396ee3b12af10474c9694760dfe0a3524ac661037ec2873e3c5467a9313415ae

Analysis

max time kernel
141s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a638800968b0c586ae6f184398825b0_NeikiAnalytics.exe
Size

307KB
MD5

4a638800968b0c586ae6f184398825b0
SHA1

69c98c58490d1f41446f8cd020f9721478138eaf
SHA256

396ee3b12af10474c9694760dfe0a3524ac661037ec2873e3c5467a9313415ae
SHA512

5bf74ec850b056ae3680d154ac7307c34a3fc9f1a6f30273169a653fc45b70a05d63fdc795d9db304c8d7efdd76f08c952ea28a2550dd6853883043d71b63bcb
SSDEEP

3072:WjNOjXMclYXbF2a+fkQg+Q+jS3AvAniOktt61ky/6DiKT:WhOQ3JxCkL+Q+W3LVkO1ktj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilfodgeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkocol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beaecjab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggbcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hepgkohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilkhog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hchqbkkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dllffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acgfec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dllffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhmbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocknbglo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eklajcmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddklbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcnjijoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khgbqkhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjcmngnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekonpckp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggbcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiplmq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekjcaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgeihiac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnfmbmbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijce32.exe

Executes dropped EXE 64 IoCs

pid	Process
4732	Chiblk32.exe
536	Dpiplm32.exe
4004	Dnonkq32.exe
376	Dggbcf32.exe
528	Dndgfpbo.exe
1776	Ebaplnie.exe
4752	Eklajcmc.exe
696	Ekonpckp.exe
2320	Ebkbbmqj.exe
1052	Fbplml32.exe
3140	Fnfmbmbi.exe
1636	Fqgedh32.exe
3448	Gicgpelg.exe
2364	Gkdpbpih.exe
1808	Gacepg32.exe
3452	Hnlodjpa.exe
1172	Iefphb32.exe
4228	Iehmmb32.exe
2416	Jekjcaef.exe
3476	Kbhmbdle.exe
3332	Khgbqkhj.exe
4340	Llnnmhfe.exe
2008	Mfkkqmiq.exe
844	Mhldbh32.exe
3100	Mcdeeq32.exe
4548	Nhegig32.exe
2388	Nqoloc32.exe
5060	Nfnamjhk.exe
4484	Ocdnln32.exe
220	Omopjcjp.exe
4184	Ofjqihnn.exe
1156	Pqbala32.exe
2488	Pbekii32.exe
2120	Pfccogfc.exe
748	Pjaleemj.exe
2128	Pfhmjf32.exe
3356	Qcnjijoe.exe
4480	Acccdj32.exe
692	Aiplmq32.exe
2284	Ajohfcpj.exe
3900	Apnndj32.exe
4808	Afhfaddk.exe
4248	Bboffejp.exe
5028	Bbaclegm.exe
3668	Bkkhbb32.exe
4216	Bagmdllg.exe
4676	Cmnnimak.exe
4472	Ckbncapd.exe
2592	Ccmcgcmp.exe
2900	Ccppmc32.exe
232	Cgmhcaac.exe
4324	Dgpeha32.exe
1948	Ddcebe32.exe
432	Dcibca32.exe
2136	Ddklbd32.exe
2560	Dncpkjoc.exe
1136	Ekgqennl.exe
3040	Eafbmgad.exe
5104	Ecikjoep.exe
3608	Fkcpql32.exe
4476	Fgiaemic.exe
3980	Fdmaoahm.exe
1200	Fjjjgh32.exe
1760	Fnhbmgmk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hchqbkkm.exe	Hqghqpnl.exe
File created	C:\Windows\SysWOW64\Ciiaogon.exe	Cbmlmmjd.exe
File opened for modification	C:\Windows\SysWOW64\Nqoloc32.exe	Nhegig32.exe
File opened for modification	C:\Windows\SysWOW64\Bboffejp.exe	Afhfaddk.exe
File created	C:\Windows\SysWOW64\Djojepof.dll	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Oflfdbip.exe	Ocknbglo.exe
File opened for modification	C:\Windows\SysWOW64\Dgdgijhp.exe	Dfakcj32.exe
File opened for modification	C:\Windows\SysWOW64\Apnndj32.exe	Ajohfcpj.exe
File opened for modification	C:\Windows\SysWOW64\Afhfaddk.exe	Apnndj32.exe
File created	C:\Windows\SysWOW64\Gggmgk32.exe	Gjcmngnj.exe
File created	C:\Windows\SysWOW64\Lcmgbngb.dll	Hchqbkkm.exe
File created	C:\Windows\SysWOW64\Mkocol32.exe	Mklfjm32.exe
File created	C:\Windows\SysWOW64\Ejahec32.dll	Hgeihiac.exe
File created	C:\Windows\SysWOW64\Jabphdjm.dll	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Kjmejc32.dll	Dggbcf32.exe
File created	C:\Windows\SysWOW64\Nhegig32.exe	Mcdeeq32.exe
File created	C:\Windows\SysWOW64\Nqoloc32.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Pfccogfc.exe	Pbekii32.exe
File opened for modification	C:\Windows\SysWOW64\Ddklbd32.exe	Dcibca32.exe
File created	C:\Windows\SysWOW64\Hgeihiac.exe	Hchqbkkm.exe
File created	C:\Windows\SysWOW64\Ekgqennl.exe	Dncpkjoc.exe
File created	C:\Windows\SysWOW64\Lapmnano.dll	Hepgkohh.exe
File created	C:\Windows\SysWOW64\Dggbcf32.exe	Dnonkq32.exe
File opened for modification	C:\Windows\SysWOW64\Ekonpckp.exe	Eklajcmc.exe
File created	C:\Windows\SysWOW64\Mdhbbnba.dll	Gicgpelg.exe
File opened for modification	C:\Windows\SysWOW64\Pbekii32.exe	Pqbala32.exe
File created	C:\Windows\SysWOW64\Aammfkln.dll	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Nnmmnbnl.dll	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Dgdgijhp.exe	Dfakcj32.exe
File opened for modification	C:\Windows\SysWOW64\Dpiplm32.exe	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Nhegig32.exe	Mcdeeq32.exe
File created	C:\Windows\SysWOW64\Omopjcjp.exe	Ocdnln32.exe
File created	C:\Windows\SysWOW64\Klhhpb32.dll	Omopjcjp.exe
File opened for modification	C:\Windows\SysWOW64\Acccdj32.exe	Qcnjijoe.exe
File opened for modification	C:\Windows\SysWOW64\Cmnnimak.exe	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Hepgkohh.exe	Gdnjfojj.exe
File opened for modification	C:\Windows\SysWOW64\Kbhmbdle.exe	Jekjcaef.exe
File created	C:\Windows\SysWOW64\Mhldbh32.exe	Mfkkqmiq.exe
File opened for modification	C:\Windows\SysWOW64\Gjcmngnj.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Bkjbah32.dll	Kejloi32.exe
File created	C:\Windows\SysWOW64\Gfomcn32.dll	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Obkcmi32.dll	Aeffgkkp.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmjlio.exe	Nkapelka.exe
File created	C:\Windows\SysWOW64\Ocdnln32.exe	Nfnamjhk.exe
File created	C:\Windows\SysWOW64\Dhlbgmif.dll	Pfccogfc.exe
File opened for modification	C:\Windows\SysWOW64\Aiplmq32.exe	Acccdj32.exe
File opened for modification	C:\Windows\SysWOW64\Fkcpql32.exe	Ecikjoep.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Oapijm32.dll	Icachjbb.exe
File opened for modification	C:\Windows\SysWOW64\Mkjjdmaj.exe	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Cmpcdfll.exe	Cbjogmlf.exe
File opened for modification	C:\Windows\SysWOW64\Dnonkq32.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Llnnmhfe.exe	Khgbqkhj.exe
File opened for modification	C:\Windows\SysWOW64\Ckbncapd.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Iolgql32.dll	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Najlgpeb.dll	Kocphojh.exe
File created	C:\Windows\SysWOW64\Cdebfago.exe	Bbefln32.exe
File created	C:\Windows\SysWOW64\Cbjogmlf.exe	Cdebfago.exe
File created	C:\Windows\SysWOW64\Cbmlmmjd.exe	Cmpcdfll.exe
File opened for modification	C:\Windows\SysWOW64\Eklajcmc.exe	Ebaplnie.exe
File created	C:\Windows\SysWOW64\Hdeeipfp.dll	Fdmaoahm.exe
File opened for modification	C:\Windows\SysWOW64\Gdnjfojj.exe	Gggmgk32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjhokg.exe	Kocphojh.exe
File created	C:\Windows\SysWOW64\Nfoceoni.dll	Mkocol32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5228	5348	WerFault.exe	212

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dndgfpbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolphl32.dll"	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hepgkohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiocnbpm.dll"	Icfmci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdnjfojj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icfmci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odemep32.dll"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcklp32.dll"	Fnfmbmbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodcma32.dll"	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll"	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekjhmdj.dll"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eklajcmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocmhlca.dll"	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapijm32.dll"	Icachjbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibmbgdm.dll"	Gkdpbpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooeqo32.dll"	Ilfodgeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acccdj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caajoahp.dll"	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddklbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggghajap.dll"	Gdnjfojj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkeki32.dll"	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iefphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acccdj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dggbcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhbbnba.dll"	Gicgpelg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famnbgil.dll"	Aecialmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnonkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll"	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gggmgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdgijhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajohfcpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflmkg32.dll"	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdnjfojj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbmlmmjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chiblk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 4732	3248	4a638800968b0c586ae6f184398825b0_NeikiAnalytics.exe	91
PID 3248 wrote to memory of 4732	3248	4a638800968b0c586ae6f184398825b0_NeikiAnalytics.exe	91
PID 3248 wrote to memory of 4732	3248	4a638800968b0c586ae6f184398825b0_NeikiAnalytics.exe	91
PID 4732 wrote to memory of 536	4732	Chiblk32.exe	92
PID 4732 wrote to memory of 536	4732	Chiblk32.exe	92
PID 4732 wrote to memory of 536	4732	Chiblk32.exe	92
PID 536 wrote to memory of 4004	536	Dpiplm32.exe	93
PID 536 wrote to memory of 4004	536	Dpiplm32.exe	93
PID 536 wrote to memory of 4004	536	Dpiplm32.exe	93
PID 4004 wrote to memory of 376	4004	Dnonkq32.exe	94
PID 4004 wrote to memory of 376	4004	Dnonkq32.exe	94
PID 4004 wrote to memory of 376	4004	Dnonkq32.exe	94
PID 376 wrote to memory of 528	376	Dggbcf32.exe	95
PID 376 wrote to memory of 528	376	Dggbcf32.exe	95
PID 376 wrote to memory of 528	376	Dggbcf32.exe	95
PID 528 wrote to memory of 1776	528	Dndgfpbo.exe	96
PID 528 wrote to memory of 1776	528	Dndgfpbo.exe	96
PID 528 wrote to memory of 1776	528	Dndgfpbo.exe	96
PID 1776 wrote to memory of 4752	1776	Ebaplnie.exe	97
PID 1776 wrote to memory of 4752	1776	Ebaplnie.exe	97
PID 1776 wrote to memory of 4752	1776	Ebaplnie.exe	97
PID 4752 wrote to memory of 696	4752	Eklajcmc.exe	98
PID 4752 wrote to memory of 696	4752	Eklajcmc.exe	98
PID 4752 wrote to memory of 696	4752	Eklajcmc.exe	98
PID 696 wrote to memory of 2320	696	Ekonpckp.exe	99
PID 696 wrote to memory of 2320	696	Ekonpckp.exe	99
PID 696 wrote to memory of 2320	696	Ekonpckp.exe	99
PID 2320 wrote to memory of 1052	2320	Ebkbbmqj.exe	100
PID 2320 wrote to memory of 1052	2320	Ebkbbmqj.exe	100
PID 2320 wrote to memory of 1052	2320	Ebkbbmqj.exe	100
PID 1052 wrote to memory of 3140	1052	Fbplml32.exe	101
PID 1052 wrote to memory of 3140	1052	Fbplml32.exe	101
PID 1052 wrote to memory of 3140	1052	Fbplml32.exe	101
PID 3140 wrote to memory of 1636	3140	Fnfmbmbi.exe	102
PID 3140 wrote to memory of 1636	3140	Fnfmbmbi.exe	102
PID 3140 wrote to memory of 1636	3140	Fnfmbmbi.exe	102
PID 1636 wrote to memory of 3448	1636	Fqgedh32.exe	103
PID 1636 wrote to memory of 3448	1636	Fqgedh32.exe	103
PID 1636 wrote to memory of 3448	1636	Fqgedh32.exe	103
PID 3448 wrote to memory of 2364	3448	Gicgpelg.exe	104
PID 3448 wrote to memory of 2364	3448	Gicgpelg.exe	104
PID 3448 wrote to memory of 2364	3448	Gicgpelg.exe	104
PID 2364 wrote to memory of 1808	2364	Gkdpbpih.exe	105
PID 2364 wrote to memory of 1808	2364	Gkdpbpih.exe	105
PID 2364 wrote to memory of 1808	2364	Gkdpbpih.exe	105
PID 1808 wrote to memory of 3452	1808	Gacepg32.exe	106
PID 1808 wrote to memory of 3452	1808	Gacepg32.exe	106
PID 1808 wrote to memory of 3452	1808	Gacepg32.exe	106
PID 3452 wrote to memory of 1172	3452	Hnlodjpa.exe	107
PID 3452 wrote to memory of 1172	3452	Hnlodjpa.exe	107
PID 3452 wrote to memory of 1172	3452	Hnlodjpa.exe	107
PID 1172 wrote to memory of 4228	1172	Iefphb32.exe	108
PID 1172 wrote to memory of 4228	1172	Iefphb32.exe	108
PID 1172 wrote to memory of 4228	1172	Iefphb32.exe	108
PID 4228 wrote to memory of 2416	4228	Iehmmb32.exe	109
PID 4228 wrote to memory of 2416	4228	Iehmmb32.exe	109
PID 4228 wrote to memory of 2416	4228	Iehmmb32.exe	109
PID 2416 wrote to memory of 3476	2416	Jekjcaef.exe	110
PID 2416 wrote to memory of 3476	2416	Jekjcaef.exe	110
PID 2416 wrote to memory of 3476	2416	Jekjcaef.exe	110
PID 3476 wrote to memory of 3332	3476	Kbhmbdle.exe	111
PID 3476 wrote to memory of 3332	3476	Kbhmbdle.exe	111
PID 3476 wrote to memory of 3332	3476	Kbhmbdle.exe	111
PID 3332 wrote to memory of 4340	3332	Khgbqkhj.exe	112

C:\Users\Admin\AppData\Local\Temp\4a638800968b0c586ae6f184398825b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a638800968b0c586ae6f184398825b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\SysWOW64\Chiblk32.exe
  C:\Windows\system32\Chiblk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\Dpiplm32.exe
    C:\Windows\system32\Dpiplm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\Dnonkq32.exe
      C:\Windows\system32\Dnonkq32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4004
    - - C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
      - C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Ebkbbmqj.exe
        
        C:\Windows\system32\Ebkbbmqj.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        25⤵
        Executes dropped EXE
        
        PID:844
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        28⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        45⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        51⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        59⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Gdnjfojj.exe
        
        C:\Windows\system32\Gdnjfojj.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Hepgkohh.exe
        
        C:\Windows\system32\Hepgkohh.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        73⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        77⤵
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        78⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        79⤵
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        81⤵
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        82⤵
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        83⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        88⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        89⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        95⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        99⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Aecialmb.exe
        
        C:\Windows\system32\Aecialmb.exe
        103⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Aeffgkkp.exe
        
        C:\Windows\system32\Aeffgkkp.exe
        104⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3800
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        106⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        107⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        110⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        111⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        112⤵
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        115⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        117⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        118⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        119⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        120⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 400
        121⤵
        Program crash
        
        PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5348 -ip 5348
1⤵
PID:5852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3664 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:7052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apngjd32.exe

Filesize
307KB

MD5
a30b36b37bff0d1373c75879a0d62a9f

SHA1
ab1fb022ce9a2e16a964f9f56509d9efb5641101

SHA256
20c058c7cdf9db9198edce7d2feed22d13094a01b717b220daf4f6a021dc818a

SHA512
1510e2c66d4af7049947f3b4d23ad1f01fc40dc60198b5d8c64b96ddc82aebf36fd30e559778e4df4328449a4252eef282f9bf86ac512e98f8daa4b65e66a389

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
307KB

MD5
71c068b74da0ccb1d0d5f54244c044b2

SHA1
af5a0c67e7597e6971425127086a0d7d1381b0e7

SHA256
b7172cf896064c9a44d66aeae704a4591b8e1383343a2d02e00ee5528305fc8d

SHA512
b5a59c4316a4c8330d81c94f4c6c3be78a2fd50abaff5f446bca4ca275f0adb8c7c27253c11f881e7d663d7b6e01b4cb78570001279e2f23723e67567ecc596a

Download Submit
C:\Windows\SysWOW64\Bbaclegm.exe

Filesize
307KB

MD5
25f6443763f048d9481729025569f496

SHA1
a199b144c117700e4f53835418e2b593a15a39f8

SHA256
5b3e9b23d4162ead9492febc7cf16e0564f59d7a32ce3d6275f7c9a20e371ce8

SHA512
a688d0e48257d54beccde3e0c85a847053b76d30fe9cb54aa2696c26de28027f7284afb3f4958c8dbc731547ead9032ab8b2689938c88c8421182eab87be758c

Download Submit
C:\Windows\SysWOW64\Bboffejp.exe

Filesize
307KB

MD5
36eef683cfcdb3cd11b24f88af196bb0

SHA1
969d4f567e07c92608ac25fcce9ab54d6c841c59

SHA256
88a76ad8a76e3cc8c108eda17c995948090ebea569a64d97618b36e018e96312

SHA512
b6308cfb9157854ac64503ef0e7aecbf2dbe8e12a68940e51ef1401fb09e1443bade9144b223a31e1306594cc7fd326ca1b3df56c79ba9516ea4ea3052ceb17b

Download Submit
C:\Windows\SysWOW64\Cbmlmmjd.exe

Filesize
307KB

MD5
6a291592a74120b03a09d31a0599c21a

SHA1
92f7633d99b2fca77a89db8ce0805ffaeda31c4b

SHA256
738065d86ca41bdd61fb1798f85fb8f7384735e25e56c90ef0256d6b56e0cd64

SHA512
fd3f8dff39fd2c9238b6c1aadf2511bf81c4ecd5609dad20199f3a1bfd7834353d9789faf6ba08a5af4f41a4a19111d71ab976674df9df69d18461332c4c32ee

Download Submit
C:\Windows\SysWOW64\Cdebfago.exe

Filesize
307KB

MD5
95f3ac3e40a9ebdb9dfd1aa37c392234

SHA1
c69fb6710e5a94e71f76057e1f4dab94bd9b4b65

SHA256
ae98c6359bf1e5b288278de56610862f65a530115d61db267d25f9a419466402

SHA512
352da2fd5227b8cc9425a732a97a4f003ddaf1eaa685a6436657185810cbe539ea1af0ec1349a69cc19648328b1865f3d007356a0137d1728c9448dd062d0cec

Download Submit
C:\Windows\SysWOW64\Cgmhcaac.exe

Filesize
307KB

MD5
fefefae3903b0eb2f6b3e1479084a6fd

SHA1
50b8e41fa169ba33bdc914c953275c08a4321684

SHA256
b55a3668c914e1ba40e8803c6d48345224170cbb403e297d62c855e42cda2e99

SHA512
e1bd3b435f4e56a601c80a11f772f2459a8400f00320ae7c2150c1727a826e2abc6752060f5c02182aa8d221662a1838f910c9cc8857adefab658baea85ac448

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
307KB

MD5
03e4d0f6fadee07fb3dd547bac2979b3

SHA1
7b79152cfe7d1a56f3c424dec4996c2381527492

SHA256
47a41475c221f4e3dc48a35c56520fbdc70e521dd541b4cbc8603b008ea89545

SHA512
b043bfac012921e37d26a22a95cb4b741d9cd0e6f4b24ca580db39304c914cb4238463ad26e33ba926c21c1d15ea7646f7c0f56eb527ee0e34a7e0359c4d744e

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
307KB

MD5
fe36d1e039b3f2ae00513bf639cc6245

SHA1
90e22e747ff9b346bdd9e58f00ffc817de92f821

SHA256
1c65ea9445bb8d1f56d656ab151998206677a471b1391fec7283a90f6ccd2a29

SHA512
196b0a2f4a74ef83bc339c36dcd8e067657d79fce8363d5604feac381a003737279856f66e06f92029dfd79f47a71a52bb0cc39f52ee480e45894f600041a4d1

Download Submit
C:\Windows\SysWOW64\Dggbcf32.exe

Filesize
307KB

MD5
681698c86f053b7f0a3cf04c60fc9ef1

SHA1
753c05f37d304a811784d2e45bd2f76766b9ce8e

SHA256
dfd49080067361c843f38353348fd68af34f56e6a338f8f05fbdf7f6725f08dc

SHA512
665512fca2438946c05d19ae4ddea7fa210c6bc42ca8a5b46452b317cb3b7df3566e9e51134432811be2a54c310df5d3d9c1f9185c4ba09c23f1e5eb2f15cda8

Download Submit
C:\Windows\SysWOW64\Dndgfpbo.exe

Filesize
307KB

MD5
b8924c7592275fd4c90741914523f9c1

SHA1
d52c286bd903ee683ce88b1dc64b5a67b2ed77bc

SHA256
52ddc44d29dd758666f2acb5d44277b297dd8953446e508d2ea50fbcf73f169a

SHA512
c348caaa7ce7dbb87dba991d4a1c79da6b21ee5681ba5c2dfd9886c8443e902c029bd25a79d90d73de4722515c66301f1ddf152ea5a7ae3553163320bab2911c

Download Submit
C:\Windows\SysWOW64\Dnonkq32.exe

Filesize
307KB

MD5
3c34d13a6692958f1c45ed574dd7cd02

SHA1
7d964b217b93c60d4f94320f78e88c0f284f289e

SHA256
da1a1503624a1672d42435ba7a2d5deb887a038c52b3e42f85a9670a728a5c6b

SHA512
af65235efe6f0b588eeaddde1a94dac35809a57d45588f0362fe65ffcd0393f36a65f6b7a16d38056d17bc23462c1faf3524d499b21ac80c07e892161234a4c0

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
307KB

MD5
0392449d62d0c2f72de998771c331bdd

SHA1
d8f9a0f207ad560490b1597ac3c2ac9132b63965

SHA256
a41b422519b376786a58bc4c124e9b0053d117508db02d574e84bcb8c588c6a0

SHA512
15121abddeaeb39aada295f109e7f45ec6cca30720f8894cafa3d0d12df200564ec53d4cd2162cd42d04dd8bdccf17469684f5ef0f407a6405ae2f23ac9395ab

Download Submit
C:\Windows\SysWOW64\Ebaplnie.exe

Filesize
307KB

MD5
0d8accd248a3dff3f8ddc37c04738904

SHA1
81c2e9f4a6e1d40c863a0155d2b2b6ece3a8b5f7

SHA256
57f909d27066ff5a5fb5fbf3a30dde8d23dd743cd02e118725f53b2c02c5c31e

SHA512
dd69fb58f72faea3a04b105059a54316ead3fcba02777c69ada38f7d811690a2298e7ad72846e47c9e6fbdaf613b64f4d291733e4b46f7a067e14d00666825d1

Download Submit
C:\Windows\SysWOW64\Ebkbbmqj.exe

Filesize
307KB

MD5
ed470eba9819019d8c1ea5b8845dcb6c

SHA1
b688a91c723d7d734621ac924ab9895fc5f6574a

SHA256
3cad4c6323997674267b3788764ef6236dc96d4317fdba7f11b938da3e0bd8d1

SHA512
f6d1fcda5a72d37cd97a644aa0e08af953d4f91fe994d300b395acd97163f00f578f4202ad0bbade4f788742498e48342accc01aa517a8391e21f9ef4b9b1b9b

Download Submit
C:\Windows\SysWOW64\Eklajcmc.exe

Filesize
307KB

MD5
986954f14d5df11d0d2fe87a1427324d

SHA1
49b7ed757ba946ee858f785a834ceb7986aae23f

SHA256
f9c6c36dafc12ad7c0b2259cf6ac8127bbd34858189da32b762aa09fae2b86e6

SHA512
8e271b881cd53ff506da2d57087a8ce352e7be575af4d7f6af220b98aee036224257713362c5fea1f2c7e08d9e8cf7922d55a37cf41a1cf951f2f1aa669e4477

Download Submit
C:\Windows\SysWOW64\Ekonpckp.exe

Filesize
307KB

MD5
7bb25768a417bcc13d89ee721d116056

SHA1
d56db1379ec01c590de06553f34a725fcf3e3f45

SHA256
e274bcc4df94b5549c82878156a5a0da084a3e6915a8fb23f08ac7d3f0169a9a

SHA512
a0c6a230545f48b665c16b783a822bef9babd63555cef87c28a733537b4003911a7fcd1ae779aead83ba5c3602b1927e00e8e89845b06de9d45bf182bf4fbf3d

Download Submit
C:\Windows\SysWOW64\Fbplml32.exe

Filesize
307KB

MD5
128b7b7cbc9aabb554738f28a87cd45f

SHA1
5f0edf8545d5384bf99f775d1da41d8a14d29b61

SHA256
9bc2b50c652adc53bcf8e33338e30588c1c1888fa02013c1d4770ab0aac936b7

SHA512
f87476877dd4a6e669b77c051f194a035a8058f0b27f80a10c4743e9e0f172a7e1716ff62b2c1e26a8567affa429985d79263295bac77bd6025663052acf6573

Download Submit
C:\Windows\SysWOW64\Fjjjgh32.exe

Filesize
307KB

MD5
cd149eb9a661ef204b8998577b6a1d4f

SHA1
04a499ddd0f3acbec2e2d4cff9cfd97ba07d3ba1

SHA256
c628a1f1a3376d8bce5198e841398c4467fc1cd4da7470ccb5ae93d0ca51186d

SHA512
2024747bd4a4c7dcd310246733d40a4131636200a6cb7a633474112a6a580a93dbc900fce0102bc5778ab7459cc0a1f4553f2ad323f0baf00f752f5a428f8a33

Download Submit
C:\Windows\SysWOW64\Fnfmbmbi.exe

Filesize
307KB

MD5
8974ad1a8e41f6d7e4f764d694391c32

SHA1
7ea07acd921e463f1ed79cea13aa6a0b797b400d

SHA256
ba44193125d451fc704b9478650e3f9007c674b502d9f486222f76713ab09a84

SHA512
afa4f5b593fd5560414db4fbe7818f6cea0887cf9e973198d7b99b5f156150447a6f76c639e79d02f566d2bb4cb18f37f46fd0139218b4cb959a60bb88a171d1

Download Submit
C:\Windows\SysWOW64\Fqgedh32.exe

Filesize
307KB

MD5
e74807320be5e610262ba4a9e72cdb7d

SHA1
4fd99b4fd68008b2344f6765e12318e7d4b14300

SHA256
356e2960a668430b02fb5de478015ca4e1e55e428b24bad66233e77c8885784b

SHA512
2a7de02ab0866d521c180a0712b3bbcc9c57d0e110be90ce7bda8bb2803dec27c5b2ca1d7cd33c2a9184a820e85196aca37e9e7b504cf1c871814752dbf94924

Download Submit
C:\Windows\SysWOW64\Gacepg32.exe

Filesize
307KB

MD5
c766896b4c6e036f69f3ff8d04d8380b

SHA1
41617c54b6f590353142d78608b8d5508ab810cc

SHA256
c4f56aeeda1d1b16a40096ea6dfc8e1fc2b965d292f857307e6ae2e9ffb8eaec

SHA512
ca22cc677cee27a65058abc81415f20deff5bfd7bb6a209433a689eba6b0470d59282eaddfc86ac2312bfedb97c5d7ec922d340ab3a319e8033b118b98ca3e7d

Download Submit
C:\Windows\SysWOW64\Gicgpelg.exe

Filesize
307KB

MD5
df7cb35d1513c668365e80330f516858

SHA1
725f82acf8df7f8d203761b6c3e63d4c66a72709

SHA256
21c90a81d4c5307a5de687df766a3cef005560fb94f9b51053ea319f697ff5d7

SHA512
ffb28489da26c361e9ae2167b464bbb2f6cb4f66d1fd060bcc2c47c48132852f7a8ea07e9ed5dc41987f0473cdcce42528737e4baa3c50219b8ff4fea5495d16

Download Submit
C:\Windows\SysWOW64\Gkdpbpih.exe

Filesize
307KB

MD5
9e4906da15189f9b28f7554476389bb5

SHA1
366089cf7b9f98405d06a94cd20fc5990974878c

SHA256
069f60b2d761a32753d18eed92418e77e53a740ad3b8fb13ffc7b322afa79bed

SHA512
545a015ff18f7fcc6769e399ec865197aa6e7bbaf56e8d0ba291820187c2fb020618d67513f8b8df986f9249527b2841d35bbbf3cfbb41705bc75b30d82650dc

Download Submit
C:\Windows\SysWOW64\Hgeihiac.exe

Filesize
192KB

MD5
3b112bf8af0c7aa539319acee794b6a4

SHA1
1bede04225e987031dfbfab1b1732cbcf5560158

SHA256
88b98398f3b485ee2e8a0d1f7805e969eca0678797b5fdb1473f4be110c1a23e

SHA512
65cf21d7f8f7b869e1a6deb62929aa748a82fbb802b4cfb3c01d129ee4863e6927240c6e4cddcc0ef02458af6aaa408fbd6d14215379b6f45e189a61552f3ab6

Download Submit
C:\Windows\SysWOW64\Hnlodjpa.exe

Filesize
307KB

MD5
ae43282d2162580b735b5702f44e24d2

SHA1
cf1511d17315ead956157a2e72a0975774be9100

SHA256
ee19774038f63a5b28794f3176a3c0303006dbfc5c3d180333ada6d796027a39

SHA512
0e240bfce9bc992efadb1d9221acfc1cb757ae2ae3be73f192c0d829527ef7476ede5c087ffc34555b64f17c8a3360baff4bad982998b85807b98508da070560

Download Submit
C:\Windows\SysWOW64\Iefphb32.exe

Filesize
307KB

MD5
7a3d8bb50f19ea50178034bfc1a6d0b8

SHA1
bacf2a3fc88d33324e2ab589a84bf443b47694a4

SHA256
1e056ee3657464dd73d51d2e2f32bea7938dbe8e65600dc30e646aaa4d776398

SHA512
32f76fe3878aaf9286708277ef208e5e8a4230b4725e1e5b40eba49d61f22bfc9327a0ac4106c7f76f2c44e874f2b93236f97b224d8430e4cc2621b73f5cae1d

Download Submit
C:\Windows\SysWOW64\Iehmmb32.exe

Filesize
307KB

MD5
2ab8a87318a1b9b2ceaab108cd5cf26c

SHA1
bf855e5fe93439db0ddc68bd5839d3e065673c14

SHA256
99e9787cd66fa309ccc385a454df2e2884bdabd2a099106f59178f632cc9e909

SHA512
5e4827faeb517df000442b3451c7668ec2c0d6d98053704f3ec952a922795c759cf25f8228a5fb36a8f455aaeed61f9bc8cfa7e8540b279d5e0861b81de85dfd

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
307KB

MD5
42e750879c3210f2ed2c130b75acae5c

SHA1
8d13629f069564df109a9852ecb9c4157e070b15

SHA256
4e22174c875d361dc082174fef0cd00fae04a2e6da0f6ebea30c02944cff9944

SHA512
7c6cae4a105be92b1507d70a5c723eded8b2fd6304b52833eea6fa95ac0cf170f7f83e7510ab01ad104f41ec66d43019ae4ba71bae66fee0c9e0d7e5c993dec8

Download Submit
C:\Windows\SysWOW64\Jekjcaef.exe

Filesize
307KB

MD5
3d032487d4e56c94c13d140ab12b5d05

SHA1
396bcf5ef02e9e82604af0a399025fed7dde2ce6

SHA256
f785fe813ac03714875513117130ccbc871b1c238d2f5cb2d2536a855cdfd2db

SHA512
d519588fe23618cd824719ff90ae45330bd43ed482f5ee37686ec4da4bca9012c201c540e5c588e4bd6a969f5477b94a066fb0d6e58642345da292c67227c6d7

Download Submit
C:\Windows\SysWOW64\Kbhmbdle.exe

Filesize
307KB

MD5
453ab40c173ae266baeb9af9d2a3560b

SHA1
de910f2427b0019e7e86a5a2e06fc24a95e0935f

SHA256
63cf826d8487837e1daf3bfc8da59db4562e2d4976646d8e80a87fa3dad006fb

SHA512
a39f44e112af7389f1321cb88ee0b9ca8eab070e0c21b73bc7269cadf416773dbc46c8dd280e92ac45f804ccf71d17e4c331a0e53a80504c2ebd6c8949059ce2

Download Submit
C:\Windows\SysWOW64\Khgbqkhj.exe

Filesize
307KB

MD5
633b6f916e12c2930525d289c71cd85b

SHA1
0e97fdb6bfdb036ed76c801bce6df9614cae171f

SHA256
ffb693f0acf780389dc80c0e5758a3ebcc1439f655adb74316ef4274f9ec5b85

SHA512
b200d40785243bee090f3df80ff65ea6360d69ce2def7e1108f988a4ce0fbd1cb6529222a0b6ee2e04810133dcc454dab17e249b5aa4f65f4416a0cdaf772a5f

Download Submit
C:\Windows\SysWOW64\Lknjhokg.exe

Filesize
307KB

MD5
0963df06da96a584a8863abeac74fc86

SHA1
5b331a32cf44ea152b3d1ca77b3da225e50a4ae4

SHA256
7983c1357b51637a2aedac17aa38ec6f0eadd4c215d9e467e1ab0c6b7ca71fde

SHA512
23aba3475d237cc519c7d11b191c07de13f0c1d328ab8e386c047b5d3969fc7f5a4ab1c75657b0370cb6297b48a7bbde2bb93828b3f9c069e34a531de5b73a18

Download Submit
C:\Windows\SysWOW64\Llnnmhfe.exe

Filesize
307KB

MD5
b114122bf7c086924ff6c33cb2be8f7a

SHA1
3ce4cb57f94bbbc2d7e6bc5e471993aa65b6b5b5

SHA256
369f322c8bc4ee456f0b120564b47e1a678c4068ab47549c759e4fc56f46c265

SHA512
ecd29dde856775509bd007175dc8cc15e07fdbb32f92938d7f2541742430b62888066af2f17649db230564d4aae9544ec78165441ae6b7305f4b4a1310aab46f

Download Submit
C:\Windows\SysWOW64\Mcdeeq32.exe

Filesize
307KB

MD5
4a0b5049289c06cddcdcc2387131d7a5

SHA1
15fcc7dca42ea0ec67fe4b28a7dda005628f8096

SHA256
497152c28ed5906e659731f8f984ee7413902aba7077ef9ba400c6bf97144398

SHA512
55fea83e642391f92f9dac23ab2137ecc5f2548f9f3c6fd2c177ae7343d0c9a2298ddaf424a766a68468a87b12e4155ee9ca650c77c797b99b6e6d2ed5e36e00

Download Submit
C:\Windows\SysWOW64\Mfkkqmiq.exe

Filesize
307KB

MD5
d6a34e0d5b22fedaf7da26b967bc21c4

SHA1
a54f7db2be1d15a0bc11d55cfe87bd943d5166ed

SHA256
54b032abeb83245186a3d6f38a0787d42faf96567722f197a4693c970bebfc9a

SHA512
69dec016a46648e36e5e5378d4c0808e28e0d742e3f7af9299336c0853d654963e635b44014adbd2e839fa38c7aa16da115874bf437949e61ac6ece47d899095

Download Submit
C:\Windows\SysWOW64\Mhldbh32.exe

Filesize
307KB

MD5
42cd7b502168cc3988370f27f5a51a23

SHA1
67bd76e61f8de71b39a37b0a5e040a67a14773a7

SHA256
21ea21c16d98d989b8fb5d126d97a8568195b12951992bc21ef10535fb420c70

SHA512
bc08016cc0be9661aa79324ca9ac6b0f23f389ca89a03f2e5563c2ad9714d199e7483cec5033b3512abd6842397e2901dc1fe66bb6f92b473a661c7752c28fb1

Download Submit
C:\Windows\SysWOW64\Mkocol32.exe

Filesize
307KB

MD5
c13fb95ab6a1eb6bec4ab8a830e01b98

SHA1
4336e7a91bd4e3a30c1f2b275d9c6a462f54572a

SHA256
5e87da3e3ebedc130c00a2740d6031cb0563338525b41bf25e2877cf06a1a2e4

SHA512
90cf867e090076a9373860b18d427d2418f14cef2938778ffd3179fb96bb8c3a06af8dde58dd70619a989a68f8adf1e24602180f9d05385a94f4f373591f00fc

Download Submit
C:\Windows\SysWOW64\Nfnamjhk.exe

Filesize
307KB

MD5
38ec1be4f9a6b9da111c8794eda33896

SHA1
1f85a58e711187934f17826232133ba55fb7ef17

SHA256
d1d17794f00eb716a8058f98603deae7b865da888bf26e0cac8881037a588731

SHA512
7ec694710990620dc3278245b398098fe0ceff75d4331bb9eedde56d412fffc58e3acc3fa396a06c46a90869ff8eeb2145cecced157302dd03df24cbffe1dd27

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
307KB

MD5
0901fdeba2b693393d504284f97eaf39

SHA1
a9bcb8726a3684e7f43cdb75ed75d130ac001a0e

SHA256
60877d8108cb44718922866c882fcfdecea42bf006d5f5af12f6a6d83b2fc58b

SHA512
16dd0e5e64746dad9bf6953f2939d52eab909acef0f64cc6a29b3d248e9684c5a5953a9ca62c46bfd7719835eec65157d2082e6c3d0a4bb208829927019df82b

Download Submit
C:\Windows\SysWOW64\Nqoloc32.exe

Filesize
307KB

MD5
27b17ad35d3c37250b044425317c46c7

SHA1
fa934f80e9ba0dc4a5313d27dccc4a0b169459fe

SHA256
cea110638c7e9dc8eff2fe44389fbc86cb6476794430e4db2d4450bfb71d068d

SHA512
03b1cbd366c431753222fc9a02dbab3a143224b6dba3fe8a25a23b5854c14e01e2e7fe978d72a307426b51074cf40ff807b1a1a6d3828b9dcbab0322f53a9461

Download Submit
C:\Windows\SysWOW64\Ocdnln32.exe

Filesize
307KB

MD5
18e220aed74e653267e4ff9df51b2573

SHA1
d17ad0af13b04a5ba721147f6d1f36833d472419

SHA256
c7276618d4c473f333a1e4c887e4a05bf1fad81d4241f5107d3b6aca9ad7389f

SHA512
c967ea8cb1d618492dbccbb76b98b7b4febe72fe884ad0e5baed1d8edf96df52cfea9a15a5c5373962c4e7bd9ee1196352d6d28784426d2d134a31b163ccfb84

Download Submit
C:\Windows\SysWOW64\Ofjqihnn.exe

Filesize
307KB

MD5
9d0998502444b48c1842a66ca70fb14c

SHA1
2954208152bcb3d376d75cf99240cc2867037fe8

SHA256
34a421504baadb5a3ff2f63aad93064873002445379ad98078977a3b95236f84

SHA512
b065aab701851544d8d73f10e680c992734dd3baf920bdb36d0704c5f2193ce498eab0e72473c178582560eeb3c780d5f2cf72c9b3f043cb90600d3f5e0e4ae2

Download Submit
C:\Windows\SysWOW64\Omopjcjp.exe

Filesize
307KB

MD5
e3ecf4fa592fe1c5fa6208785fe30a91

SHA1
3fea9a78a001def185e3296161f06a0cf254eb20

SHA256
0e2a8b802ee85142f0ff2b25ecec8cf349df6d1df869cf559f56732db00979fb

SHA512
dae95614139797f0ca792c99b4e75f14a98de32f10898c9d89b9912a619879f04fed2f39e19290826a4d87c91a33e4d9aace8c584f36bbb2ebedf97cca419e87

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
307KB

MD5
f4356d6d5be3db91a4493da731dceed2

SHA1
999cb21a57f944f1228203fe3d785e7d3394f183

SHA256
8d255865092e274690c3c23acf3c0af348b55acdd8195c99f9c4704c74b57c62

SHA512
faddf3bf17f6672127171151e194861bdbb092f295b252600be9a43b8df677b99d0e4199c975b241fe8becf53e9766b1476fd20d0b6cae4746875242e77d0b85

Download Submit
C:\Windows\SysWOW64\Pbgqdb32.exe

Filesize
307KB

MD5
99132940324f24ef50d84c42359edbf5

SHA1
9f415b1dc4f5e222e1824e4f8479135b8fbd58a1

SHA256
0af1fb6eacd82c878e2d198106470affbf56b2cc6ec83c9b7871a7e3e4f28a1e

SHA512
2b1c6e6c277c756635dc4f7ab8a2445d05a81cefd3081b2768528d08665e29ac7375b9ef3d774dd19dac37d413f769355534c0155148ee302fabdddbf604289a

Download Submit
C:\Windows\SysWOW64\Pfhmjf32.exe

Filesize
307KB

MD5
a134b825d4198071b3a6835b64f81d5d

SHA1
ae4e0d9557ec340b5875399486332bbf286cfb34

SHA256
b86f5d85bc1bce203c7a5707532664682b6e9d4569f5bb5993aa07e169db64ee

SHA512
32ddd0ec2d42fa78f430211281176b9767d89c90e4b6a269589f1a3762049b4eac93c60d104881de31e474296b53e3b53afd552b90512060124e37222b5c7687

Download Submit
C:\Windows\SysWOW64\Pqbala32.exe

Filesize
307KB

MD5
609788d368b05389f859c606f1cb4646

SHA1
b916baa5e1fe7e9d4c63a90f07202a23d6d6e5f9

SHA256
7a705e02fa71c403e1ce54ea4fab888a5824133f09abde5a56f779b878e946c8

SHA512
c7adf10f54e10f070520b69b1e902d0491e9f38d2f4e5e0f5a4f42c9774aae0e6733af6c51979019de01081a080bef5b36839c3d53a445d25e0e5b0b9256037c

Download Submit
memory/220-630-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-601-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3248-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-637-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-629-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-608-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-628-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5144-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5176-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5236-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5284-602-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5328-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5372-615-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5416-622-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5460-635-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5516-638-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5560-644-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5608-650-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5668-661-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5716-662-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads