fba7b63636a5c0ad223526e53a82f2edba90999b5416113ab19a1838ee849623

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 19:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d2e06fd1d653dff5d593cafd5feb0790_NeikiAnalytics.exe
Size

1.5MB
MD5

d2e06fd1d653dff5d593cafd5feb0790
SHA1

ff02a5a98cc5f07d3929e19dd81ec27abb29bc99
SHA256

fba7b63636a5c0ad223526e53a82f2edba90999b5416113ab19a1838ee849623
SHA512

67ea278e0f3288da9b55cdf4a6049d03252773dbfc8ba931e64d56ee33168fd3134263192f2db94dfd05dba8667c33befa5b9e0bd7ce79404df60640228f9fb1
SSDEEP

12288:gF04PbWGRdA6sQxuEuZH8WF50+OJ3BHCXwpnsKvNA+XTvZHWuEo3oWB+:6jzecI50+YNpsKv2EvZHp3oWB+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbped32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqdcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnbakghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kncaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chqogq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqfpckhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnlkfal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npbceggm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnbakghm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfaajnfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eehicoel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmfkhmdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geaepk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lokdnjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nncccnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddligq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iliinc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iedjmioj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Conanfli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opqofe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljqhkckn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnlkfal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chnbbqpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flmqlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgdidgjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnhdgpii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqimikfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnafno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnindhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipjoja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqimikfj.exe

Executes dropped EXE 64 IoCs

pid	Process
3236	Cnindhpg.exe
4736	Chnbbqpn.exe
4896	Chqogq32.exe
4556	Dnbakghm.exe
4360	Ddligq32.exe
1712	Ddnfmqng.exe
1444	Dmennnni.exe
1120	Emmdom32.exe
4636	Eehicoel.exe
1164	Fmcjpl32.exe
2204	Fbbpmb32.exe
4444	Fnipbc32.exe
2596	Flmqlg32.exe
3712	Fiaael32.exe
1748	Gppcmeem.exe
3720	Gfjkjo32.exe
4820	Gpbpbecj.exe
1372	Gmfplibd.exe
328	Geaepk32.exe
4792	Gpgind32.exe
764	Hfaajnfb.exe
748	Hbohpn32.exe
828	Iliinc32.exe
1580	Ibcaknbi.exe
5060	Iedjmioj.exe
4240	Ipjoja32.exe
5100	Ilqoobdd.exe
1624	Jocefm32.exe
4676	Jcanll32.exe
4464	Kpjgaoqm.exe
4048	Klahfp32.exe
4496	Kcmmhj32.exe
2300	Kncaec32.exe
3852	Lljklo32.exe
2524	Lfbped32.exe
400	Lnjgfb32.exe
532	Lokdnjkg.exe
116	Ljqhkckn.exe
3676	Llodgnja.exe
4376	Lgdidgjg.exe
1276	Ljceqb32.exe
4612	Lggejg32.exe
1212	Ljeafb32.exe
3108	Lqojclne.exe
4284	Lflbkcll.exe
3708	Mmfkhmdi.exe
2624	Mcpcdg32.exe
2848	Mqdcnl32.exe
4092	Mgnlkfal.exe
5088	Mnhdgpii.exe
5008	Mqfpckhm.exe
2040	Mqimikfj.exe
396	Mnmmboed.exe
732	Mgeakekd.exe
4372	Nmbjcljl.exe
1272	Nclbpf32.exe
1776	Nnafno32.exe
3000	Npbceggm.exe
4784	Nncccnol.exe
3600	Ncqlkemc.exe
916	Npgmpf32.exe
3916	Nfaemp32.exe
3220	Npiiffqe.exe
3972	Oaifpi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pcmdgodo.dll	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Qodeajbg.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Lljklo32.exe	Kncaec32.exe
File created	C:\Windows\SysWOW64\Adfonlkp.dll	Jocefm32.exe
File created	C:\Windows\SysWOW64\Ngidlo32.dll	Lggejg32.exe
File created	C:\Windows\SysWOW64\Bjokon32.dll	Mcpcdg32.exe
File opened for modification	C:\Windows\SysWOW64\Opqofe32.exe	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Mkfefigf.dll	Panhbfep.exe
File created	C:\Windows\SysWOW64\Dbmdml32.dll	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Apaadpng.exe	Aopemh32.exe
File created	C:\Windows\SysWOW64\Dmennnni.exe	Ddnfmqng.exe
File created	C:\Windows\SysWOW64\Chdialdl.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Mgnlkfal.exe	Mqdcnl32.exe
File opened for modification	C:\Windows\SysWOW64\Mnhdgpii.exe	Mgnlkfal.exe
File opened for modification	C:\Windows\SysWOW64\Pnfiplog.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Ojjhjm32.dll	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Bklomh32.exe	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Jlkidpke.dll	Chfegk32.exe
File created	C:\Windows\SysWOW64\Jdgccn32.dll	Emmdom32.exe
File created	C:\Windows\SysWOW64\Pgpecj32.dll	Kcmmhj32.exe
File opened for modification	C:\Windows\SysWOW64\Cpmapodj.exe	Boldhf32.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Cacckp32.exe
File opened for modification	C:\Windows\SysWOW64\Gppcmeem.exe	Fiaael32.exe
File opened for modification	C:\Windows\SysWOW64\Gfjkjo32.exe	Gppcmeem.exe
File created	C:\Windows\SysWOW64\Jcanll32.exe	Jocefm32.exe
File created	C:\Windows\SysWOW64\Ljceqb32.exe	Lgdidgjg.exe
File opened for modification	C:\Windows\SysWOW64\Ojajin32.exe	Oaifpi32.exe
File created	C:\Windows\SysWOW64\Cponen32.exe	Conanfli.exe
File opened for modification	C:\Windows\SysWOW64\Chnbbqpn.exe	Cnindhpg.exe
File opened for modification	C:\Windows\SysWOW64\Lljklo32.exe	Kncaec32.exe
File opened for modification	C:\Windows\SysWOW64\Ljqhkckn.exe	Lokdnjkg.exe
File opened for modification	C:\Windows\SysWOW64\Boldhf32.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Gfjkjo32.exe	Gppcmeem.exe
File opened for modification	C:\Windows\SysWOW64\Gpbpbecj.exe	Gfjkjo32.exe
File created	C:\Windows\SysWOW64\Kncaec32.exe	Kcmmhj32.exe
File created	C:\Windows\SysWOW64\Dpiplm32.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Fiboaq32.dll	Chqogq32.exe
File created	C:\Windows\SysWOW64\Ncqlkemc.exe	Nncccnol.exe
File created	C:\Windows\SysWOW64\Binlfp32.dll	Nncccnol.exe
File created	C:\Windows\SysWOW64\Dannpknl.dll	Ncqlkemc.exe
File created	C:\Windows\SysWOW64\Opclldhj.exe	Opqofe32.exe
File created	C:\Windows\SysWOW64\Bmjkic32.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Ifenan32.dll	Jcanll32.exe
File opened for modification	C:\Windows\SysWOW64\Oaifpi32.exe	Npiiffqe.exe
File opened for modification	C:\Windows\SysWOW64\Adkqoohc.exe	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Bmeandma.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Ampillfk.dll	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Cpbjkn32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Ddnfmqng.exe	Ddligq32.exe
File opened for modification	C:\Windows\SysWOW64\Geaepk32.exe	Gmfplibd.exe
File created	C:\Windows\SysWOW64\Ckkpjkai.dll	Npgmpf32.exe
File created	C:\Windows\SysWOW64\Ogekbb32.exe	Ojajin32.exe
File created	C:\Windows\SysWOW64\Lielhgaa.dll	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Qnbidcgp.dll	Apaadpng.exe
File opened for modification	C:\Windows\SysWOW64\Cpbjkn32.exe	Cncnob32.exe
File opened for modification	C:\Windows\SysWOW64\Dnbakghm.exe	Chqogq32.exe
File created	C:\Windows\SysWOW64\Konidd32.dll	Flmqlg32.exe
File opened for modification	C:\Windows\SysWOW64\Gpgind32.exe	Geaepk32.exe
File created	C:\Windows\SysWOW64\Omfmcjlk.dll	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Lfdqcn32.dll	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Bmijpchc.dll	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Mbibld32.dll	d2e06fd1d653dff5d593cafd5feb0790_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5312	6064	WerFault.exe	207

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmennnni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcmmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjokon32.dll"	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchdqkfl.dll"	Nfaemp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d2e06fd1d653dff5d593cafd5feb0790_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lflbkcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jencdebl.dll"	Lflbkcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll"	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edommp32.dll"	Dmennnni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpdhj32.dll"	Gmfplibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficlfj32.dll"	Gpgind32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjgaoqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiaael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpgind32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npbceggm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmfkhmdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahamgib.dll"	Dnbakghm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flmqlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipjoja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konidd32.dll"	Flmqlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnhdgpii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfoel32.dll"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicpnnio.dll"	Ddligq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnljbeg.dll"	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopjdidn.dll"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lggejg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbohpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhal32.dll"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebggoi32.dll"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flmqlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibcaknbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcmmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmifiap.dll"	Fmcjpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbbpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfonlkp.dll"	Jocefm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 3236	3024	d2e06fd1d653dff5d593cafd5feb0790_NeikiAnalytics.exe	90
PID 3024 wrote to memory of 3236	3024	d2e06fd1d653dff5d593cafd5feb0790_NeikiAnalytics.exe	90
PID 3024 wrote to memory of 3236	3024	d2e06fd1d653dff5d593cafd5feb0790_NeikiAnalytics.exe	90
PID 3236 wrote to memory of 4736	3236	Cnindhpg.exe	91
PID 3236 wrote to memory of 4736	3236	Cnindhpg.exe	91
PID 3236 wrote to memory of 4736	3236	Cnindhpg.exe	91
PID 4736 wrote to memory of 4896	4736	Chnbbqpn.exe	93
PID 4736 wrote to memory of 4896	4736	Chnbbqpn.exe	93
PID 4736 wrote to memory of 4896	4736	Chnbbqpn.exe	93
PID 4896 wrote to memory of 4556	4896	Chqogq32.exe	94
PID 4896 wrote to memory of 4556	4896	Chqogq32.exe	94
PID 4896 wrote to memory of 4556	4896	Chqogq32.exe	94
PID 4556 wrote to memory of 4360	4556	Dnbakghm.exe	95
PID 4556 wrote to memory of 4360	4556	Dnbakghm.exe	95
PID 4556 wrote to memory of 4360	4556	Dnbakghm.exe	95
PID 4360 wrote to memory of 1712	4360	Ddligq32.exe	96
PID 4360 wrote to memory of 1712	4360	Ddligq32.exe	96
PID 4360 wrote to memory of 1712	4360	Ddligq32.exe	96
PID 1712 wrote to memory of 1444	1712	Ddnfmqng.exe	97
PID 1712 wrote to memory of 1444	1712	Ddnfmqng.exe	97
PID 1712 wrote to memory of 1444	1712	Ddnfmqng.exe	97
PID 1444 wrote to memory of 1120	1444	Dmennnni.exe	98
PID 1444 wrote to memory of 1120	1444	Dmennnni.exe	98
PID 1444 wrote to memory of 1120	1444	Dmennnni.exe	98
PID 1120 wrote to memory of 4636	1120	Emmdom32.exe	99
PID 1120 wrote to memory of 4636	1120	Emmdom32.exe	99
PID 1120 wrote to memory of 4636	1120	Emmdom32.exe	99
PID 4636 wrote to memory of 1164	4636	Eehicoel.exe	100
PID 4636 wrote to memory of 1164	4636	Eehicoel.exe	100
PID 4636 wrote to memory of 1164	4636	Eehicoel.exe	100
PID 1164 wrote to memory of 2204	1164	Fmcjpl32.exe	101
PID 1164 wrote to memory of 2204	1164	Fmcjpl32.exe	101
PID 1164 wrote to memory of 2204	1164	Fmcjpl32.exe	101
PID 2204 wrote to memory of 4444	2204	Fbbpmb32.exe	102
PID 2204 wrote to memory of 4444	2204	Fbbpmb32.exe	102
PID 2204 wrote to memory of 4444	2204	Fbbpmb32.exe	102
PID 4444 wrote to memory of 2596	4444	Fnipbc32.exe	103
PID 4444 wrote to memory of 2596	4444	Fnipbc32.exe	103
PID 4444 wrote to memory of 2596	4444	Fnipbc32.exe	103
PID 2596 wrote to memory of 3712	2596	Flmqlg32.exe	104
PID 2596 wrote to memory of 3712	2596	Flmqlg32.exe	104
PID 2596 wrote to memory of 3712	2596	Flmqlg32.exe	104
PID 3712 wrote to memory of 1748	3712	Fiaael32.exe	105
PID 3712 wrote to memory of 1748	3712	Fiaael32.exe	105
PID 3712 wrote to memory of 1748	3712	Fiaael32.exe	105
PID 1748 wrote to memory of 3720	1748	Gppcmeem.exe	106
PID 1748 wrote to memory of 3720	1748	Gppcmeem.exe	106
PID 1748 wrote to memory of 3720	1748	Gppcmeem.exe	106
PID 3720 wrote to memory of 4820	3720	Gfjkjo32.exe	107
PID 3720 wrote to memory of 4820	3720	Gfjkjo32.exe	107
PID 3720 wrote to memory of 4820	3720	Gfjkjo32.exe	107
PID 4820 wrote to memory of 1372	4820	Gpbpbecj.exe	108
PID 4820 wrote to memory of 1372	4820	Gpbpbecj.exe	108
PID 4820 wrote to memory of 1372	4820	Gpbpbecj.exe	108
PID 1372 wrote to memory of 328	1372	Gmfplibd.exe	109
PID 1372 wrote to memory of 328	1372	Gmfplibd.exe	109
PID 1372 wrote to memory of 328	1372	Gmfplibd.exe	109
PID 328 wrote to memory of 4792	328	Geaepk32.exe	110
PID 328 wrote to memory of 4792	328	Geaepk32.exe	110
PID 328 wrote to memory of 4792	328	Geaepk32.exe	110
PID 4792 wrote to memory of 764	4792	Gpgind32.exe	111
PID 4792 wrote to memory of 764	4792	Gpgind32.exe	111
PID 4792 wrote to memory of 764	4792	Gpgind32.exe	111
PID 764 wrote to memory of 748	764	Hfaajnfb.exe	112

C:\Users\Admin\AppData\Local\Temp\d2e06fd1d653dff5d593cafd5feb0790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d2e06fd1d653dff5d593cafd5feb0790_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\Cnindhpg.exe
  C:\Windows\system32\Cnindhpg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\SysWOW64\Chnbbqpn.exe
    C:\Windows\system32\Chnbbqpn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\SysWOW64\Chqogq32.exe
      C:\Windows\system32\Chqogq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Fmcjpl32.exe
        
        C:\Windows\system32\Fmcjpl32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:828
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        28⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        32⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        37⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        40⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        44⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        45⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        55⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        57⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        69⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        70⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        75⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        80⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        81⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        82⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        85⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        88⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        89⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        94⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        95⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        96⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        102⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        105⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        106⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        113⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        114⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        115⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 416
        116⤵
        Program crash
        
        PID:5312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4092,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6064 -ip 6064
1⤵
PID:5228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aphnnafb.exe

Filesize
1.5MB

MD5
8d0efb625e7e693efe15823a137b8847

SHA1
4c45e593fe8bd8c411316d58b9c4c4be52f1ea4b

SHA256
840411a31cac480bb79b2fc6b91e719fd612392c6e4f5392424a9cd6914bca7c

SHA512
59f0896bcda679140f2d4695a02114adcf635b2f190085b8d3b34af72cc6e66f538759864bb00d9dc8b2e1d6390858a8f338e421d8e6e36fbfda1de91912a3b9

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
1.5MB

MD5
4e65c36f62d76de6c43a0d01d8a8ee89

SHA1
44e5328d61f780a694c6132c9a4f191eabe0114e

SHA256
60dc994a3241f89df7af73d8fdbc61e8d06e1db4a2a509cff6c2bc4d0badef54

SHA512
8b2d0c9735a4b8a6821eb8ddad81b8995ef2feec814d9e7654c90f7917bdc9f21dc00287640a38cf1e41a424e9738e928cb8bbb606e0443108c1bfc51764665b

Download Submit
C:\Windows\SysWOW64\Cdbpgl32.exe

Filesize
1.5MB

MD5
3fbb3a823d3bf6fcd0edb4d778b3f6bc

SHA1
3e49872ff33c12ea21211b1e852dfdef10d6c377

SHA256
af4e862b25a1b26064a49c1c4f68ad4872e8ec3c024a47bbb29a193a92a89707

SHA512
a7ed24f74a2764df6e2fa4120cdf32bb338076e85e3ed2a16e70e5ab3749eb3bea8b7d31cd61391f367563f16ac8cd477958b954a349b6b5963c218f8b613c2c

Download Submit
C:\Windows\SysWOW64\Chnbbqpn.exe

Filesize
1.5MB

MD5
70254de856410bd0aa16c4d09493c120

SHA1
49c4a6e5bee20703cc3a93a427187087bd9dc9fb

SHA256
7fe255633eb3a683e931d6985aa5087026398a91b35bcf684d804d45057d1783

SHA512
1f760d867505fea9a509445c94f0a6f56427c2354189ce8c07fa409d0ce9de3cdd45beb4c9076c2b78056ecdc2c2d0110b8e682f017ac7a9d120978ee6002488

Download Submit
C:\Windows\SysWOW64\Chqogq32.exe

Filesize
1.5MB

MD5
246573b8fa8207a29e37aef4b3d7b3a2

SHA1
1e8ed74bda69dac75c24fbcc4eff82f223d09955

SHA256
d1dbab97f28f2860334a53f81cab1505ca547c6e7175fdc1d1145fa257369a80

SHA512
50038934d8cd868efd0bcaedb98ca5f24d072fddf01c0505f95d7c28eb331a5ecaa5c20cb231d69af7e5b9a212a3c327c7ecc152f95034f29af3b8d8bf75043f

Download Submit
C:\Windows\SysWOW64\Cnindhpg.exe

Filesize
1.5MB

MD5
88048c1be5b5fa76d2adf73b48e0a87c

SHA1
9b23fab64e01f7d02e3f2de9e7d69c513c523218

SHA256
1dde196f08bc9953cf0aa3c86954a12e8aaa4f64894d95e64c4937c7179ad4c9

SHA512
00d3b82cb02ed2c8b16d29bb798dc48eea95261a96f4fb266029a81380632430ded4ee4e65dc5896a42992e5ebfe122dfbebc2a09b0abab265a0ffa6be1de06c

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
1.5MB

MD5
8904fe6c9c7be88d89ba36c0aff30d68

SHA1
91b684378745ca11ce8ff7a1849b7d0b47b34fa4

SHA256
3eef88f2bff8c693c5052a78d0509e634295163b733a769873cce4656513bbfe

SHA512
aeb9920f4ceace9d974710f1e2c7295c7a728ea15e9fd705a7ffd7f9064a96364043c7987c3dfa5006d4a49a6929288a76c603d469894a29699edef0cff2ed24

Download Submit
C:\Windows\SysWOW64\Ddligq32.exe

Filesize
1.5MB

MD5
9e8238bbcef98e801b1f644882b8da1a

SHA1
ec182bd59673530550c38a79b32090d3f21b669d

SHA256
57b0f29f97b6a9bbaa33fe5e5de77ff158885a34f7b997b3029f6a16b25a8b67

SHA512
8984296524ed3ea172407ebe1777bbfc7bb72fb25cc0c9fb460a81456fc2107a8dc52d0d8436f75cb9ca0506572eb24a871c24e03340b55681e0c93a2c7da078

Download Submit
C:\Windows\SysWOW64\Ddnfmqng.exe

Filesize
1.5MB

MD5
50ade6d47d66cef2d4e25847688806de

SHA1
28a3b30b33b14053ed41c94f4fefb740a3af782e

SHA256
4e37c74b9ab264212b05a16f28dda99bfed9d2f944ae1e3ee0738fd7dcc2c9d0

SHA512
dc5ea234de5413389e7b50e15b265909e9d93d97490a0d92299ee919bedb1d57ec231ce08ac6acd105bda790ff162778a57c85e161be5d9686225103dccb7a2f

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
1.5MB

MD5
4f72b05e22d3736c9b75b7e1b7f42874

SHA1
b751afb2d518e08204d8850b88a656a3046dad29

SHA256
8a7815d22481efc910f4ede1a803afc17287d6ef6eb6a1405db74d614a4fe308

SHA512
d2d0162f39c1ea2bb402a2596a0b9361fdbfde129bf6de12055f96202f107e7dca38f0516aa121d0c32ace142d5577ba13cfdea70aae376a51753eab9ee2728e

Download Submit
C:\Windows\SysWOW64\Dmennnni.exe

Filesize
1.5MB

MD5
394f9f4683a8af8627cecef55741807d

SHA1
c2e992d8b89da2f1b2dfa1e30a1979a77ffa60a8

SHA256
beeb2d09b9f1af2e639e641da6e8e43c9d91ba5cbaa8beb5fef12d7bf04ab947

SHA512
68727e49466ae4a2db7a9c3abbf9781e15079e3a06db23b22d78b16a0dfeb8cf6b1cd31d015a4f592db9ce4b31a45caf1247a2d0f8cae2e5d2593c66a1e4783f

Download Submit
C:\Windows\SysWOW64\Dnbakghm.exe

Filesize
1.5MB

MD5
9fe417a077c85c388ce7e464241c16ee

SHA1
603f47536790e8e8379a442cdf6045781330781b

SHA256
5be1b39b88f9ca2291603f37c9aa6b7306bc4253d82dc5563dbdafb10f32b5f9

SHA512
0098464e3b37d259009965076eff2e9f002e6fa3e7b3bd75e3f1e939499584aa19626f7f5d0137db04f1c03003b0357ceb04b04e2f6a8c3a25b15660efe91ebd

Download Submit
C:\Windows\SysWOW64\Eehicoel.exe

Filesize
1.5MB

MD5
cbd136724e42782da2ee0e98e6d21a40

SHA1
732aa6e498b06d5d33c330fc03467bf50cda9f2b

SHA256
5434de3b41536ef35ee7bffc13b4f1a7ce6456ae95f5bea1c7f4713142975c89

SHA512
695dfc7df2d153558a4c1bab838b4ceb6d34f68fb3004f1118721f76c6a2573f0cfaec575d7c608f499889ed399895006131bb033180d001c225da191ba2aaf1

Download Submit
C:\Windows\SysWOW64\Emmdom32.exe

Filesize
1.5MB

MD5
0ed9cb64d06faa9aa4ded49b0a1d615c

SHA1
af46335a8df76006c6ac35f6ef4f2e8f978ed449

SHA256
18ad91384bc2d6973843cb81024105b25cc59cd27710e1730b0b8f78c3ef6859

SHA512
a47efe5aaa24b3fba309a2ac91931c87e7ac7a34e4d52380d022ad5aabe1e16cb0d2d0345606933b7e70dd9ce24047e420f7c4eb0df7bd46e06ae2fc0c5296f7

Download Submit
C:\Windows\SysWOW64\Fbbpmb32.exe

Filesize
1.5MB

MD5
221c326ce67ae0b725f6eb9c56400535

SHA1
4b84e6c76143ac8022355e7599d3a9a0feb6bbc0

SHA256
4c2848b46aebb0b3a20e5d52c6a728e59a2f9e11b93a126713ab31f873846eec

SHA512
61f6c2520e9179565b83f538c5524af1271d5aa346665267c3ad564233f88f3840460b28a902a6ea8eaf1fe4e7000c6dc83f9b906f7196a3948e7402f34ca7a9

Download Submit
C:\Windows\SysWOW64\Fiaael32.exe

Filesize
1.5MB

MD5
94ee5151007e6a35e06c4213bb38ee2c

SHA1
85b2d0a83f316ac62c3f6b2d9b7a16d3dc87bedd

SHA256
2bebcbbfa086bbfd590fe8452b65ffdcc00fca1ca79da6a55308bf258d4edd16

SHA512
148e1127c1cf47a21bc223c64532cb780597a6fc3fdc1981d29719f403c0b78864151e27517ffad1c885ff169a8f041e8420a1c3fe9f4d211dd83ce419c94291

Download Submit
C:\Windows\SysWOW64\Flmqlg32.exe

Filesize
1.5MB

MD5
02e3bd72631a6c6bfa0af0beaeaf8909

SHA1
fd8bb71338d7a57f97e090b195d2d5af57298f2b

SHA256
e7e4c0be98e734600af2f3f1688344e4da204d5e3c52d03db9c7079975c5c3a6

SHA512
0c48479343c94e4fdf83e50882ecbff438add5d0432820cbda0a35f1fb75a9485de06aabc18a4beb06bb6e54d96700a9fddd9e24c6ad4e425296220b33eb1597

Download Submit
C:\Windows\SysWOW64\Fmcjpl32.exe

Filesize
1.5MB

MD5
f0b2b00643a345d966c3a5481dca3d81

SHA1
81559125981820c31757566b40ae13ab4b6cbee6

SHA256
27d5ea3dd0c0cc979ccd419db3f3ec0a31bb7bd70c9d29d89ac967dbbebc5f54

SHA512
ce9eac038ac620cfb8396a0cf63fdeb88d09eec4c106c446cf9412c83644374329ceca9dee68069fd92d4c13a882a6ba97d3e33eb886b84d36c45c83882d8ece

Download Submit
C:\Windows\SysWOW64\Fnipbc32.exe

Filesize
1.5MB

MD5
9b0b5bc50abf65f443a85639e9e05540

SHA1
7e1d936bf2cf5d98bc980d78aee4328e9fc57f7f

SHA256
74880c7c8e64fc316815429f11636aa654d05d53ff3e29f390cdc683d5e56b57

SHA512
868587177d80340d32ee936d428343af3c2969d7a235d434a699f0df961099f0b2d4ff7977881594ce6198373895cd6e9f4cde16f88d8f0053f54b13c68098b6

Download Submit
C:\Windows\SysWOW64\Geaepk32.exe

Filesize
1.5MB

MD5
c91727237b8fc2fbb1e58d7ea4ba04a0

SHA1
0c2c925fc57a1c34be47d770b863f6b33eb8e955

SHA256
a94854f8114d2e375b0ed03c020c00303a828dc6d4349bb223c517206c1ae271

SHA512
cd55aa42279ebd98f508daee5fbeb616eab3f78cb2268f829469b011a2af5d0ea13c81f040bef523de3b9657c3fb32eb2bc18b064e56ee3ed996f451845de2db

Download Submit
C:\Windows\SysWOW64\Gfjkjo32.exe

Filesize
1.5MB

MD5
0c53f14edeb4e82cff61a77afe3be403

SHA1
23824cd7b6090018117204dbc251f1f73dbec1a2

SHA256
010f200b65f76e89269e448786c99d3bee6a25315375b47eaae08882a528f0a3

SHA512
e4b6cd2ea0f1758cdaf239002f7ec115ea1d86f1b147a1e7e3283fa17e8a864e7f0e583c4b56b6ea2bcb1a3be8a45e06eae4c373710705b15f61d24310355c38

Download Submit
C:\Windows\SysWOW64\Gmfplibd.exe

Filesize
1.5MB

MD5
056fdd772c53cd47f8b41713705f62b7

SHA1
ab828692d1385af57074b134c45b926ab643b208

SHA256
44c1b4cae332820b4f228c73e300e420eb9b8f96daf297d50be36471f6509e1a

SHA512
7f1fe5a47685ac4fae5dbae218aa2d0595fbbd4178011dc4da2ff6050f2d8abdb9e8adb4fa211a0a497b27cf5ae9b6a8ae32480b779c1482e3800b278b31c5f5

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
1.5MB

MD5
e10236cf9198d07fcc152b341c6c618d

SHA1
704c488e017bb3baeb2ec919a46235a40dcbe899

SHA256
20716c9602a0ed9b0c8eb74efa3d9cfbd0009aec15226f3e259e9ce4dbb3be10

SHA512
12657c0622e1ca8d3d3943514c0f56f4cd2ab6ee641bc7c98c794d295c6218257a2ac2d4cc01d21e38167ab1dbb32ac19b61302854d9ebdd25fc97fe11e7dd30

Download Submit
C:\Windows\SysWOW64\Gpgind32.exe

Filesize
1.5MB

MD5
5f2c8a142f8e614921163cc715e315f8

SHA1
151084b70646aee00d047cd651e6bb8817942b9f

SHA256
e12e2fe14b68f837ba2828e14b27d7688f1d31336582ccc4fedadd981a776cc3

SHA512
0b7160514231546214664feaaacf0a240f082f7f861a728f12447ca1cb1b267b99bcf90d75c8dd2276818ddc4b8a73cf413d041b236e699a2803b4596710e9de

Download Submit
C:\Windows\SysWOW64\Gppcmeem.exe

Filesize
1.5MB

MD5
552d2a1b0aea03bf21d3796a3f00d45b

SHA1
7daaddb75a7bbc2dda0f597b51e2e1cf42506904

SHA256
2058471237822e7cd79a7a1fbdcc604f789507ee8d0fe3dcea2cbd363b8e56e6

SHA512
b40779343f167a20682c62967065d6c75e603cad2d96cfc54cd06864195d6408a0b7c39be03dd130147fcc9af30a6dd36751201e46a569ced8b454f56bf018eb

Download Submit
C:\Windows\SysWOW64\Hbohpn32.exe

Filesize
1.5MB

MD5
b4ca8fed69aa0def2cc0abcba4cd3de9

SHA1
8e096aa1e0a91034d59990067fa5c29283579635

SHA256
3854e79871e416b2006c55ffd53ed8406a8c9c0fcb723f2313679c20797dedb1

SHA512
3ee1594033636a5dc1ced0df1c32b26004b5fad9cf5c3dccf294dc481fd91d0b25eb2a2c761d958ee674def4abc0d3532ee5585d59c252c57c32999ab0fada73

Download Submit
C:\Windows\SysWOW64\Hfaajnfb.exe

Filesize
1.5MB

MD5
466f45cea79713a2ac7601983c873feb

SHA1
7fc0bbf8b76dd4795a015256e8e1ee273dc71f56

SHA256
fd674d0f7b529cd5846684a521cde7fde176d605215587d44bb2f4b7576568f9

SHA512
07e0a09da578c1d0beae3ccca29e358998790299a623ac4aa719f7ff69c925c8d2b05bec4fb4998fc726244231564b4d5643e5537ed556d5bd221575dabd38be

Download Submit
C:\Windows\SysWOW64\Ibcaknbi.exe

Filesize
1.5MB

MD5
cb58bb26059af113fa5f0cbb9a38f2a9

SHA1
343b2c565a021cca7a44cb781058257c9f859190

SHA256
10c12ece27589c993c20c9f038d7e7cb893f7fb3e5b9149c66c329761b5fd64d

SHA512
31fd2b435097db9f388837d9f53a1b64e5137d73170fa09a31befecff9575904bb92975af50bb576145c7d889c7ef846a5c9fd928a4a9ab575ce4bcf07f7c2eb

Download Submit
C:\Windows\SysWOW64\Iedjmioj.exe

Filesize
1.5MB

MD5
e18fad490c214dcaa111b86e990fd80d

SHA1
92fc33b1346cdeb81a087f62060f622c6a456943

SHA256
e0e67be69f62d4aecd7ad15c875d0bc061bd4bbf78eb3979150dd1656f0a8ae8

SHA512
bc313f0945a73e24939a6be2a1db1650c639c50752023a087a761f748476ce237509691ac135ab37d14ef89ee41b8e71d55250e3117659d8aebc1b12a1160578

Download Submit
C:\Windows\SysWOW64\Iliinc32.exe

Filesize
1.5MB

MD5
6becec4b57dc5e21a5ca8d2ce96148df

SHA1
0096defb46a6df038dc99bdda830661850c9137e

SHA256
c9a430f60a05758066dcc74b8eed902bd8c17388dda74e9872824fac51f6f0d7

SHA512
f3de40c64b13151cd472ef67f7ecf6957a4dff6fba4a0e25ef84ac5b71ea73de753838f33d74edc58770d80300f43e705795da07510b5fdb02b293da9ba2da19

Download Submit
C:\Windows\SysWOW64\Ilqoobdd.exe

Filesize
1.5MB

MD5
f710b2d9c85902927711a1e40a0c0543

SHA1
23a62af903a5a18944d92a5c37a650db9a935d69

SHA256
e27e820ebcd6b965a2a0f9b0a799b195fbd250ff9d988b45ce1f50ce3847a056

SHA512
1c6ba2b3f15e75a2f6165e90230baabc05641383fdcf1d5ae5e24dac1a8b561bc8f57b46369e1d0a504580fbe4556c972ccdc484ea1c5077a2ef4455bc8f27c9

Download Submit
C:\Windows\SysWOW64\Ipjoja32.exe

Filesize
1.5MB

MD5
65f08266230d405c97b67af96d898122

SHA1
7e1f766af6e0c9c314f39996f199a0b06a6b4b04

SHA256
9e0f6ceeb0f50e6f38f33320948d5353a87e2feb80ea86f6a33ad5e590f26a20

SHA512
4439636a8d8dd0169ebf4a00a67279002274e3ded589c1160d731bd1da35565378d014631d3dca199d3441290eb531121685b89eb3e420c6d8bc4b57d1ccf8ed

Download Submit
C:\Windows\SysWOW64\Jcanll32.exe

Filesize
1.5MB

MD5
49abc692d01aded4ceab0880931e79d3

SHA1
90cc2f78e084f54d77cbcedd849ac27a28bda46d

SHA256
fb12bb29d21113178bc7ea4cc0cdcb8d95e80e2542a6672a193af99a3181f2f3

SHA512
6d52a044df56ae2a03df0aedd59e04e1418b867d11526b17c0389b74b48657b86f75321ab6fd691f1e43cb7e16dbd86eeff09b43b08fc125bdcfb109d72df04f

Download Submit
C:\Windows\SysWOW64\Jocefm32.exe

Filesize
1.5MB

MD5
2b177660d21f8d0a77b8bdcad2f8fcfc

SHA1
828ad915dcad5e02b5079ab6dd7dab0628980ddd

SHA256
c31f10d496ff41b25cce01c72fcf9c0523fb5b89e2489827cdba241e6de3ce24

SHA512
0449a5cb2b6cc66827f85cacf4fc09ce2480e653c9e520048c45fcb55f15c02b56e17cf7086ca9f839193229b06f9e3976f552082a6f38e9da9e73f08c0062b3

Download Submit
C:\Windows\SysWOW64\Kcmmhj32.exe

Filesize
1.5MB

MD5
c0c35a13f91dadddc821f4f05b3fdc4b

SHA1
ce05b594d54e5f5b0b06d0fb154cd06ad795547a

SHA256
0c7eda5f3405a76ec59d357c57ee415f57345745d9305a841dc39f158668dc35

SHA512
f72d8de5e27ae541b60b921ad869af7d323f7fdbed61b2bdbe18c653c3bd4aef8c3930c279ba52516fa132679b70e21db7392466b05bc2aa10ba1732d75c1306

Download Submit
C:\Windows\SysWOW64\Klahfp32.exe

Filesize
1.5MB

MD5
dcbeff467b52031e54f2d0aad4b0782a

SHA1
f4efcf40d3075f451e324f0f0add15ca9bc27458

SHA256
ca650b0bcc27e7f95a8e53270bbf97b88dfe0d61966e656ed1d8c9bf04312512

SHA512
0610989ec30283aee23467ef7fb2887d97db6e3325a2b450c4763fb748abd48b5b87bd46b0aa6234e6a2413a79873a96b0c4c7073b9f0139dc9eebc9bf69a823

Download Submit
C:\Windows\SysWOW64\Kpjgaoqm.exe

Filesize
1.5MB

MD5
ded6f92fc2e10ff510ea94d63265cb5b

SHA1
812695a09ae8efdcaefc2f8becb8e589c8a55ac0

SHA256
a464e81709059aebeedb71b4b9730a8e9e44534c7054ff93d1abeea1f0c83758

SHA512
533d999a7edf3f17d78705ee8c40c1b9804fc461d99f021ca43d6429e4fced1cb53f0181185f2e20447aa16881480fcd135ee0a5112dc0b3ba1426ad0af0486c

Download Submit
C:\Windows\SysWOW64\Ljceqb32.exe

Filesize
1.5MB

MD5
e69d0ad2ed9a7c46b8aad5ca604eefee

SHA1
a1d8f1db80d4cf782d04b9bbe4be792f0cd723eb

SHA256
2d2113e349cefd14ee314fe22711df4ac2d0a559d8b7246387f05353db017dc1

SHA512
4596fb47d8e144b3eb9a12455f957268e9dc3b329527758cc1e960d3531ec13bb7cbb1995c35f7ab3172e5c25a421f6b4b7d60b2532df41ce35048795090c67e

Download Submit
C:\Windows\SysWOW64\Lljklo32.exe

Filesize
1.5MB

MD5
bef6a096774cce5d0c36c5c8a593c758

SHA1
e68068474c67217dddc1366eaaf59e6be269bce2

SHA256
ef8439bbd99cf2f5cdf18814376bcb85b40a082cdb54425307a03531c19234c1

SHA512
0f52fcdcea57830f845d04f3b44a654fd4a3bd33a31c28afe31550f88ba0bbbf407e9bc8e82cbff5373c2a8d2c9ba604a77c4e794e6ce885791c4f8f49c0c7e7

Download Submit
C:\Windows\SysWOW64\Mcpcdg32.exe

Filesize
1.2MB

MD5
cf053bf20d27e28ec644e2f899d77966

SHA1
2dc86bad56d03d483819b7a51192ab0df2670940

SHA256
c742fe9585d212c3008ebc3973a541b7c4f7a489c48dcefe57323c5b76c2ccf4

SHA512
b433c2cf84c052976053aa2fd13886ef75e7aeab90cdcf7b18bcc6b5d162a86832a8c6d58d61cd675389c84808be617a3a8eec2f486d4751cc0aeeac159d22a4

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
1.5MB

MD5
ee0f590e06593924cf8cb5a21fb37a0d

SHA1
fab5e5a2a5aca9739b770dc298201627ce950b2e

SHA256
08f2879ccd9c244b488d6d6226d0a1d01099394f630838a8d5f1053fd0efd873

SHA512
88cd2532411755229713fa66eacf48d133a304da42d03e7f8b5571a94f0f49d94ae39f17b7eb24d9069e7673390d83805de280e6d3132316f61dfc79bcdae8b8

Download Submit
C:\Windows\SysWOW64\Mqfpckhm.exe

Filesize
1.5MB

MD5
cb4ce339bdc3e335cb8bee4bf25604f4

SHA1
73dcbecb9a9658d4911a9e7839a557988c9c542b

SHA256
f6817fb805e18855dde2bd59a9319b3190a202d41098109e1dcbeafa40f6a1b5

SHA512
eb75cd795125c07b2cbd1d6b4211d70701e31c417aa45eb4407cce1db175f2d677c7256e229783f3980e347f06d206ae32e81acc48be607e6371af0de302a703

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
1.5MB

MD5
81810e6ee7eedde3be7061be0581d1da

SHA1
d7739decb0b030ac23ad24af18d1205d6ac70791

SHA256
8c6526c13c9cff5cbba2ae71e9551d87f51fb63e4bcf762edd94251f5bcdf742

SHA512
67b574c92f50864267ce1380f68dd736b4261ce599249c5406d9dd649d794b9f0cd7d431e2fe970f821b9bcb1cc0b5a98df0d60794b4992ed865b0c50ca14930

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
1.5MB

MD5
06296f229d3028a6eab6c7133bd2437c

SHA1
bd94ddbf8322941bb2674edcef61350f46eeb2af

SHA256
5eeb2684872fabee1ade2496be352fabb9f0f88557a91849b8f9facd3337a71c

SHA512
3fa0fac0a4aaa593af14b774c9be746ae284b1e561e1504fff96b85502cf1f4b46f2d2ed15ec6011907ae6cbc0bd8e7dc15e7e37d1c82a0c2df39ef14451df34

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
1.5MB

MD5
b4b60002de62d9221d9c2820925d34ea

SHA1
732accf6e20dce85f3ed308d8e45c7635f05bc16

SHA256
b7ccae6fcee683c0121e9b63ea0674b0285673007beef25ca5739e638a6d3317

SHA512
1cf8cd3329700fea1d43968f50f2401c2c1e7af8145ab3d6a3b4d34caea159a3ff0aab1b23fc827e52fc5d976328d3304c3de04870596ba8ba26cb5eeae7b833

Download Submit
C:\Windows\SysWOW64\Panhbfep.exe

Filesize
1.5MB

MD5
e41e27f5cfb746cf481f3ce00a3d4ff7

SHA1
2e361d184c45e180b48b65449556f71748cc4826

SHA256
a67efa78919af72a452ff68509b204af6940c7f1922bb6d94268ad4bcbec59ea

SHA512
1fbc045e87d0f1b6f12d56af90194f5dec6d567ce3bb8a45fc71e99a4197c90c7fefc2c82eacd47766af2e9039da8965a69381e85d4c1337b155b04e1e4c0d24

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
1.5MB

MD5
77778bf0d8ff729f2ff7f24765b749aa

SHA1
7cd0da4faf89f1fa5ae7cd193404ed14ef25c342

SHA256
fda355a283ee63f7557a8f091834b8d8510bb5ccc84bf29e701395d35854b26f

SHA512
4b5f2c4d1c6ad54b90adf1950824e8aabe7a240c9caf98c5a4cdf004d01056b6b9fc0747117936d1124486e093f888e9dff8c58f20203534ac66eb2bab20667d

Download Submit
C:\Windows\SysWOW64\Pnfiplog.exe

Filesize
1.5MB

MD5
c3afdfd6982a5d291abccfa27fe62bdb

SHA1
edf647383a78ce9cf4dbb1b3eb4dedc75d822a4b

SHA256
6f2c88b6ec4160cf4e7a33393a64ef8e4b0aa59af4cbbad36317ee4fab373574

SHA512
fa7e44dc077dd0ba1c879b0c87a2a983b2cb072127aab7dc649665c69323d71291d8a9834c1fb9ba5f43dff113dde3f018d23c38037e44ff0ccc466895475f28

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
1.5MB

MD5
807cd89d20074dd4dcddf1e2775559ae

SHA1
a0fa58f4094022ec434aeef9ac5b86431624c45f

SHA256
962d47d01a2d767a47660b05fe8a45b3f97064eb55667409b20ee42d0afbe0b2

SHA512
5c34ee5ca5e0a4c02e1aff08cec9e41d8febddf64c13c894d9c156a478ffa8eed9a4eb81b6012f1aa18e72d5b360ce88f3300e7c1f5c58365c89a5cf8bd562cb

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
1.5MB

MD5
2ba41465cb252a270ed0829e4d857954

SHA1
04d68f90112e81384f0bbe77442bbcdf7b3a5790

SHA256
c20fe68bd096001f4f5706a39a441bfef74d86c7bd226b8b452c3d116e02add4

SHA512
d9b0dae2915d585bcc8d0504fee1bb2e16a84d49ad9130f3ddd50ca00b1f0a7fa4721998a57f51d1a8294b44994ac3677cadb2300bbcc5f205e609e504839de5

Download Submit
memory/116-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/328-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-2-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3108-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5156-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5196-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5236-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5276-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5316-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5356-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5396-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5436-859-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5436-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5460-818-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5476-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5516-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5556-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5592-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5640-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5680-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5728-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5772-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5816-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5860-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5904-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5936-807-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads