfb4176d649871486eeb3

SHA1
03f0043ba16db6ec1b273b32585d44e8582edd44

SHA256
9f657587355791ff74fd7dc41535973933e199933acee162b19c51ba1aea5777

SHA512
2dc5112a43fbaf3209b064c19f4ebdfcd202fbe94b418bc6131dc4ef0b465bd471fac152b3c59c7882f20b007d77f89a0858a26d607de2f720dfbf235b8fb40a

Download Submit
C:\Windows\SysWOW64\Haodle32.exe

Filesize
96KB

MD5
58b25c32d5f4f8aec2b6b5cf49bc1599

SHA1
4858ba0b90ecfea479f459a4b244d8a75da06aed

SHA256
8415681966628acb89c3a7f682f3d3978dc010246be416446cbb30e8b16b4726

SHA512
7c1f9978ca29bb165fbb59e7ab9281d59c68ee6ebb54aa3e2d5efbce9b4a83a4917acfadfb3b1f10b82a246f04eac699708926e4db4caa152190929358c5f26f

Download Submit
C:\Windows\SysWOW64\Hehdfdek.exe

Filesize
96KB

MD5
6471665d0bc432aa3f0fe9f4be36d122

SHA1
fd12a6c7c927dff66703e74d6ff767a6803fc7bd

SHA256
8cfebe0f664ea85b9c9cda313fe0b13d2b670d947b7996cd27f3d630121a6e8d

SHA512
269e67a9bc994b1dea66fd0138756c01e1bc9b1d721cae978afb5a861406f1ae89f5d4d2f6bc5c0bd30a3a9f27591128da3764d55d55d82ba9ceaf943674034a

Download Submit
C:\Windows\SysWOW64\Hhdcmp32.exe

Filesize
96KB

MD5
7e3962f366f8c52e5bf2a1e9627ac3eb

SHA1
644fa72686562b192636f34660ba2bcae621b08e

SHA256
391904cc7cd8e093d513a2fa57b7bd467d3143b10eedce1d0f016f63f9c1a80f

SHA512
edd27c963edccf3dedb5f09b9a0a2801ed5186083f114a630646bb292778471d5bb80e2e64df9143812edc61015c747f86f10bedeb4e6558cd968a72983638b2

Download Submit
C:\Windows\SysWOW64\Hlkfbocp.exe

Filesize
96KB

MD5
4560567178be034b24845f77817efa83

SHA1
fc537d201643bcddbc3f004242f50a88b4b23d57

SHA256
67fa24cd1305e79cd9ab2375afab0971823fa9ba905f89b54a743fde63eddfea

SHA512
e4085edc7b63cc436f411b22d9fcbd344d7570e6bcf6fa6ae0d363627009b40d79e3985ec86217e4dad0b853ab897415a7d21c0a934f723ab2568adc3a1e2bc2

Download Submit
C:\Windows\SysWOW64\Hlmchoan.exe

Filesize
96KB

MD5
6f8a48a731cce0d34ad39caff2af7466

SHA1
bbd84899446cb11826e04531efedcbefe8fc93a5

SHA256
baba25393a2976ccc7b9a1257501570c80065602cb0bcf7d4dfd4269d9189c1d

SHA512
77dd72b96451559c045d23c4761690ae12e821d78ad47405dd89f099e527434afde58ff337c59da57103af3b6270fe95070647a4ff4b87dcae4a202abfbf64c9

Download Submit
C:\Windows\SysWOW64\Ieojgc32.exe

Filesize
96KB

MD5
959c5d476d59fd9f11747a9cddc19361

SHA1
14b3b423402843223632dc763037f8f5e3e5afff

SHA256
65ad66942b96fcb194f59acbf37acec22400c9fbc5e49f70c8c6c31862422144

SHA512
f50b3fe1ca029c6d0f12995db2f8d1bb423dbf1d4373caaab1aa9c69c6cc0b1214761b9168ed2d7b356a4d104b0dd58f23ee14974da37e404f9df0a55570d576

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
96KB

MD5
00e71b80d5ee540309eba0a64697062a

SHA1
a835553bf2ad91dd158b63884b22bd9037ed2e66

SHA256
4dc04ec387e0a0e69904576af766e9537a8da4d6b56a25effa69fef45985bacc

SHA512
bb2f29d4f73e0d87222b20f98622028eb92b6010c689a1e37619695d8a52ef3fb43e23455aa016ee146e99285e4856ff06c82214d411549a9af0b607e4af772d

Download Submit
C:\Windows\SysWOW64\Jlikkkhn.exe

Filesize
96KB

MD5
da8aad5ddfe3aca79104e0c469478c11

SHA1
51c0c1afdeda11b9eb8b54d23e14846642282390

SHA256
4304f8fae40487ffe9a53635ae75855e79824a4dd6b1edc86e116bb746568aac

SHA512
ad9a5ec82891138c0303d171fcad6771eab16f6b940bd817482139616bedc2d7fda54b042ad69c69ac8a114d7d99efbcf2631e89cd9ee5ed66002fef2fce5514

Download Submit
C:\Windows\SysWOW64\Joqafgni.exe

Filesize
96KB

MD5
e00f2d48203b519599c49c18fa9f1964

SHA1
144475d0d98a3a09c12b0d0fcf6dbf7bda492d8b

SHA256
ebd5d6c5bb9125ab301b311f22cc3cae89912808fe1dad3791249161da73ff8c

SHA512
7ebf4166d5295cd87b986ce6812f585a47bd9e2c697392ef61a7cd109a7c532ea24c4f83a2671bd381d25c96d36514db6004475abd76ffabcad9144f82d924c6

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
96KB

MD5
d4c09214f9c1ebd2fb79b2a96e4c7e34

SHA1
57fb96eeff67b71ffc477a2d4833492e970cd8fe

SHA256
5cf6c1ba3bfbe362cec9aa8f1f05dbd7b328fdbaa6e71a7445b242a568a2f440

SHA512
a97a52fd4370ab98262dff31015e2abad451730b1f53fcd77fe28178788a942e323919dd3304c612dc01c741bc8cf7b73921bd35e89042ffd726e7503b6c1551

Download Submit
C:\Windows\SysWOW64\Kekbjo32.exe

Filesize
96KB

MD5
65083e5325ed00b752a6fc060c10a934

SHA1
94161c51fbc75f9b8f3ca0a275feb1281a7be469

SHA256
b68f78bd94e8d285a2888339b21e520159ed0ecb619c860f95e81013ee8daeac

SHA512
d89974385864931d420a329b9cc6916601e93cad04edbc17e0d0b923d9ce439ddb1c7cd82450c9c16c72c33c53b0991a751d74d1d013e1b387be2e6cc3186363

Download Submit
C:\Windows\SysWOW64\Ljdkll32.exe

Filesize
96KB

MD5
81e9f9cd1171115d4276173c9ff888f4

SHA1
16f86524006507393353ba90145b6d308e50dc4a

SHA256
4088bf3b4d7be6f4180376b73d11ed8b08c8181bd2239736e005a5198987af62

SHA512
f77d8f1272e421bc56c37e73a1069ed4a956ca37dd4a9133747441fe7f3247edc8a8afb104c52e5e436d7365b679dae32506fa68876871171c11575efe8eec61

Download Submit
C:\Windows\SysWOW64\Lojmcdgl.exe

Filesize
96KB

MD5
153e9fff2d61c761f07766789357e065

SHA1
2ca7d442b735f56a4fae0657bade82e080360f7c

SHA256
27ccd80b66637915f54d0bbe2b60acfb0ffbd8878dae7c1866b561b199340238

SHA512
4cf7b3f88cb6a3095ff6ac64b3eb22178dc587b0b7ad163b1f4b1d2fd7130c9c1f08f89705657b5fc4c9d96b8f19636e0e202fc0079cc28abf3c6956a4d8723a

Download Submit
C:\Windows\SysWOW64\Mablfnne.exe

Filesize
96KB

MD5
7de9ee509b07aacaf45ed596d7288954

SHA1
4cd9a912883c6bfa039b6d62d68708a0d82ffc27

SHA256
043f5154dbf3ccdd73e00e9ff19cf30d8fee12a42462ab63bfd105a871c28480

SHA512
366f2d48aafa277600b275e0512564a0081c40a5df0cded08b9a573054c31e0c402ad3dc8953fcf79c9964898eb9f1fe3ac6d855cc8d4bf92e60dc9ed88c0f56

Download Submit
C:\Windows\SysWOW64\Mqjbddpl.exe

Filesize
96KB

MD5
6c1b0deb1f08b78d92479d65e52826ae

SHA1
ca5bde2cbb417b8d5097c461e2cdb8c4e8a93767

SHA256
f3127e0ff635f3f73ef919605a58dac60eb3bcfbdd3996814d8a4153f494ed54

SHA512
c0fe338c5cc55d7ede8194b3984ed6d8d7345909cff664b457a98dc26b8a7bf2fe34bc0fcb4428bda29ae0590458a23c7df1daa09ecefd11d04b7c0e2d8349cd

Download Submit
C:\Windows\SysWOW64\Nofefp32.exe

Filesize
96KB

MD5
5d8f97b82f185b14fee97d6432600f0b

SHA1
1cd6b3bb11179bb7e69efbae306598937d1437f5

SHA256
409d512d3263869219e516f177d177e0f9c8f4d4c2e4f107992253964af4e6b1

SHA512
ab8b30dca63c0fe63315e66b26e4c354260b6e6f4ed2e7872da7d33d58dbc63b266a084d720c0a2f952b6ebb51bce607399346234d8a3d86937a2d6391291a94

Download Submit
C:\Windows\SysWOW64\Oophlo32.exe

Filesize
96KB

MD5
23de2bb0d4da234ee0987f8fce4f9d4c

SHA1
bf44d8232d91e02e784395f29d67846e211ab1bb

SHA256
4fa70ef204f50b7a909396d47bbfc2179620d6a8f1237edc7e94ad95a2552667

SHA512
8c75093f3d769951e93d2ae1f20cff402eb5a86e08045ff238547ed0b1c82d7be94cd2a1c34c0d429797cc38c3fbc9cd1e3649290efc1de32f68ddc1e39e4326

Download Submit
C:\Windows\SysWOW64\Pafkgphl.exe

Filesize
96KB

MD5
f1ba1ed6c84c9d2557403944f9db2bcd

SHA1
d8645e1156e210d4056cd889347333bb177a2d70

SHA256
ea3dc35d2d2721fd084bea6c76236f61f03523399094c1b1319568750d5d7c77

SHA512
b46e36467ad8391661df840c9fc813afaa0278b8d7bb3fcf4a68cdb0ef71e69f7bb802153a7562d65bf99133abe79e67ad90de5904260619ae60001ac9de12bb

Download Submit
C:\Windows\SysWOW64\Panhbfep.exe

Filesize
96KB

MD5
233edcac01b7148c8fd6437dfde0d7a1

SHA1
d3e85112ef019e99192fd414a985241d29a03210

SHA256
d0adc4cfd178c6f0c0025cc32bf7736134d9f8254ebfbcfd7aaccd5bbe582aa8

SHA512
fa730d0b235883d902a6c8c4a5e20f9e6422f3fb5e8e6ebf6b2e5b789377cfb1434196d474b5d777a71082f2c58fb625c768739923f0bc15b4f9bf3888f323fd

Download Submit
C:\Windows\SysWOW64\Pdjgha32.exe

Filesize
96KB

MD5
e43a33a7ee9884146594edcb9fcb08e5

SHA1
0daaa557b14ae6a0be7f82f8d746e8b781e78711

SHA256
04d4aec684195850c26398611711215cbe42a4dce44adb0bbde312f52073533b

SHA512
1372812b280d1c6c1fe56e1497cab6bd11ac49a156861e9c8e4062656249165d9458fcf0d55c1a4eefee3b0ef10e876a71b7e332f1e33a0e0793c3be02c3895c

Download Submit
C:\Windows\SysWOW64\Phajna32.exe

Filesize
96KB

MD5
8cfe7153228f66a22312afcec0aabb80

SHA1
8bfd8f3c9af3c26470ff73201a18cbe88f568873

SHA256
23e1482c00d05bc161bb8666eb82fb0a4d91b8f6385f576353cfa05c0c5c0fef

SHA512
9a0dd57ae6512524873d2bc3625803881815eea406dc0cd0edcba723d5496817f58950ba7ea27a9fefe3b02ceb460f7487ad1ed877aaf17ebc4d6c0bce9b216b

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
96KB

MD5
1e4f87148e2b6dfb029d0d510ca4aa80

SHA1
38bf835ce3175ee7ba990502c6139a3bba8df571

SHA256
0d4d4eda8ca24ba1a77d003b52ed13b438d415423bc43a994e755c01fd6b492c

SHA512
ab4050a7bed5c9d20701462793d66328366765de425a4526492129344e9c94d0f30e2ddea3ad11ffda4d003a0a2b6403d183f24a8c51b4a281b67169738e551f

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
96KB

MD5
80e348485d237c6dbbecf41450299bba

SHA1
2b4541ec82f4fcb8f8111161017eac66367b6eb2

SHA256
982cdd0bac9bf1bea8774e8fe3729354c9bd6d5166b6c18bd2bb33e7b1e7d1dc

SHA512
5eb9922ed1eca01878d0ec8dc2bb873a93226d5a56b6bdae26eca442d89b4dece4142823191f02d51ed4e63166f635d5cbb8c9a729713dfefeac32ef3aa6bff8

Download Submit
memory/400-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/400-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/412-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/412-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/440-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/440-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/548-243-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/548-319-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/736-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/736-348-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/780-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/780-254-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1036-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1036-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1048-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1048-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1096-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1156-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1156-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1556-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1556-178-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1620-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1732-396-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1732-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1764-375-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1764-307-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1776-118-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1776-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2076-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2076-279-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2096-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2100-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2100-237-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2148-189-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2148-277-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2196-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2196-293-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2508-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2508-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2636-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2636-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-397-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3052-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3052-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3068-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3068-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3104-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3104-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3124-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3124-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3132-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3132-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3140-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3204-113-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3204-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3224-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3224-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3308-411-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3336-390-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3456-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3456-300-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3480-238-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3568-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3568-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3620-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3620-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3620-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3776-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3776-313-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3812-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3812-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3856-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3856-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3880-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3880-225-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4076-261-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4076-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4136-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4136-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4148-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4148-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4320-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4440-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4440-403-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4492-169-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4492-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4516-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4812-242-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4812-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5028-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5028-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5036-383-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads