a92ff098fa8747d71eb2416ba80fbfe549bc321b7864224f756c5695bac50128

Analysis

max time kernel
140s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e45a61207b1f49762e44dae6b55a530_NeikiAnalytics.exe
Size

64KB
MD5

1e45a61207b1f49762e44dae6b55a530
SHA1

71bde7b924eb7515c7e4f5100ab1ce958944f5f6
SHA256

a92ff098fa8747d71eb2416ba80fbfe549bc321b7864224f756c5695bac50128
SHA512

d3204f55a1ece158060ccbfb0e764e96f9a3f17225ed7edf65e5120ab3093e5c6387b0ee5d55824778962045e3c1366a2fdffe63c261b9a8fef9e59a47d615a8
SSDEEP

1536:V6jrdCW/AAaDNU6HAfFLoOC+4wUXruCHcpzt/Idn:VSrdR/AHU6HAfFLoO/pFwn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlifnphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlmchoan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgapmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdlfjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nchhfild.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllagh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnnmhfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enkmfolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mccokj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnlme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gglfbkin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqdkkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlbpma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjhbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidehpea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mociol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkohchko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qclmck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adepji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofegni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicgpelg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlikkkhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edionhpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekjded32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iialhaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdiakp32.exe

Executes dropped EXE 64 IoCs

pid	Process
1460	Ogekbb32.exe
4636	Pccahbmn.exe
368	Pfdjinjo.exe
2268	Pplobcpp.exe
4748	Pdjgha32.exe
3240	Qhhpop32.exe
3560	Qodeajbg.exe
3688	Adcjop32.exe
4548	Amnlme32.exe
4500	Apodoq32.exe
4376	Bgkiaj32.exe
2832	Bmhocd32.exe
3464	Bphgeo32.exe
1864	Bahdob32.exe
4920	Cdimqm32.exe
404	Cammjakm.exe
4076	Cpbjkn32.exe
2876	Cdpcal32.exe
2236	Dafppp32.exe
3716	Dgeenfog.exe
2336	Dndgfpbo.exe
4756	Ekjded32.exe
3476	Enkmfolf.exe
4244	Egened32.exe
2516	Edionhpn.exe
4408	Fdlkdhnk.exe
4580	Fkhpfbce.exe
3572	Gicgpelg.exe
1756	Gkdpbpih.exe
1824	Gpaihooo.exe
2140	Giljfddl.exe
4004	Hlmchoan.exe
2060	Hldiinke.exe
1376	Ilibdmgp.exe
1664	Ilkoim32.exe
1876	Iiopca32.exe
4352	Iialhaad.exe
4712	Iamamcop.exe
4392	Jppnpjel.exe
4848	Jlikkkhn.exe
1216	Kedlip32.exe
1180	Kakmna32.exe
5084	Kidben32.exe
4416	Kekbjo32.exe
3848	Klggli32.exe
1268	Lpepbgbd.exe
2620	Lllagh32.exe
3192	Llnnmhfe.exe
4608	Mjggal32.exe
3608	Mhldbh32.exe
1368	Mhoahh32.exe
2168	Mfbaalbi.exe
916	Nciopppp.exe
688	Nckkfp32.exe
4356	Nqoloc32.exe
772	Ncpeaoih.exe
5008	Nqcejcha.exe
4456	Nmjfodne.exe
4912	Ofckhj32.exe
3260	Ofegni32.exe
4504	Oifppdpd.exe
2784	Ojemig32.exe
832	Oqoefand.exe
2900	Pmmlla32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ilkoim32.exe	Ilibdmgp.exe
File created	C:\Windows\SysWOW64\Jlfhke32.exe	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Deocpk32.dll	Hldiinke.exe
File created	C:\Windows\SysWOW64\Olqjha32.dll	Ajmladbl.exe
File created	C:\Windows\SysWOW64\Gdqeooaa.dll	Jnedgq32.exe
File created	C:\Windows\SysWOW64\Mjaonjaj.dll	Egened32.exe
File created	C:\Windows\SysWOW64\Nckkfp32.exe	Nciopppp.exe
File created	C:\Windows\SysWOW64\Akmcfjdp.dll	Nckkfp32.exe
File opened for modification	C:\Windows\SysWOW64\Ofckhj32.exe	Nmjfodne.exe
File created	C:\Windows\SysWOW64\Kaopoj32.exe	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Glqfgdpo.dll	Mhldbh32.exe
File created	C:\Windows\SysWOW64\Qpbnhl32.exe	Qclmck32.exe
File opened for modification	C:\Windows\SysWOW64\Pcfmneaa.exe	Peempn32.exe
File created	C:\Windows\SysWOW64\Lpepbgbd.exe	Klggli32.exe
File opened for modification	C:\Windows\SysWOW64\Aidehpea.exe	Aibibp32.exe
File opened for modification	C:\Windows\SysWOW64\Bdlfjh32.exe	Ajdbac32.exe
File opened for modification	C:\Windows\SysWOW64\Peempn32.exe	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Pjhfcm32.dll	Qclmck32.exe
File created	C:\Windows\SysWOW64\Nmlpen32.dll	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Edihdb32.exe
File created	C:\Windows\SysWOW64\Hnbnjc32.exe	Hghfnioq.exe
File opened for modification	C:\Windows\SysWOW64\Cdpcal32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Bkfmmb32.dll	Nciopppp.exe
File created	C:\Windows\SysWOW64\Adepji32.exe	Ajmladbl.exe
File created	C:\Windows\SysWOW64\Aanfno32.dll	Iialhaad.exe
File created	C:\Windows\SysWOW64\Kidben32.exe	Kakmna32.exe
File opened for modification	C:\Windows\SysWOW64\Mhldbh32.exe	Mjggal32.exe
File created	C:\Windows\SysWOW64\Enkmfolf.exe	Ekjded32.exe
File opened for modification	C:\Windows\SysWOW64\Dgeenfog.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Haclqq32.dll	Gkdpbpih.exe
File opened for modification	C:\Windows\SysWOW64\Cpbjkn32.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Cammjakm.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Nqobhgmh.dll	Mfbaalbi.exe
File created	C:\Windows\SysWOW64\Bcominjm.dll	Bfaigclq.exe
File created	C:\Windows\SysWOW64\Jhmhpfmi.exe	Jnedgq32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidna32.exe	Nchhfild.exe
File opened for modification	C:\Windows\SysWOW64\Apodoq32.exe	Amnlme32.exe
File created	C:\Windows\SysWOW64\Ckbcpc32.dll	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Eiacog32.dll	Iamamcop.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Bahdob32.exe
File opened for modification	C:\Windows\SysWOW64\Iamamcop.exe	Iialhaad.exe
File opened for modification	C:\Windows\SysWOW64\Kakmna32.exe	Kedlip32.exe
File created	C:\Windows\SysWOW64\Ajmladbl.exe	Abcgjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bmhocd32.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Fhkkfnao.dll	Iajmmm32.exe
File opened for modification	C:\Windows\SysWOW64\Obkahddl.exe	Oloipmfd.exe
File created	C:\Windows\SysWOW64\Ooangh32.exe	Odljjo32.exe
File opened for modification	C:\Windows\SysWOW64\Ofegni32.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Nqoloc32.exe	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Foolmeif.dll	Cildom32.exe
File created	C:\Windows\SysWOW64\Gjecbd32.dll	Bmhocd32.exe
File opened for modification	C:\Windows\SysWOW64\Aibibp32.exe	Adepji32.exe
File opened for modification	C:\Windows\SysWOW64\Jnedgq32.exe	Jlfhke32.exe
File created	C:\Windows\SysWOW64\Kannaq32.dll	Peempn32.exe
File created	C:\Windows\SysWOW64\Oifppdpd.exe	Ofegni32.exe
File created	C:\Windows\SysWOW64\Lchfjc32.dll	Nooikj32.exe
File created	C:\Windows\SysWOW64\Moefdljc.exe	Mociol32.exe
File created	C:\Windows\SysWOW64\Qodeajbg.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Bghgmioe.dll	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Fcndmiqg.dll	Llnnmhfe.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Gkoplk32.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Afgfhaab.dll	Jjgkab32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1e45a61207b1f49762e44dae6b55a530_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gglfbkin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klggli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmeemdg.dll"	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjhbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnblldi.dll"	Giljfddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll"	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbjnhape.dll"	Hlmchoan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnedgk32.dll"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilkoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjfdocc.dll"	Qjhbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll"	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enkmfolf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egened32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlmchoan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camgolnm.dll"	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkoplk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnbnjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhomdeb.dll"	Kocphojh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlifnphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfkeihph.dll"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjkcfod.dll"	Edionhpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giljfddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmqghl.dll"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdelednc.dll"	Hkohchko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglafhih.dll"	Iiopca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giljfddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfioldni.dll"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll"	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iamamcop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdjpphi.dll"	Obkahddl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjggal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajmladbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpbnhl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 1460	4000	1e45a61207b1f49762e44dae6b55a530_NeikiAnalytics.exe	91
PID 4000 wrote to memory of 1460	4000	1e45a61207b1f49762e44dae6b55a530_NeikiAnalytics.exe	91
PID 4000 wrote to memory of 1460	4000	1e45a61207b1f49762e44dae6b55a530_NeikiAnalytics.exe	91
PID 1460 wrote to memory of 4636	1460	Ogekbb32.exe	92
PID 1460 wrote to memory of 4636	1460	Ogekbb32.exe	92
PID 1460 wrote to memory of 4636	1460	Ogekbb32.exe	92
PID 4636 wrote to memory of 368	4636	Pccahbmn.exe	93
PID 4636 wrote to memory of 368	4636	Pccahbmn.exe	93
PID 4636 wrote to memory of 368	4636	Pccahbmn.exe	93
PID 368 wrote to memory of 2268	368	Pfdjinjo.exe	94
PID 368 wrote to memory of 2268	368	Pfdjinjo.exe	94
PID 368 wrote to memory of 2268	368	Pfdjinjo.exe	94
PID 2268 wrote to memory of 4748	2268	Pplobcpp.exe	95
PID 2268 wrote to memory of 4748	2268	Pplobcpp.exe	95
PID 2268 wrote to memory of 4748	2268	Pplobcpp.exe	95
PID 4748 wrote to memory of 3240	4748	Pdjgha32.exe	96
PID 4748 wrote to memory of 3240	4748	Pdjgha32.exe	96
PID 4748 wrote to memory of 3240	4748	Pdjgha32.exe	96
PID 3240 wrote to memory of 3560	3240	Qhhpop32.exe	97
PID 3240 wrote to memory of 3560	3240	Qhhpop32.exe	97
PID 3240 wrote to memory of 3560	3240	Qhhpop32.exe	97
PID 3560 wrote to memory of 3688	3560	Qodeajbg.exe	98
PID 3560 wrote to memory of 3688	3560	Qodeajbg.exe	98
PID 3560 wrote to memory of 3688	3560	Qodeajbg.exe	98
PID 3688 wrote to memory of 4548	3688	Adcjop32.exe	99
PID 3688 wrote to memory of 4548	3688	Adcjop32.exe	99
PID 3688 wrote to memory of 4548	3688	Adcjop32.exe	99
PID 4548 wrote to memory of 4500	4548	Amnlme32.exe	100
PID 4548 wrote to memory of 4500	4548	Amnlme32.exe	100
PID 4548 wrote to memory of 4500	4548	Amnlme32.exe	100
PID 4500 wrote to memory of 4376	4500	Apodoq32.exe	101
PID 4500 wrote to memory of 4376	4500	Apodoq32.exe	101
PID 4500 wrote to memory of 4376	4500	Apodoq32.exe	101
PID 4376 wrote to memory of 2832	4376	Bgkiaj32.exe	102
PID 4376 wrote to memory of 2832	4376	Bgkiaj32.exe	102
PID 4376 wrote to memory of 2832	4376	Bgkiaj32.exe	102
PID 2832 wrote to memory of 3464	2832	Bmhocd32.exe	103
PID 2832 wrote to memory of 3464	2832	Bmhocd32.exe	103
PID 2832 wrote to memory of 3464	2832	Bmhocd32.exe	103
PID 3464 wrote to memory of 1864	3464	Bphgeo32.exe	104
PID 3464 wrote to memory of 1864	3464	Bphgeo32.exe	104
PID 3464 wrote to memory of 1864	3464	Bphgeo32.exe	104
PID 1864 wrote to memory of 4920	1864	Bahdob32.exe	105
PID 1864 wrote to memory of 4920	1864	Bahdob32.exe	105
PID 1864 wrote to memory of 4920	1864	Bahdob32.exe	105
PID 4920 wrote to memory of 404	4920	Cdimqm32.exe	106
PID 4920 wrote to memory of 404	4920	Cdimqm32.exe	106
PID 4920 wrote to memory of 404	4920	Cdimqm32.exe	106
PID 404 wrote to memory of 4076	404	Cammjakm.exe	107
PID 404 wrote to memory of 4076	404	Cammjakm.exe	107
PID 404 wrote to memory of 4076	404	Cammjakm.exe	107
PID 4076 wrote to memory of 2876	4076	Cpbjkn32.exe	108
PID 4076 wrote to memory of 2876	4076	Cpbjkn32.exe	108
PID 4076 wrote to memory of 2876	4076	Cpbjkn32.exe	108
PID 2876 wrote to memory of 2236	2876	Cdpcal32.exe	109
PID 2876 wrote to memory of 2236	2876	Cdpcal32.exe	109
PID 2876 wrote to memory of 2236	2876	Cdpcal32.exe	109
PID 2236 wrote to memory of 3716	2236	Dafppp32.exe	110
PID 2236 wrote to memory of 3716	2236	Dafppp32.exe	110
PID 2236 wrote to memory of 3716	2236	Dafppp32.exe	110
PID 3716 wrote to memory of 2336	3716	Dgeenfog.exe	111
PID 3716 wrote to memory of 2336	3716	Dgeenfog.exe	111
PID 3716 wrote to memory of 2336	3716	Dgeenfog.exe	111
PID 2336 wrote to memory of 4756	2336	Dndgfpbo.exe	112

C:\Users\Admin\AppData\Local\Temp\1e45a61207b1f49762e44dae6b55a530_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1e45a61207b1f49762e44dae6b55a530_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\Ogekbb32.exe
  C:\Windows\system32\Ogekbb32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\Pccahbmn.exe
    C:\Windows\system32\Pccahbmn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Windows\SysWOW64\Pfdjinjo.exe
      C:\Windows\system32\Pfdjinjo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:368
    - - C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
      - C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Enkmfolf.exe
        
        C:\Windows\system32\Enkmfolf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        27⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        28⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Gicgpelg.exe
        
        C:\Windows\system32\Gicgpelg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        31⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        40⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        44⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        45⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        52⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        56⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        57⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        58⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        62⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        63⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        65⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        66⤵
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        73⤵
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1564
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        77⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        79⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:728
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1804
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        85⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        86⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        90⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        91⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        93⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5692
        
        C:\Windows\SysWOW64\Gjhfif32.exe
        
        C:\Windows\system32\Gjhfif32.exe
        96⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Gglfbkin.exe
        
        C:\Windows\system32\Gglfbkin.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Hqdkkp32.exe
        
        C:\Windows\system32\Hqdkkp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5872
        
        C:\Windows\SysWOW64\Hkohchko.exe
        
        C:\Windows\system32\Hkohchko.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Hghfnioq.exe
        
        C:\Windows\system32\Hghfnioq.exe
        101⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        102⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Ijmhkchl.exe
        
        C:\Windows\system32\Ijmhkchl.exe
        103⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        105⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        110⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        113⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        117⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        120⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        122⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        125⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        126⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        128⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        129⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        130⤵
        Drops file in System32 directory
        
        PID:6252
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        131⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        132⤵
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6388
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        134⤵
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        135⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        136⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        137⤵
        
        PID:6568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:6880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcgjg32.exe

Filesize
64KB

MD5
0368c2b595626c33ba69d59733b2ecad

SHA1
4a90e23a69c0d4455734b7f460c453fa3972a834

SHA256
e0d34d93157529f7de00ee9ff4e6104e899cc570728616f0e6641c53172db496

SHA512
c0d41f87fa92ea135b15267d5f7658f033c70b587649b16b54df308af391ec67d5d4c80c25308dcee81a2e306dfa5140a096a2b376b04682b55992e2098a0878

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe

Filesize
64KB

MD5
52916bd976f01aef14b74df0b1d60031

SHA1
8f9241448e93d6414f50799c31a8bb371a6636d1

SHA256
9883b82ce9736fd027492a3f7968974a93cccb76e73c40105c1abe476fee3cc1

SHA512
be66fa285d64bdfdc08d4ef7606d939810cd669b1263b0238c8a83ff8bf07d33bce0e4c32cbc013937904b13d174d32f3d10c3436104e5350ed5fff67e08a5aa

Download Submit
C:\Windows\SysWOW64\Aidehpea.exe

Filesize
64KB

MD5
acb59a4b7a30a3a1f00ef0ed666f444d

SHA1
f68d486a651cfd58da4c671978ca8e904a108e5c

SHA256
4d65d8b947d5da87f422056bbbda18031d7b6f3b6a5ae3461e80add8441c94ef

SHA512
cfcb29ab997133ddec0981c63381f4dc4b9116a3c6d096904885d9f7aef4989687ed9fca5045dbdb691b006f63c3d6b0058483776fa15e6e294d1ca28a872407

Download Submit
C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
64KB

MD5
af7969bda65f06bfef950f968766ac78

SHA1
4922afbe473b37728838c7f29e23b5ca52b8fc45

SHA256
923f6fa2efbd904165c7ca0fcad35bd114029c8807a79a2b01a106a9dd56fd5b

SHA512
b3da795a2c2448cc3063c7111cd3208a7d7ad4c852fc0231f754e0a9c0ab0014905af41628130ee0ff05d8b86ab0eb950f40b7958d979367d6f56fdc9ee846ec

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
64KB

MD5
1c13ddda2cc9fa8fe49c5b971de35514

SHA1
143f6058bd71a9fca51bf85159f7958eeb15e721

SHA256
394480a59110dec3e04148d4f0f87b565cc89582c3b10eaa6ae6bb67e8ea9d18

SHA512
c2c0e8c7ce953a44d0b32984be4761f0d13ccc0edf3db76a740187bd38733c267c48019be8921ab163f53cf00f5d083daf87198c7b414e3d7f0dcbc2ba19606d

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
64KB

MD5
cc17e2658d476f17ea5b8b1adabad919

SHA1
e5924b7318a82f36215bf3d2f1c4405bff273df6

SHA256
a5ad145e9c7569fb81aa5e61cf18b453a68b2c33c908d6a838a1a351157db397

SHA512
032e4dbb76474a6cedbbae110ad8d15be6297d32073c30bc804521f57951b686b13e219dd817e9269e1c76cbc1fff17aa0fe0e2450908bb6e1dfaa081ece13a4

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
64KB

MD5
64ef57194b319a3007a6165b37e26ecf

SHA1
dd9626fb7c318a013f368cca293529a1c504e225

SHA256
ea96f4d693cfe09d633c3c607c9680bae71d6e8194c5a6609093bfd013134ae8

SHA512
fd832fe35e7dfa27186bb273f526d14235633454d445a0c32ffbe1486f856e1d9f014136ce0b4fc0885ea8ee2f310d01a1ea57adb073a829689340db7690cf78

Download Submit
C:\Windows\SysWOW64\Bfaigclq.exe

Filesize
64KB

MD5
8f431a879c18a94eb1339df6eb664990

SHA1
c3faa4b1920a405193f96f8a479455897668a548

SHA256
abebf46e7dab6354692eed9d9c82461cbf0bbe38ac574c2e5e0dbbaa3a9b27b9

SHA512
da930012a5041ea0c9fcb9a235ccd9b8e39bbe3849009e5af89e3f599b497d0245b8a864660eff662a6d871cadfec3f8b7958c6ec48a78973d0b6da1f0329681

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
64KB

MD5
934d00a2e76b0c8b02f8ff6e9322b6df

SHA1
aa9d89bafb23084ee06884bae606b009ff9c0c6d

SHA256
15165e63d50360b81a3f7888226ae080813845f332fbd24ac41655f2d3abd649

SHA512
ec572bbcbac8dff01a6d2c8a6d14dc47d25e5868e12ff0c497db85a1d7000776f31d4afd04f9964cb8fecb2f22441e189f7526006ac35e56259e345184894c93

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
64KB

MD5
74d16a9f7d537cf5cf3de425ace90d1b

SHA1
32c23ff0c62da7deee184ac314630d0a176fdbe5

SHA256
b5f1476d79ad37ed70aa4ac7b4e52f2dce886d21dedc146eeb9df493c569bcda

SHA512
f3fa294c015334847a5378cb7fe7f808c0261f26b09fb0249c5bd8be7b57341c0620724b7d5e4cf6f905daa69db93d5443ed94fce2bd918f108e5bb066aa270b

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
64KB

MD5
9a70abfb819e568414b90f837507a371

SHA1
4ee81f18dabfcb4e750702195e577ad35debc760

SHA256
0b4d41eeffdcdbaaa3a26b244625816402e1a68a7afea965f28c4a48fc429d57

SHA512
777542c6e3064054581ea6954a99eea7b64330001f03aeaf72a19be54bdf581d368b89594856b3e65f59c8381ab88e0e08b4ead1a588bbd43fe11306f66af132

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
64KB

MD5
7d40c50dae2dc810ca14c5d775a8e111

SHA1
04f776f6418e21e8532ef93161c5baa3d57df7c7

SHA256
fa5ec58eea3ea2a956929b766af046dc6b18740987455827f5765e35f6b4ba67

SHA512
34e8d5699864e739026224dcef7cc5e1afa73dbc4483ea6e15d06d1e0f5b9420fc0cf0a4b5ef6f88f2da71d31b1bf85503ccfdcfa9a40ac47802447fc63b719d

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
64KB

MD5
400c9ce7a9fa4d43432b4302e1034aa4

SHA1
418aeee80cc1046fb3137161daa99224af2eacd4

SHA256
8f36324ce814209d282bed3b39306806f9451a676491f1fc9a63105e60c1fcc8

SHA512
f2f248d5fc5af5d1637588fed8ffd67550d32f6ed7b1099e5a94ee2bfa4afff116376829021cee0f7a9b8b07b1665aa6ff515dba972f35ebc98976889f55a5b5

Download Submit
C:\Windows\SysWOW64\Cdpcal32.exe

Filesize
64KB

MD5
a675e40515c3570daa5f8688b4b5667e

SHA1
727d9254ca2a99bb109c3369941e2881e35c597e

SHA256
5db140aaef6dda6647119854263234a70453b444583a9b3981904d5257fed534

SHA512
12b661876f690314208af096c41574366c995cdcf22f9822e266abe853a3075cf341737a3c20146cb354a3eb1a213ea73f754917f154daa4ff176b87b10b328f

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
64KB

MD5
362cac527def8a6903dca9bfeb9d4e23

SHA1
cfae2b5b52f82947fdc0e39b5a7727c0a40eb1ac

SHA256
abf662893476de77acdae7d1196b56db714864d077b4c8bb63a65f2c29b563f2

SHA512
29fe9c2842312ea1027866cf91b14c7736f4a5de269f69d7e5360968a473086301da9dd058372d0eed0c69b3aed0497c78da37839c49c45528fd9f452f8177e2

Download Submit
C:\Windows\SysWOW64\Cpljehpo.exe

Filesize
64KB

MD5
4c707860bb9022745bd12fcfa8b95e83

SHA1
00fe75c526a715d52e3f766db3bfc25faece6044

SHA256
b24c44b5d59c235e75227ea77d0f057fd0d622def96a4bf38c29701f47033d0e

SHA512
88c8122df5dd074c3e56eeb46a00d859873701b07cf3e13fd2cfb0901aaa2e021ce39877098813add6797cbccf44b00bd87ae7ff873c27b634b546ac4a296a8d

Download Submit
C:\Windows\SysWOW64\Dafppp32.exe

Filesize
64KB

MD5
47f1d82f7bd22b37016c058462cc151d

SHA1
5dc610bb118e96bdbf381119d3f38422f5e14b51

SHA256
2ee4dae07edf535d62e4f2f0c51e9a56b588c6aa4aa0ee22375b1bdb3e5668e2

SHA512
df548dceac1b83062428f2f62159634884bec0a964126bf06a497635dff5d7ae6938a8aa543aaa77dc73acb913e79bf4aac01ddd03dd398f6f4268ff58178711

Download Submit
C:\Windows\SysWOW64\Dgeenfog.exe

Filesize
64KB

MD5
0aa0dabee32a43e7f23b464c88305edf

SHA1
22129f7b2eb2556cf03094e57cd8fc518c48d409

SHA256
4eca0aaf1dba042e4fe85d71693e54a9b319f801ef6c88be9ed4e3aa9c2d2ee3

SHA512
7e63bfb77834c9190f5d14e9603f5aa9585f2a12ff2e5a22c69ff9731f706f8b11231eff7b783b7bc3b5e2d895029aaf78b72c88f6e620997f864dbbd427121a

Download Submit
C:\Windows\SysWOW64\Dickplko.exe

Filesize
64KB

MD5
ee10815b9758c77fbde9445355d41e39

SHA1
01bdaae1c0830d6a08c6d0bfb75972106ae0a427

SHA256
612645c43c4efa578475cf63c5250bf2c1ef6bc5a532e8e2cc8308537db822ca

SHA512
8ff4dc1fdd5bca8b04894d7c895fc78a56ada5e29dbb0b2f323292ccc3d6cdf071fe183e164d0cd5f0b108f39bc927022c6bc3aaed4c16ea90ed3173ad382df6

Download Submit
C:\Windows\SysWOW64\Dndgfpbo.exe

Filesize
64KB

MD5
53e486e94f02ea4691901929ab36a8a7

SHA1
3c0e769489494d601806c7ba29a9ec03ac33eef1

SHA256
c2788897867dd46c2ff71c74d67a2133ba17c30a62323ce3e24ee80c27e72b54

SHA512
4640d410b23356b4d7c7e8832c4364a7c21f56ba5907ebf63759aa1fa22f8c531d62e2ce2e260f2b419c77413e83761ae027289ecffed72ad4a6c09c32922080

Download Submit
C:\Windows\SysWOW64\Edihdb32.exe

Filesize
64KB

MD5
e75265c634d5a3598251dfe85b3e2d0a

SHA1
cd8fc59719310e47272a6a490c74650ba09b68ab

SHA256
b78152e7bb5f1f120e53da28abfa105760295527e684fab3d6be849a85caf855

SHA512
637a35ccc4c9c71ef573075aebeb1a24f0d6e4eef9cb0b6aaefd9ddf2d0a9851dec5a981565a3842c70dff643cb6ef4438813c10fb71b6e4e556609f01db3def

Download Submit
C:\Windows\SysWOW64\Edionhpn.exe

Filesize
64KB

MD5
59788089c80c5e30f23a9c45a5adf821

SHA1
df609c49c77b894ff3cda48652d758074e4c7c3f

SHA256
148f692bbeb49657b9d70fa74b2961bec001734e3a3dd174438317cf44a2c07c

SHA512
c5a0515ce7b66228ed4be160acef537dec0de9b5e0b3ff3d4ac7a6f9ebfb70078d143b241e983801e4f8d6c08ddce5fcd6a9aa5475d13aa87908206d94a4c7e7

Download Submit
C:\Windows\SysWOW64\Egened32.exe

Filesize
64KB

MD5
444757e52d83760c817f7044c5fd0611

SHA1
5014b8f64a63626dce27bbd7d66104df3d2e7548

SHA256
dbce773d6e245ec80f3ee8766d6bcdbab1c1648ff7d5ae389e8a402c080712d3

SHA512
aab09df79bc0ab37b41303bb0cfb5a761c71a745c93b5f6f6a6478ae988c155e019e944754be240272fdcc14a4a76248f0847d26103c3f27f1cf76f7f68d9e47

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
64KB

MD5
1fb664ca62a4d4af87e5693ecbcb4c12

SHA1
6726687fc3f87a6501e28eb80d560fc2d81ed341

SHA256
3f88d56f0917bcefca3388d880564b57ed955e0655ec69590cbf20f8ea9fa42a

SHA512
e8693d7e7e60455f341e1fc2cd3d7059f9371ec1110c7c05d4d51aa80f18196b7d71c2362711289eccebadb4a0591296635ebb5f58f5dcdf7361889745c59998

Download Submit
C:\Windows\SysWOW64\Ekjded32.exe

Filesize
64KB

MD5
c13d28d28365a9d8102720b8e085138e

SHA1
02441ed704e52a2920349fb89e3532c6691688ec

SHA256
451c1a1d546c2b2dedf693ac48e83c1c8028298f764fcb21e3c8d44a2a07db1e

SHA512
45cca7cd351bd9f61d89b3822143d54c37d6054f1f827672f93763fb297541dddd91b5ec88c71754911664801afe91df0f680ab1edd5b4eeacb284b08826d3a4

Download Submit
C:\Windows\SysWOW64\Enkmfolf.exe

Filesize
64KB

MD5
b3e4487b2df1625dc7798ebbfa166448

SHA1
bab9a686bc2fe7681fca3e31bcf89a61dd1ed752

SHA256
7c0899dafe5b7057b24bdfbfbfc9c7565631e60b3e340b5553e794f54c8eba0f

SHA512
2161939f722e001a030b9d30f76561e1d132cb5f049cc9f872881f36445a7450bbc031640b514dee91f4ea17b6a070f141d0a35ed2b1f9e010c009aa61a8e3cc

Download Submit
C:\Windows\SysWOW64\Fdlkdhnk.exe

Filesize
64KB

MD5
d08cbb15580c2484b67d1c1a9536bd44

SHA1
7aefe12acbca69200677a99f2222b109425e8241

SHA256
d05ce88ef600ec60932ddb14e6460d811ae4e1a0c6bc3d4530f87fb6c83168d1

SHA512
bf0e2614111827c2bd3b23ba6d26f1b3c5cf8bde822ce2552ba840aa92a44c3054cbab6b5e419de69a8e0f0e87f51cb824c263065328dec78db50f158b3c352c

Download Submit
C:\Windows\SysWOW64\Fkhpfbce.exe

Filesize
64KB

MD5
9ce5af3bca574d2b68f0d3e0bbf52c44

SHA1
fcdb89d58e18fa28ef2479335eb62a9ec3bd19ae

SHA256
a23d6137309fe67f392e3c9f43b2037619ebf89b7d0802192c56fe62e050ed53

SHA512
d6d0a0bed9adb4781f6109f88540a1685442b386927639e97205897dfb167539824471442a1404608fdf0eeadc6b065179160312fcc591b4630c25686b95d216

Download Submit
C:\Windows\SysWOW64\Fnjocf32.exe

Filesize
64KB

MD5
121361b45ef464755859ba2bbb099984

SHA1
0c1f6c5a902c918089a3c7cda83918a6b9e6e415

SHA256
547781e29ece3c3f4ce73d617488ff6339dea439fbc8f913e78cb627c94d10a0

SHA512
ea9431195fb08ec819eb72c62dd6f4ffd6d4068339f9632cad730ab961a1e12c9e40bbde9b8aadf6c1c8f6a352a17e2f56ef4e1d6696dcb4f31cf5ab333a8c7d

Download Submit
C:\Windows\SysWOW64\Gicgpelg.exe

Filesize
64KB

MD5
4b3b384f338b19b3829132afb94c991a

SHA1
cb19bb06497173243cf70bdc84e097e94bc891c0

SHA256
be81ad868c85a3ccff93e69b48a9e58a5c1a3c983679f370584974829c3f9650

SHA512
591e5fe6a39a1c7953043b1553431859868b432cf22ea47391ee1d8c9a8ba33e04fb4942f778aad721390c69261318a013a77496f4226c911546b8ea293d1a9a

Download Submit
C:\Windows\SysWOW64\Giljfddl.exe

Filesize
64KB

MD5
9e2ab5e40041a6576445a5506ab4b3da

SHA1
08e2ea3f2c4f9f011c6c11a0bf4eea4d299a7d17

SHA256
967f6e2b880e9bd90c5fae6709b4d1eb5e0c97f59b6a665aedc948761d2989ea

SHA512
7cba45dfbc31b0d0176428f57b435eae7733203f372f4311343e1006b7988938ae9720a66a77e0b02fa5befb0caf7a7bfb9f326014b3f6667d14ffeca22a9348

Download Submit
C:\Windows\SysWOW64\Gkdpbpih.exe

Filesize
64KB

MD5
c20d957a2f42bb29d0c48bbee0eb36ea

SHA1
b70645bc500943767f3ab942d54a6a64e3ab9a6e

SHA256
424f3f1224ac51fd4c3b6b0109f1785868abf3b7fe8b9f0f523bd4a391f12426

SHA512
73a80a30307e35b8bbb2f6232249a3b968767a8a3fa3827efbe578bac5f3e9bfe7fa4ad1b7e46b7b9e137e6939c0ba203c70b1c5dd5a25829a946ee82320f85f

Download Submit
C:\Windows\SysWOW64\Gpaihooo.exe

Filesize
64KB

MD5
68801f5db49a1bf4cd6a1dfb3f8b7026

SHA1
e57a5a3db472fde759b906a8c2e0c923ce122cf9

SHA256
0c55a13742a0345a7af77cf683e51b9e1555104d58ee8befaadf3c77bfd8af31

SHA512
8fdfecde5d219237ffa480706966fc1d88104ad82de6471db1343b37f5dde8ee9e231ea11667cb8944130e16b297a52bf7bb0b5ca4639a90d84dde2958dc58f2

Download Submit
C:\Windows\SysWOW64\Hldiinke.exe

Filesize
64KB

MD5
6bf6eac5dba99810695d73f4cf61e562

SHA1
25c7b743ace013ca4060086fe28fe0a65a4c353c

SHA256
b4b6ff7a29b58b4b5baec829ea46a4d4161a6a20c7405d78b4f541880ed77ac9

SHA512
559a8a44c0f1fe80d5c5b1893511f154f8e0f6eb5e4f1bbe49df382e44553cebab1966429b48df2a3dea755d108596ab4b0431cea216742a48ea2fe3b27f0fff

Download Submit
C:\Windows\SysWOW64\Hlmchoan.exe

Filesize
64KB

MD5
d9ba57cb08bed45792568d6025c341ed

SHA1
f8492cecf456f724662dcdc69d1e4b3b3a2802bd

SHA256
f57511aa3fb0df29d06cd28a98d9d50ef045ed938ebea532e502721bd7be8216

SHA512
4d615074ba17d9abefd5fc688846d3ac349c77f22972469f9bda9a56cc4c621f4a78e2113ab7b8aa9251b24b4c898a233cf84919d1ebcee2e5d28e1e72232f00

Download Submit
C:\Windows\SysWOW64\Hqdkkp32.exe

Filesize
64KB

MD5
3aa7e55817cc914572897737e5f6ab0b

SHA1
e36f54bf5b5b5d817f603cb71f32bb499ec6f190

SHA256
a429fbd860c371d4923a272e060b3f4b344b1f905dd9a26f70459e2047d7f704

SHA512
9fbd006c482cb018425d2fa0a5d0047121fb202c3158164b2121700b394fe05c63251e824dd6a20b48223f000fddf5b18bb6411808adddfbf50909629a3aa1ea

Download Submit
C:\Windows\SysWOW64\Iajmmm32.exe

Filesize
64KB

MD5
6c8ef833f087f920b7433cfec776d547

SHA1
4bd52e3b80097167f431b878168263f9dc470d10

SHA256
0d502a913040ec2f92e37324157002e9a0ca5bbbcf78497bda0e4a7555292b86

SHA512
9e9f541724f5741e8a1bcdb1028b37ba3965e07c0c499813a5c856b88701b0d98d5c98a33123ed566ec0f25cba75628af11dfdebf2d354a5f8b6557c52303eac

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
64KB

MD5
a6064a6c5fd052f2441d21437bc901de

SHA1
6041ed3ab44ab64b4dc7ca70a75512850adfd1d6

SHA256
5e8a8d2f1f47def5be926064571202df68212a48a0091a8fb0eae900ff374da6

SHA512
bf42389b256594b2424fc233d314848ff3a7969724ed954aa96a4016d1fbd0b3d9e651fe5720e6837adec5e5769e20a02dd27e64eb68f110017dc0912ee02f49

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
64KB

MD5
5f84ff7243d12b33a6fbc14656eab235

SHA1
44a2170bfbb4255e6f3603d97cd9968ca04a80fd

SHA256
007b372adaa434fe71e30923a3a83ecc2f90cff2d5f3405f29d7b823157ea6ae

SHA512
fac22f75c47b6e2d2748c32339041fdb5193a41acc5fdba05db65d7e677676c5505c2d155380c91f9888cf23092fddba6f1c8d6171a6a74a56f114442cacda16

Download Submit
C:\Windows\SysWOW64\Kakmna32.exe

Filesize
64KB

MD5
41061742caa65931f406e9b455e37cb4

SHA1
21f4fcd72a813837d520a53297123d3f1f64af5f

SHA256
6f9b991fc2d589a22cf169945eb9a8a984cb60bafbb49fcb2d57cea116e850a8

SHA512
869ead75b62c581c96bf8346534e58c5d9ae5da6e12c4544b04fd43e9c696df856a3e33ef711295cb6fd983b575597ea896b448d9c52059e63f91d8267fddf5c

Download Submit
C:\Windows\SysWOW64\Mhldbh32.exe

Filesize
64KB

MD5
e3d03ddebd99930ccbd693305e31cedd

SHA1
d264c09d96b14fa116eea703105eb0065e599016

SHA256
412c366176391b0293d1260b2b8fe3042ee898e1331b71ad0630a88b1343b5d6

SHA512
fd252600eedc25c7bfb4d200083969ca1465a9004bcb910137a63feba3630168d7ed79599880c5f465bfaa4e11f238dd79469fcf6ed8613815c81eb72b264432

Download Submit
C:\Windows\SysWOW64\Mlbpma32.exe

Filesize
64KB

MD5
c92731128e93e7fb3025a7ef5b3a14d5

SHA1
75b54a479f9117fda936404aa17282390a540cb9

SHA256
d41581aefd0bf33c1d1caa4efb44cb2276eacdfe6063ef751627519f2e25dcb4

SHA512
0d944702a854a0c0ed02097094be5dd91db4ed3ebab1478700abc9d866d7d2dbaf86db60b36c1c2f557cd05b630a55a5f7fef9a513e04bdb1f40e2a3c3da0bab

Download Submit
C:\Windows\SysWOW64\Moefdljc.exe

Filesize
64KB

MD5
77d57070fb3d237ef11e956823cf9fde

SHA1
356f9f5d9095a3843199f4069728cb27aeca84bf

SHA256
bb5c520044b7cf18442e0d05409f2399e176715da0d9c40dc34ee609be0051b1

SHA512
f23c19a2ab26365d9f6ddcaeafa9f398c21f9129adc571e7a344fc725b887754c6eb3306348a0dcfd4600f56275a2a6770c9100dc3c5f470aa1066b7690aca1d

Download Submit
C:\Windows\SysWOW64\Nqcejcha.exe

Filesize
64KB

MD5
ac10baed0a1eda29d0199b468076391b

SHA1
3649a8e5eca74d00f73b6f67c0cff26577796aae

SHA256
35f33e5d084d7ce1b7c69784546e4633475c22083c91a4eca75752a2ad7542b3

SHA512
41fe2b73af950d441801c96013848b011977a274378c7b118804cdbf17307db809a53e3cdce32597fd0e7ceb5749ddcc63b3fb5e19513ec6f8209a6449f4a671

Download Submit
C:\Windows\SysWOW64\Nqoloc32.exe

Filesize
64KB

MD5
ef966029e6712328dcddf40190198e59

SHA1
f6f234c837365eaf3bfddf32d29426e46dc69874

SHA256
a179d8b80926ae7d65ac0ce3dc6a53184e3a51c811f69f5f317dd37ceb0de535

SHA512
36a8162e081afae26217b37c774a3a9893dddf85102d42f7b8d598e924623d179e250562b0419813a7553f23bb249dc4670a59af8d14742c6791a5609200668b

Download Submit
C:\Windows\SysWOW64\Ofegni32.exe

Filesize
64KB

MD5
9468c962768719eeb1990f530a775ab5

SHA1
bc7965f74ec1148d4686a8b568ab6e4fd40caf75

SHA256
aea1b44d485460357d19e196d743deda883b0bf2f086aa869bc84d0e6c774249

SHA512
05b6030e343b63e2cd4d8e1f40c34bb84e885a5a2190fc841f3bf2caf968e1c0f05c8d6375d845d0a26996bf3431d93c17eaced8cd3a355db828517b5fe660f6

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
64KB

MD5
2fe9b227753d36b9c57381fd3a783292

SHA1
5c2d8a969bda33edcefdf56eaf235bcc9bc4550d

SHA256
89e1b785f96f973376cff41184e48ac7c28a747cac2e08366e856550a2fdcf87

SHA512
322f076411a254a7d0da75e915b9a7d2ec89cf557386fd51d3d0abb46790ad958fef53a97137c4e97b53abf309e2513960148821624e9fdc0ebebf7f6a83a706

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
64KB

MD5
9700faa38ec3bc034702313d368f899d

SHA1
3170f473d091d41cb0af2316ca825cad480e54b9

SHA256
e735f80ea358834836cba7d0fc8c6ee3071497e211103d2f30b3563313533463

SHA512
3265b6f4eb3bc7dea0bc109dc194e8160dda696a6837c425b1a84b772c50aed217714eacb8771fa73d8a5e6ae0e3ebcc232b47490ad42ec35681f4f03a6e27ad

Download Submit
C:\Windows\SysWOW64\Pdjgha32.exe

Filesize
64KB

MD5
c5c21887fcf67c14f8e9b898fa6cb2d3

SHA1
da0ae05d3b44f8c30c2fae4fadcde8eab4876431

SHA256
1a1dcf9f8b59df9a769b936d3311a015dca6d991a615226caf919c16ac1ebcb4

SHA512
e231e1a28a8d39ed4549214c0d963abc6bdea821c6eb0e9e3814fb7e7c2105ad1a1aca486ad226d758a53c9294740c877656751cf436a55d6b2ce8bb64eb45be

Download Submit
C:\Windows\SysWOW64\Peempn32.exe

Filesize
64KB

MD5
4388d5aa935928e837d4092fe02234af

SHA1
a639f5301f679bebe8073aa602d71d05e04e62a1

SHA256
d0423e90f47ff263234a7f6d0341e263cf15f56c675570d2465bce166f4d27d7

SHA512
46d8fc5cf519292fa2c30aeedc6c4891c750b557f64663c590a9bb0b8b52842c6bbcf3e75f70440049b11bfc806d2add1169776fbe0656227a63f2a28a91c9de

Download Submit
C:\Windows\SysWOW64\Pfdjinjo.exe

Filesize
64KB

MD5
e18e28af9593bac25a087a2286e8c892

SHA1
6a85236f0b9ab38e278bbdd273ea55166ec9a657

SHA256
75b4969f3ef1642d50134b976a25d2f450d7cf552a2adf12a6b3594bd6fe185e

SHA512
62411651702bd7be7ea5621359e1e0e772b775da7256d6021b36c71262faba354f1e2fabddc728eb2a783d4e20485da845096710ab6a9925b2cab5cffb8d10cf

Download Submit
C:\Windows\SysWOW64\Pfncia32.exe

Filesize
64KB

MD5
74e72271d8048ad9f60d3b2ad1207538

SHA1
70b3fbb3a7a239f29bac7b5561a1096334d1470e

SHA256
fdecf72caa6bf38225b1cd25ca3fe03b1c089bf8c892642b80707e72cc5be447

SHA512
8022627398481c201885356b6478c685ae265ef3a8ca129cd6ba3bcc4d064a949b9602dafc93ba23983e336982ac92a424b9e7d53cb1b550ce1b84bd1761e773

Download Submit
C:\Windows\SysWOW64\Pmphaaln.exe

Filesize
64KB

MD5
bc1340ac5cda55bdc4fb538cdf0b817e

SHA1
a127caf143c2d8704f1d601cdef9d19a549657eb

SHA256
65d639c932d1d4b916a62c9b7c01e04ffb986786b9e53dbe470efa49a65ecf35

SHA512
03dae78b71849d2c5d31ce2f0f600fdca8c4e36d760765f405c81954f6043b1a3e72ab69de7f30e6b59f020f9f8482b5d72728f492f04f81daf55b41ab6182a1

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
64KB

MD5
7487529e00a22796b40932c838a81917

SHA1
3c8c8e7c7c7d0b5669e09edf5ddc0c0379d1f672

SHA256
fc411c8d4a2056699e972f70a1be7b18f4d80e15b2210cc05aaf3d5200b837e4

SHA512
7f2c8392ff1d6579688e6da0d0836c71ce260874df8e5dbeb48ee811f7c5695f64949d807438a1dabc09cef17a02accc7b9707b0c8e3e247f081bd55dc1a9baa

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
64KB

MD5
091e4e2485eb4a5fa2189b4670f987cc

SHA1
fb793ba9fc4ee01276f9632c02272cba0f407588

SHA256
4a0b551593aaf19bc97aa88dfbb348e8882eab2303a0ee22cd67ab6a16d0ec6c

SHA512
c0c8b8b027a0ee318a982e5a167b975fa789d8d9c32ac22db08b345456784bf298990a7fd229731ee0d4d9c064ad2d2fe9e2bc7dd21249b7ea9ec7033959a16b

Download Submit
C:\Windows\SysWOW64\Qmckbjdl.exe

Filesize
64KB

MD5
981be3670ac6509db1e1c0e639a60148

SHA1
420f5d7ab4913b6759e1339b83b06be2bd1aa08e

SHA256
3a3ea56ed18f4d803fd095d723297e346f5046040ccae8ac195d52630711a9b6

SHA512
a36b238ac6d38f7ddafa4f1e815acb45dd997600437a9d5e7865a6eedee7cd1999534083938f81d11e0ba296a3e87d51f2f550f2af28447b974bc13170448dde

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
64KB

MD5
31697ffb8d32530678e87ebd556242b2

SHA1
a4ff35c725fd2af14713614f87f7a61901acaa8b

SHA256
27e4512849339beeb845779a52b2cfc11e35ef437b6e397e06cdae45df16891f

SHA512
8b8f39bc7921d60ac2f35c847f51c3305b2a0dee246f59be43de21c9d9e2a9c2a24afc84564c5e0a2281336b337033152ad2eaa6d0d9d1014e80415b099c11ee

Download Submit
C:\Windows\SysWOW64\Qppkhfec.exe

Filesize
64KB

MD5
9e7cab8fa6718656fab2b18b1cd705d8

SHA1
b0cde1656fbe4a4419cfb265336bfcd27e1ae866

SHA256
b5893fd399a16239f2426783e4e1dba112c841b0e325dc5b0f155e4d59c4962e

SHA512
6b96c4a6b00a8ae63baf37763698103909616578f41603ae28a12bd0f092cc61ecd401f0563ac6fa066c533c5bdb855dedb2765483527fde593793da010362ad

Download Submit
memory/368-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/368-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1368-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4712-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4712-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads