35acb8e4eec0a723b78e990e4b062c5aaa803af0139486bb3f805453e06faccb

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 18:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

01608a93955f38e12a7aae253d521be0_NeikiAnalytics.exe
Size

264KB
MD5

01608a93955f38e12a7aae253d521be0
SHA1

93f719843ccf759ffd9ff4e13d8ea55d53d763ac
SHA256

35acb8e4eec0a723b78e990e4b062c5aaa803af0139486bb3f805453e06faccb
SHA512

b9948cd7e36b9986c9ef198a6b889b6ee1a1f430addef4a4d02bef37957985c5bf218fc0c8ebad29646f99eac7e179578c30c811f3a154c8495f05aa4044ce73
SSDEEP

6144:d5S81wVGcKVRpui6yYPaIGckpyWO63t5YNpui6yYPaIGckv:d55kibpV6yYPI3cpV6yYPo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfjdqmng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddifgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kocgbend.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmjfodne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eahobg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnqfcbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Feqeog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khbiello.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimogakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Damfao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fecadghc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebdlangb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fecadghc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcoljagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpdennml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qapnmopa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aoioli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadpdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gnepna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	01608a93955f38e12a7aae253d521be0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibqnkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnnmhfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcoljagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefgbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebdlangb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojcpdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmladbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eahobg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbnaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jafdcbge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kadpdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iidphgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajaelc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfogbjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Edihdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbjoeojc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lebijnak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjjpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afhfaddk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqppci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe

Executes dropped EXE 64 IoCs

pid	Process
3296	Fnipbc32.exe
5020	Fbgihaji.exe
2100	Fpkibf32.exe
856	Gnqfcbnj.exe
4780	Gppcmeem.exe
4956	Gnepna32.exe
2976	Gpgind32.exe
1612	Holfoqcm.exe
5092	Hbjoeojc.exe
3660	Hekgfj32.exe
4548	Hfjdqmng.exe
2232	Imgicgca.exe
3452	Iefgbh32.exe
2792	Iidphgcn.exe
2648	Jpaekqhh.exe
2528	Pnifekmd.exe
3644	Pjdpelnc.exe
2228	Qpcecb32.exe
924	Qdaniq32.exe
1616	Aoioli32.exe
1120	Amnlme32.exe
3960	Adkqoohc.exe
4740	Bkgeainn.exe
3180	Boenhgdd.exe
1124	Bmjkic32.exe
2308	Bahdob32.exe
4748	Bajqda32.exe
1508	Conanfli.exe
5004	Ckebcg32.exe
2108	Chiblk32.exe
4896	Chkobkod.exe
4048	Cnjdpaki.exe
4460	Dhbebj32.exe
1152	Ddifgk32.exe
3708	Damfao32.exe
1076	Dqbcbkab.exe
752	Edplhjhi.exe
4924	Ebdlangb.exe
4928	Eqiibjlj.exe
3100	Ebifmm32.exe
1180	Eqncnj32.exe
2864	Fqppci32.exe
4076	Fkfcqb32.exe
4840	Feqeog32.exe
3956	Fecadghc.exe
4196	Fbgbnkfm.exe
4072	Gokbgpeg.exe
3884	Gbkkik32.exe
1492	Gpolbo32.exe
1500	Gpaihooo.exe
4412	Gpdennml.exe
3188	Giljfddl.exe
4572	Hioflcbj.exe
4496	Hnnljj32.exe
3620	Hbldphde.exe
1004	Hbnaeh32.exe
1684	Ibqnkh32.exe
1284	Ipdndloi.exe
4032	Jaonbc32.exe
2288	Jaajhb32.exe
756	Jhnojl32.exe
4620	Jafdcbge.exe
3868	Khbiello.exe
4152	Khiofk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lnpckhnk.dll	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Pcbkml32.exe	Pimfpc32.exe
File created	C:\Windows\SysWOW64\Blcnqjjo.dll	Pbhgoh32.exe
File opened for modification	C:\Windows\SysWOW64\Dkpjdo32.exe	Cmedjl32.exe
File created	C:\Windows\SysWOW64\Kapceeje.dll	Fnipbc32.exe
File created	C:\Windows\SysWOW64\Fmbdpnaj.dll	Gbkkik32.exe
File created	C:\Windows\SysWOW64\Fpbdco32.dll	Hnnljj32.exe
File created	C:\Windows\SysWOW64\Panlem32.dll	Hbldphde.exe
File opened for modification	C:\Windows\SysWOW64\Ckdkhq32.exe	Ckpamabg.exe
File opened for modification	C:\Windows\SysWOW64\Gppcmeem.exe	Gnqfcbnj.exe
File created	C:\Windows\SysWOW64\Hbjoeojc.exe	Holfoqcm.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Ebggoi32.dll	Boenhgdd.exe
File opened for modification	C:\Windows\SysWOW64\Ddifgk32.exe	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Gpdennml.exe	Gpaihooo.exe
File opened for modification	C:\Windows\SysWOW64\Ofjqihnn.exe	Ojcpdg32.exe
File created	C:\Windows\SysWOW64\Fljhbbae.dll	Ofjqihnn.exe
File opened for modification	C:\Windows\SysWOW64\Dpmcmf32.exe	Dkpjdo32.exe
File created	C:\Windows\SysWOW64\Ocgjojai.dll	Nofefp32.exe
File created	C:\Windows\SysWOW64\Klhhpb32.dll	Ojcpdg32.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Ckpamabg.exe
File created	C:\Windows\SysWOW64\Jpaekqhh.exe	Iidphgcn.exe
File created	C:\Windows\SysWOW64\Pjdpelnc.exe	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Feqeog32.exe	Fkfcqb32.exe
File opened for modification	C:\Windows\SysWOW64\Gpolbo32.exe	Gbkkik32.exe
File opened for modification	C:\Windows\SysWOW64\Jaonbc32.exe	Ipdndloi.exe
File created	C:\Windows\SysWOW64\Falmlm32.dll	Jaajhb32.exe
File created	C:\Windows\SysWOW64\Ajmladbl.exe	Aimogakj.exe
File opened for modification	C:\Windows\SysWOW64\Afhfaddk.exe	Ajaelc32.exe
File created	C:\Windows\SysWOW64\Qpcecb32.exe	Pjdpelnc.exe
File created	C:\Windows\SysWOW64\Lbandhne.dll	Qpcecb32.exe
File created	C:\Windows\SysWOW64\Adkqoohc.exe	Amnlme32.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Bmjkic32.exe
File created	C:\Windows\SysWOW64\Nkphhg32.dll	Gpaihooo.exe
File created	C:\Windows\SysWOW64\Ofjljj32.dll	Eahobg32.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	Edihdb32.exe
File created	C:\Windows\SysWOW64\Fnipbc32.exe	01608a93955f38e12a7aae253d521be0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ipdndloi.exe	Ibqnkh32.exe
File created	C:\Windows\SysWOW64\Bcejdp32.dll	Mhoahh32.exe
File created	C:\Windows\SysWOW64\Bkfmmb32.dll	Mlofcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ecgodpgb.exe	Eaaiahei.exe
File created	C:\Windows\SysWOW64\Ahfmjddg.dll	Kocgbend.exe
File opened for modification	C:\Windows\SysWOW64\Edihdb32.exe	Eahobg32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fgqgfl32.exe
File created	C:\Windows\SysWOW64\Bpfljc32.dll	Fecadghc.exe
File created	C:\Windows\SysWOW64\Pnkibcle.dll	Pqbala32.exe
File opened for modification	C:\Windows\SysWOW64\Pnifekmd.exe	Jpaekqhh.exe
File created	C:\Windows\SysWOW64\Dhbebj32.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Glqfgdpo.dll	Mcoljagj.exe
File opened for modification	C:\Windows\SysWOW64\Qfjjpf32.exe	Qamago32.exe
File created	C:\Windows\SysWOW64\Ckpamabg.exe	Bipecnkd.exe
File created	C:\Windows\SysWOW64\Iefgbh32.exe	Imgicgca.exe
File created	C:\Windows\SysWOW64\Iidphgcn.exe	Iefgbh32.exe
File created	C:\Windows\SysWOW64\Mbkkam32.dll	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Hbnaeh32.exe	Hbldphde.exe
File created	C:\Windows\SysWOW64\Nnimkcjf.dll	Fdmaoahm.exe
File created	C:\Windows\SysWOW64\Hknkchkd.dll	Gppcmeem.exe
File opened for modification	C:\Windows\SysWOW64\Ebdlangb.exe	Edplhjhi.exe
File created	C:\Windows\SysWOW64\Anjcohke.dll	Jafdcbge.exe
File created	C:\Windows\SysWOW64\Qapnmopa.exe	Qfjjpf32.exe
File created	C:\Windows\SysWOW64\Dooaccfg.dll	Ckpamabg.exe
File created	C:\Windows\SysWOW64\Hioflcbj.exe	Giljfddl.exe
File created	C:\Windows\SysWOW64\Oqoefand.exe	Ofjqihnn.exe
File created	C:\Windows\SysWOW64\Pqbala32.exe	Ojhiogdd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5972	4240	WerFault.exe	214

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbdco32.dll"	Hnnljj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfgnho32.dll"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhjedb.dll"	Gpgind32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpekmi32.dll"	Imgicgca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Feqeog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qamago32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqppci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhcbhh32.dll"	Qapnmopa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofjljj32.dll"	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhego32.dll"	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpdennml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfkgknc.dll"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmdfp32.dll"	Damfao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fkfcqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpdennml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hekgfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ebifmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqncnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mfkkqmiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcejdp32.dll"	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnndji32.dll"	Nmjfodne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpgind32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddifgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fecadghc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gppcmeem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddifgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpolbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afcmfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbldphde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbdpnaj.dll"	Gbkkik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmmco32.dll"	Ibqnkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfmmb32.dll"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fpkibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkfenfk.dll"	Gnepna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahhjomjk.dll"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lakfeodm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmfmgnc.dll"	Ebifmm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 3296	4140	01608a93955f38e12a7aae253d521be0_NeikiAnalytics.exe	89
PID 4140 wrote to memory of 3296	4140	01608a93955f38e12a7aae253d521be0_NeikiAnalytics.exe	89
PID 4140 wrote to memory of 3296	4140	01608a93955f38e12a7aae253d521be0_NeikiAnalytics.exe	89
PID 3296 wrote to memory of 5020	3296	Fnipbc32.exe	90
PID 3296 wrote to memory of 5020	3296	Fnipbc32.exe	90
PID 3296 wrote to memory of 5020	3296	Fnipbc32.exe	90
PID 5020 wrote to memory of 2100	5020	Fbgihaji.exe	91
PID 5020 wrote to memory of 2100	5020	Fbgihaji.exe	91
PID 5020 wrote to memory of 2100	5020	Fbgihaji.exe	91
PID 2100 wrote to memory of 856	2100	Fpkibf32.exe	92
PID 2100 wrote to memory of 856	2100	Fpkibf32.exe	92
PID 2100 wrote to memory of 856	2100	Fpkibf32.exe	92
PID 856 wrote to memory of 4780	856	Gnqfcbnj.exe	93
PID 856 wrote to memory of 4780	856	Gnqfcbnj.exe	93
PID 856 wrote to memory of 4780	856	Gnqfcbnj.exe	93
PID 4780 wrote to memory of 4956	4780	Gppcmeem.exe	94
PID 4780 wrote to memory of 4956	4780	Gppcmeem.exe	94
PID 4780 wrote to memory of 4956	4780	Gppcmeem.exe	94
PID 4956 wrote to memory of 2976	4956	Gnepna32.exe	95
PID 4956 wrote to memory of 2976	4956	Gnepna32.exe	95
PID 4956 wrote to memory of 2976	4956	Gnepna32.exe	95
PID 2976 wrote to memory of 1612	2976	Gpgind32.exe	96
PID 2976 wrote to memory of 1612	2976	Gpgind32.exe	96
PID 2976 wrote to memory of 1612	2976	Gpgind32.exe	96
PID 1612 wrote to memory of 5092	1612	Holfoqcm.exe	97
PID 1612 wrote to memory of 5092	1612	Holfoqcm.exe	97
PID 1612 wrote to memory of 5092	1612	Holfoqcm.exe	97
PID 5092 wrote to memory of 3660	5092	Hbjoeojc.exe	98
PID 5092 wrote to memory of 3660	5092	Hbjoeojc.exe	98
PID 5092 wrote to memory of 3660	5092	Hbjoeojc.exe	98
PID 3660 wrote to memory of 4548	3660	Hekgfj32.exe	99
PID 3660 wrote to memory of 4548	3660	Hekgfj32.exe	99
PID 3660 wrote to memory of 4548	3660	Hekgfj32.exe	99
PID 4548 wrote to memory of 2232	4548	Hfjdqmng.exe	100
PID 4548 wrote to memory of 2232	4548	Hfjdqmng.exe	100
PID 4548 wrote to memory of 2232	4548	Hfjdqmng.exe	100
PID 2232 wrote to memory of 3452	2232	Imgicgca.exe	101
PID 2232 wrote to memory of 3452	2232	Imgicgca.exe	101
PID 2232 wrote to memory of 3452	2232	Imgicgca.exe	101
PID 3452 wrote to memory of 2792	3452	Iefgbh32.exe	102
PID 3452 wrote to memory of 2792	3452	Iefgbh32.exe	102
PID 3452 wrote to memory of 2792	3452	Iefgbh32.exe	102
PID 2792 wrote to memory of 2648	2792	Iidphgcn.exe	103
PID 2792 wrote to memory of 2648	2792	Iidphgcn.exe	103
PID 2792 wrote to memory of 2648	2792	Iidphgcn.exe	103
PID 2648 wrote to memory of 2528	2648	Jpaekqhh.exe	104
PID 2648 wrote to memory of 2528	2648	Jpaekqhh.exe	104
PID 2648 wrote to memory of 2528	2648	Jpaekqhh.exe	104
PID 2528 wrote to memory of 3644	2528	Pnifekmd.exe	105
PID 2528 wrote to memory of 3644	2528	Pnifekmd.exe	105
PID 2528 wrote to memory of 3644	2528	Pnifekmd.exe	105
PID 3644 wrote to memory of 2228	3644	Pjdpelnc.exe	106
PID 3644 wrote to memory of 2228	3644	Pjdpelnc.exe	106
PID 3644 wrote to memory of 2228	3644	Pjdpelnc.exe	106
PID 2228 wrote to memory of 924	2228	Qpcecb32.exe	107
PID 2228 wrote to memory of 924	2228	Qpcecb32.exe	107
PID 2228 wrote to memory of 924	2228	Qpcecb32.exe	107
PID 924 wrote to memory of 1616	924	Qdaniq32.exe	108
PID 924 wrote to memory of 1616	924	Qdaniq32.exe	108
PID 924 wrote to memory of 1616	924	Qdaniq32.exe	108
PID 1616 wrote to memory of 1120	1616	Aoioli32.exe	109
PID 1616 wrote to memory of 1120	1616	Aoioli32.exe	109
PID 1616 wrote to memory of 1120	1616	Aoioli32.exe	109
PID 1120 wrote to memory of 3960	1120	Amnlme32.exe	110

C:\Users\Admin\AppData\Local\Temp\01608a93955f38e12a7aae253d521be0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\01608a93955f38e12a7aae253d521be0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\SysWOW64\Fnipbc32.exe
  C:\Windows\system32\Fnipbc32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\SysWOW64\Fbgihaji.exe
    C:\Windows\system32\Fbgihaji.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\Fpkibf32.exe
      C:\Windows\system32\Fpkibf32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        23⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        29⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        37⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        40⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Feqeog32.exe
        
        C:\Windows\system32\Feqeog32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        47⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        48⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\Gpdennml.exe
        
        C:\Windows\system32\Gpdennml.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        54⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        65⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:872
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        69⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4252
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        71⤵
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        72⤵
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        75⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        77⤵
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        78⤵
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        79⤵
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        90⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        91⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        92⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        96⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        100⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2428
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        104⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        105⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        107⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        112⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        114⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        118⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3020
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        120⤵
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        121⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        122⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 412
        123⤵
        Program crash
        
        PID:5972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4240 -ip 4240
1⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:5860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
264KB

MD5
ac71d630321cea6d8f61008b32784518

SHA1
4ceb5acd56aaa76c5958bdb55f4db5264998c545

SHA256
837b48b8a6a392451e6d555f055cabad8ee13d9bdb7d3f581932e0c0dad83bf2

SHA512
f36d5c004e9d94a3529f49dcb1611a18c2facb9aa4b45e288e30cdc89b3f0906f6b45ae11182a3059b6d01b715087beb0c9e5eec1c1d8c5fcbc0b84be47d8e9d

Download Submit
C:\Windows\SysWOW64\Ajaelc32.exe

Filesize
264KB

MD5
b1c24383dde275e4dcfeb1dcc2781c8e

SHA1
aa5420b52b55f1460ef69f3d9e0afce710cf9e6f

SHA256
cc0cc864763e62071338f1cf35712deb99535ac126c8b4317454020fcc458272

SHA512
1739bf844e85b8c820affc921f2c434ea6bb1952d9be08c5b042eee02f992c1b591cba85161f0b20b753b33ee5450ef195b6b0e592bc18b0800e5c84797552b6

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
264KB

MD5
cd67343d4b6af5b5c90cc09247a060fc

SHA1
a8603b6a424969255e43e507462bd2f28db91671

SHA256
0b5f5a0e058fdf26f33ae1b65ff24646cc5607bd1e3a1872a9df9613316649c4

SHA512
9fd1df1319d5dc948a800e8c14d7a55b8637a6c909d021a4e20bc71b6c6efc24c2fefd96e8a191459d31db73dd5e1c32ba2fcef9d693a03c7cc30eb49b98214b

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
264KB

MD5
3b9fe498e33ba653d28813f46ceb56af

SHA1
acdb004f26d7fab0ff5abade8096d5051946cd6a

SHA256
86658c93bef0e431dfca29692d6e2d9c431d6b4a670005498312cdd6fe98af00

SHA512
a9153c72f0d65c4c1182d3a0141fc009bfeabd1db8802f6b70b94c07810583b525e1e28bd606dc7daac5ebc7edc7216063ee23e7200c7c690420e74509165eb1

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
264KB

MD5
f7ec786f2c43cd89282315d0f601d60c

SHA1
c26713c05697b6faaae13b6f76e1f1940d53fddd

SHA256
dfb08e3e56fd7866852a7dd9316ea405b4b5d2cbadeaec502055a5be451559c6

SHA512
73d3704388e211d93dc6c61899a46772d2ea3060362eb9a8b7af7c589e32527d95cac5f6d775381826d0136cf2356383dd68992e89ce03b3aece8a271971a4a2

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
264KB

MD5
2f2486f1ba6594fe2f897bd6f291fac2

SHA1
4da9feea416a7c24a44375eb835bb228ecbfb82d

SHA256
4426e8888c2e05704c1d2c709a662222819daa2064f15727074f27535ae762e1

SHA512
c60a287ae26a5b01f97e68ae910f977d7b43b0ab8a421c6d3b7b5e37f4b73d83e1e303de2815bbd1434fb3fc67b89c5313b7feca22801f01692027ae1769ed23

Download Submit
C:\Windows\SysWOW64\Bjfogbjb.exe

Filesize
264KB

MD5
74ab53413cba96a7583ea50d28726e35

SHA1
9ca8d2626632a9cd477c0f50d876bf569fc24dfd

SHA256
fd7228b9061d500684399027bb4c607cfb90e82cbe43b144f8907bb00e3c040c

SHA512
4181fad7395778f43ab3b0f15b0e83b7b76e89edaf6c0261a83f1e9199c8de2c435ffeb32e8611ed3b0bf0476fe6fb5c2b7f43b68528e23f3f493322a0588377

Download Submit
C:\Windows\SysWOW64\Bkgeainn.exe

Filesize
264KB

MD5
fefc76c5373352618dc6c82bd1dc98e4

SHA1
04d3fc3b7d3b7151ec96e19202fba96571127f5d

SHA256
848a3708fbde498f322d6cdbf7da1ca574031024c4a78c9cfdffdb043acec1db

SHA512
aaed61e7d97396dd7695595e4aea1fea1374a51ad48613e064e9aad3e60031b65d0c78f36a6e5173965cacd49b18eae5107a01de50402ae91df76a4bb2d3ba18

Download Submit
C:\Windows\SysWOW64\Bmjkic32.exe

Filesize
264KB

MD5
495c49dcc82e158168d8ce7e76105083

SHA1
efa223e9444acb2951242c76fec5442a00b25ac0

SHA256
f680d31b1212547612af1a81ac677aea4507564ed4f5fefe38b459ff2fd4328f

SHA512
764aa992b9caa8a6c7b73bae7b7dad9d3246c8943f71a5d9d6bfd7d08791ac5053803de3eee7cc10fde83ccf0f65e40a908bc49a18c8d34fa3722ffe9d284c80

Download Submit
C:\Windows\SysWOW64\Boenhgdd.exe

Filesize
264KB

MD5
6423af2a4b716c14462ad4527b1da9ae

SHA1
545e7b5880110f41be58941643e1c0a877fdb7bf

SHA256
040e6d2576306038c331309c46a3002c344bf2657a05cf32f084da1b7f1286a9

SHA512
a603aee04a080c641e27a570218673792c07b219169f83cbf7709cf7010927a227070445f676546c79e394a8e7cbea1ac8478ffbd86db4384460ff81751ac604

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
264KB

MD5
2e13c5066d35fb37444f7861b9db6c78

SHA1
189a711a9bbb73a7ac384733c42d09d9f50957e9

SHA256
0d8ca943e2c0db155c6f85b7ed2f1363c62dea60e72e4d2b3ead6e5888457fdc

SHA512
4b81310944977462a22c1cf3dcfcc98601aa7f84374d468626c50497fc8a5c9d7feaa022230297b7a878311159a0cc4b9f3989922b30795049125ee668c43db6

Download Submit
C:\Windows\SysWOW64\Chkobkod.exe

Filesize
264KB

MD5
05c6166ea00ca83b81acc0a56d13a679

SHA1
d2b73aa4afb77791a45f72b5f308405ae032f7d0

SHA256
6d7b53bb236a66311d0492edf9f8229f25230886ebff6c9626cd993d449ff153

SHA512
912e6e23e3a43148229ed897f874b3e8d639cc94b31372883c7c1ae32b66aab0a095d9bbc2753f6141f1c4171b620ee8646aa99d7e82bdab18cb0d91379feece

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
264KB

MD5
6b2f6f84184692dc8ded312c990ba250

SHA1
65a5e99e31aeb457b5ab22c1eb07e57b8d959216

SHA256
5024170a0087fa26b5d9ab557b3adfc24c1dd7744f2ee9bab260f26be0bc4c6f

SHA512
450886f85beb409a3d4546acf8a96d7db23e587655351da121613655d0560c8afb5cc323fbad8eb5fa760911ad87e17119658bb612f4eef725cce5b67a41e722

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
264KB

MD5
ebb0dd23d891a346c55d362fd0a835ad

SHA1
d07652ab885bc03f5f2cc80689393d1eef6e2a5b

SHA256
a5812c4d4f6e5eedbc906234daa209c3651e18202610138906f69cd69a701313

SHA512
1ff3e6e73ebee5df4ea04cd8a89b70fccd550743eb1735b4fe0d956e07ecb8c4967764a168defad6cb5655bedbcba6c260ae465f4428afcdd807086fbb1ad1f0

Download Submit
C:\Windows\SysWOW64\Cnjdpaki.exe

Filesize
264KB

MD5
4a6e7ac5a595a1516bdd8410f158ef9c

SHA1
f86ed3b4ad3695afdf243d1edd8eb718188905c3

SHA256
09dc06718c704917a14301049407ee49943ce0229c2a1dd8a647cce1cc22cd1a

SHA512
28284f19f6977b1de283104c73e93844e8676c6c072f4de3c105141dcf6f15fc52c122722083c9b192338546f95b680a0c9ba73b8977df67136f0f7052bec0f2

Download Submit
C:\Windows\SysWOW64\Conanfli.exe

Filesize
264KB

MD5
63e964e5dfac223f8655155c6b37c938

SHA1
3427202e47821f34179af6102a4c78d260aa27ce

SHA256
d4814fadd22b3ff7e9ed9ccc654ccc4c84a351ce9c1b9dc19acc34ee0a93e387

SHA512
13f63be3bc2d662c7948e643912a91ad4bc0c56d26959e026c6308f107802c93fbc2df4774d23a6ab6b3e9c8574496747208007e5b494cded55eda15a5262edc

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
264KB

MD5
6cecbbf625ae1d6865146ae2c3024e7a

SHA1
1a86ee896acced90096796fa869895d9e2061e0b

SHA256
942a62ddef33496ada87681637e58f2c0af6d4a9ba2f280fccfaaedfbb2d974b

SHA512
a2dbce6e7a03ad71a46b394efd6f8a0cfa637a13a21aab778a230bc61661223b21a8d7487d15bd5a437f46a678dc9c1fac83e7e792722186126213ebd6590a71

Download Submit
C:\Windows\SysWOW64\Ebifmm32.exe

Filesize
264KB

MD5
965613ee148a5c55033eb63b1f211c9c

SHA1
e799e8aafc722d33db402fba477665a9e792a469

SHA256
8671a67459eef8dadcbf6f9416bdc6982a7157ddb79946fd5d38c5a6cb9448d3

SHA512
cf416bd9cdc97890a82ae6a00b721f3573ae7864dbb1c7e36d0168d85a1beacb37d4307c3eb853cf0c529d2f1a550403926510142d3d3a64b4167d9197cbd4c6

Download Submit
C:\Windows\SysWOW64\Edihdb32.exe

Filesize
264KB

MD5
c0c8d8240f9fc06f4fc398157b7caa19

SHA1
6891a93d9d9a99adaebcaa579aec4d94c927c5ed

SHA256
5d81c7641f36c4891ae86f0220cc8a9dea5dbe1d66b8ad6475044b073efb4a8d

SHA512
30666a50d8a3e7f0369ad63e227e95ccf8ee0445419ad5b1f81a9ca4f6d5f9defdc7688e2f7aa5b1d6ff5779b602c25d10ba233dd6270473513681f434d2deaf

Download Submit
C:\Windows\SysWOW64\Edplhjhi.exe

Filesize
264KB

MD5
a11f157dec2c78d15b99782621085327

SHA1
55a10c6027318502740bbd931761304ac42f0565

SHA256
bf929adc32e9bcc4e6ba6f1613d0a71f5e6d3f2c1580561da089b861a9ab4289

SHA512
8029fd6f491803c072fdf2f73c4ef4354d0ae0b476c8e0b4f89950c65ccbc7115619e73aa2a252c78dc8acebf764d30ce7a0fd8df3240863e937babaa4dffe6c

Download Submit
C:\Windows\SysWOW64\Fbgihaji.exe

Filesize
264KB

MD5
5efaeb16a9ed042bce60baa2f3fe7bd3

SHA1
5ee4df84d62749a1be219f0c167d3f5124e3bfc5

SHA256
8b1a63d8047f8e762865994770ef226094a077a68d9d692e36f2a53899955c4b

SHA512
4cbaf90a99291605178d06b5eaca965fcea7050942619c107a5c103fd5d5d9405b6a34c7f2674ffb4f3ca19013541814bca6f381d0e57f9fab452952cac7c932

Download Submit
C:\Windows\SysWOW64\Fdmaoahm.exe

Filesize
264KB

MD5
20ef4a641f74f013a98340720bc8bfcc

SHA1
7b86f18bb0de58f11a0a8b0d17bd7fea0402f43e

SHA256
a13603af9beceb156908ad3955f0bc1f3fa32ca68ceb2b3334e04a331533b96a

SHA512
9269617761837135594202560385f2aa2b1dbea3b09ba7ab3f40694c52f458d1533ab91200da48f490335e07d670d675affea9d51aad475c78272d98b30eaf97

Download Submit
C:\Windows\SysWOW64\Feqeog32.exe

Filesize
264KB

MD5
f5b8c390a68f0ca0b0275351eaaccebd

SHA1
c8a64a773ea766e010ae4b325f7589fb291b2d92

SHA256
3f92d2f1738084a591a5d5894e45a8dda5512ea890b7c8e4e9c99041e0efc048

SHA512
33e01ef026712e0b68f59d843085c26d655b4f0769bcdb03a4520045a1639f65d8c10ab67ef2180efff4f80043ba4f5b8976d9c706ebaffe8d0e7dda5e7d8a96

Download Submit
C:\Windows\SysWOW64\Fkfcqb32.exe

Filesize
264KB

MD5
c640a1b0540a927a1e4716be4c3d99fc

SHA1
937f562794b38e7eaefbe5ea370b4d160020a3e5

SHA256
acff2cd3367a33a7bafe4ea5ea2d35db1bb18758cc82fc6486f71da7f83e2c64

SHA512
988de9d3d792d08c1cc8402a724d43753c3aba96f2a550abfdc89cf328c56c14c8f6a4db8471f79c1875474b6d9faafef3ffa0be1eb10dba1134edb214fb0d9d

Download Submit
C:\Windows\SysWOW64\Fnipbc32.exe

Filesize
264KB

MD5
ecdb9b8558598fcf32815a7e4e5b2fa3

SHA1
4cbf239a026625517deb40f8fda8f814a9d225da

SHA256
9743ab5d13b735cb049c67d3cecb1f35eb6b12c83d96ccd9bc76b73743d96faf

SHA512
7fd020c2360c96221ac4f806aca5ec367224ed7790a159012e07072aafd4d5e3db20959e34f8cebcd2b7dd3ff981925476eef98a4973375f1a0edf65b95a6cbf

Download Submit
C:\Windows\SysWOW64\Fpkibf32.exe

Filesize
264KB

MD5
1ea2a245a64a270cafe8084cd1e17fef

SHA1
cfc0d8d26dab00c25e7b354e6e7ff4442f70b9f6

SHA256
0d643f82c73cd7b36f3b7c34e42eef35ce41ebb2e6971e70e246f8d8645c5227

SHA512
b43d4fd066daffebf6c551da819acc9fb5ef815d4047d6bd09e6fd5e94c8f032729436ac767cc421b8b02a8a3c191e834c65f0a03d249c06633ac542a4ee0437

Download Submit
C:\Windows\SysWOW64\Gbkkik32.exe

Filesize
264KB

MD5
a855e7bc7a5edb0c105ddc058055fb5a

SHA1
525dc9b09110c323967c77601f87385f382f619e

SHA256
dc26a8e4f1b4441d4322b135555cd9ab01c32be2feb903b634d5893f6c0325fe

SHA512
bd29a5d0a37bc6bd615a4bb8b0273cb59dc31485f44a5b66014d161c27d597cc3fcc11135b0def76d147633653d6918c2b722ae1ed00ca7ce64f1211275e8bbf

Download Submit
C:\Windows\SysWOW64\Giljfddl.exe

Filesize
264KB

MD5
5f0ba72dcf84d0d4f974c5ff6ee3dddc

SHA1
b46c1551aea768307a6b7af6a210f4673ca64835

SHA256
0e1ee9446443b6a321c42b7793df2a0e2ae55fdbb7c0117ee988fa173a00c6e1

SHA512
222ffdc3124ac7b750e5ceb1b2cca06ea49401e79abf39f1b8d6cf98c9599c465b565d00ca83732314e936838ebd375c2556bc64bd617c89ee94373a6d4608e9

Download Submit
C:\Windows\SysWOW64\Gnepna32.exe

Filesize
264KB

MD5
edb89bc31a3c2da1ff9c859bb7761e42

SHA1
3610ce662e55edbd639e95204fc9b8a3713b2c54

SHA256
53cb64d484a60d52201f7a95405da7649b20fbfe0647947d098097e4937ab817

SHA512
b64b107cf33a3844d191ad76b5dd5eedf4d8899cf49dba1f36e4f11a9453e03516e3a5b2f8293a470e342368489a0e120c73fbe5b4b6d6ee4493106d9eb164af

Download Submit
C:\Windows\SysWOW64\Gnqfcbnj.exe

Filesize
264KB

MD5
485d892483e48b909b81ad0aa40de4d5

SHA1
026e90b65330a019f1a2df59c719f0452b6c5530

SHA256
c531e3264a3494ffa270846d10178bb331aacb1e32c3ad1cf59ce37a2cfd315c

SHA512
80057391e0a8eceebba650b57ccc0eeb3815a6cfd5465258998b7cd4b20ce68fd02fe924ea59c8c12e9134c8fd82dceb54161b35a100fe95fcaba69d6aa0d94a

Download Submit
C:\Windows\SysWOW64\Gpaihooo.exe

Filesize
264KB

MD5
f36c841adeab5e83ad565a8d145dfc04

SHA1
167ce3e1823b5958a244688c88fcfdb53c36e3b5

SHA256
4a734f6d6c5e67bb71a3c0f7b5d17c82eb341c0cc6a02ba6db291ea7c992eee2

SHA512
09687d703e0476ddda283c733bdeae619f0531b7c6eae7476b66537ff8f7476cdece2c141d0bf4c64d00a2b2718597ecd013a67bd7e2d0416a505635fc85143b

Download Submit
C:\Windows\SysWOW64\Gpgind32.exe

Filesize
264KB

MD5
77ad78e196dbadb316e97472487f851c

SHA1
102a950589a1064f9cca945b2b42df8ecd96823e

SHA256
ee1e0a560e081d0d37892cbfce1aa4121e877a0d09a4250c2ec97284371fc25d

SHA512
d77445d22d21082aaa57aeccc635b7d217b50324cdda39e5160c131db46f5bdfc0e38073142ebfc3da97638a3e02f37e842a847404fddad24c2680d19d433810

Download Submit
C:\Windows\SysWOW64\Gppcmeem.exe

Filesize
264KB

MD5
44e08f2ecae22cc55d599ad8a06d4cd8

SHA1
d412d45a21ee08383826bb731e73716c062c5e0d

SHA256
ce2c52d8258fa86c25c6b461f6d97fc6100df812caba5c7756ecc10d291bc77d

SHA512
7f26f9f42e83c3478c242610dc8cc2490b2bc613604a3e93a423b93f9acf69710d242215df8ddc2702fa35bfce3261dbfb673e195ba6fea344f204ccbc430099

Download Submit
C:\Windows\SysWOW64\Hbjoeojc.exe

Filesize
264KB

MD5
f5a5bad4068b290a0f3fd02a714ff23c

SHA1
d9912ae54dd7d26cbc7b5f86d56091a991916ef1

SHA256
ec3257df6e522195df9d9d1515bfbf44a265eb53d26d474137324b67a153112d

SHA512
bee6cd04791eda66148597d705b6337463c23ee9fa7130ceb86ca17ce511fe071e1c311673ecc0c55a4822e92fdaacb528e93be562ae091a33507af9222b44b9

Download Submit
C:\Windows\SysWOW64\Hbldphde.exe

Filesize
264KB

MD5
90b3080fe18e27c856a6845be2fb1d4b

SHA1
57acfdd5fa59c046b311f7f0c2d3ad4a150b9a13

SHA256
e1fdf0db633410459df53eadc34c4dbb641323e2f81ed0f39b1c0e26e8bd1b82

SHA512
b16e9fb21294975b39f8e2401c7d0b379acfd06bd80043c97247f8108b170ba849a582a96cb66836bb071b91205111db71749f8d6b8b74ea0e1a1e4edff28635

Download Submit
C:\Windows\SysWOW64\Hekgfj32.exe

Filesize
264KB

MD5
da1a304a028cbd0eb822693b11f4fd00

SHA1
b0e872fb0a96b3fd133ac76d54239ab40d19a362

SHA256
8ac5ccaebc9ef5f91298f961037e1fbbb16bffb9376dca5738c5a4e693562bc5

SHA512
74f1d5f2cafdc259c8748927af1700e43a92e26edc1a7f381e320e1c2ab98319042548d097e7637b29b294c4c6ac881dfd7fc14ddbbbc7a2f60a1cb9a0388e76

Download Submit
C:\Windows\SysWOW64\Hfjdqmng.exe

Filesize
264KB

MD5
8b3f63767ea2c8583f65b2a5d2b621cf

SHA1
a36f7800608d876f0a57e576a090b0cb572f7259

SHA256
d2167cc6a2db6f90064f9524e289fc065e3422702118c3fe128e76894956f9c0

SHA512
c6f12c8fb954dca16646a437e2eaa55c2e31c64717949fe5654396ea4a0b119776d0e0aed66589ced0bbec0421feeea2126135db569d50c52b9165e5c775e10a

Download Submit
C:\Windows\SysWOW64\Holfoqcm.exe

Filesize
264KB

MD5
aaa1acee29624fa7355a5fd4a00cb504

SHA1
381ac811cda1878160bd141a15f47bafa17a2133

SHA256
5bc80df028bf80e7c25c10ba7392d36484dab4b8439d5753a76f92040b527dbb

SHA512
4d44d1ec7e66c34dd47c5b40f66fe79d4462417cf4fcecac2f7243a7e57220f29dfd40d1fb231b234e191da6b1305d13420cdb55f4160e35ebe0c11b55a22148

Download Submit
C:\Windows\SysWOW64\Iefgbh32.exe

Filesize
264KB

MD5
63590eabdafbcaacc01d1922e92e4855

SHA1
71259c69927fe1fe5dd14b005a9511f7efa844c5

SHA256
1c61d01ab7c05fa81c79184652d90560875dc12ca6308b4eb428b131c9570666

SHA512
eb698b64e0d8c33d26e222d860f5224e714be5fb65b6cb7e4c9893051963ff1670405dc7fcfbd7566c860eea425527889c880935706ef71fcf3e9b2837d5a754

Download Submit
C:\Windows\SysWOW64\Iidphgcn.exe

Filesize
264KB

MD5
198b0bb937be7c7e30fe1566ab3358a8

SHA1
20e04b0be4cccf5affdafc528f6eace287aa1b03

SHA256
3e82e59a3e45c4e65f5167dba226d68576fe8c073a4fd59f57464c8d70c197e9

SHA512
ea240d7db99ca9d1a528176985f93b6505b315ac07febf4dc404e332fcd379e91854b0d72f40ad9552cb797e80fc90e63d646158ba6611f9ccd088f49892d094

Download Submit
C:\Windows\SysWOW64\Imgicgca.exe

Filesize
264KB

MD5
1ec0224f7550d6d35554e0790f0db31f

SHA1
c6812a1c69744788c17cd14d70e9959c864fe00a

SHA256
b8387c9b1114cc68e23f429a384b013aac6cc844a86f7d7cae0f747f02503314

SHA512
ea9979709b6e2d9a2a587d4ff60f54c668b442f857a1eeca0287d2fb76b89e26f96bdc06de4e03cca57ed4c022a7bc4b849bb1e32f40c4b26e1f51c4f4a8bb2d

Download Submit
C:\Windows\SysWOW64\Ipdndloi.exe

Filesize
128KB

MD5
a2b41bcd2509cad23db5f703bdac9e79

SHA1
45500582310a55a08a7ab8ab79d48c8c7b9974ab

SHA256
bd059444c5b195229afbb714688ea01925c176d05e8a959bfb8328944897f6d0

SHA512
eef399c5098288e2c96850053ddcc235d32f99608f7fcf94c32360501fe45b8202b9a2c50ce113f931da01576d9dc445b0537943f28525f4ed9b45fcb5179444

Download Submit
C:\Windows\SysWOW64\Jpaekqhh.exe

Filesize
264KB

MD5
922f8feb3057cb3aa6172176e3881ddf

SHA1
9911672477bff4135b7804c8738712d7ebe34468

SHA256
9dc33167c7deb7a3533c21cb948185b23d90f1193da3af0bdb8142f75cfd4be7

SHA512
4b0c7bcae6e3344af9136c5cb6371061307c2fc9f04105f334fe4816d230a7457a24756429da0ffccff346a65ed2bcab8b885e361715f1341e9bd11cfb1ece1a

Download Submit
C:\Windows\SysWOW64\Khbiello.exe

Filesize
264KB

MD5
8dbe589f131cf29af995c1f23cac5dff

SHA1
7c750ffde497f5019c73337dab8db6a8751dd32e

SHA256
7f3aea6bd5cd92ebcfcdb7edc1abc14674aae885dc3e0c8a5dbea5fc379c65e4

SHA512
59eeb1491e5c085ae952c31491b4c9a15e429c309fa7cb60e626dfe1563c948539447d77828f41bd0948bb2f95406fe36aec97e0d6629e84fc39dc49bc15f96d

Download Submit
C:\Windows\SysWOW64\Lakfeodm.exe

Filesize
264KB

MD5
255d97f3e062d286e48ac0caa69ec340

SHA1
27ffd3e16bbf136eeb861382a9acf1cdf30ddf44

SHA256
882e5408348abb0261000f3fedf8b29758ac2a10fcd176f9330171af93eccb9d

SHA512
7e8323d24a17a527c0af2b026e44f446c1b46d1a89d41a157085335a0233adde16b278ff7d0f90fa78301c9b1d02e9765b7daedc62479e1faaea20ba1fd7eebe

Download Submit
C:\Windows\SysWOW64\Lebijnak.exe

Filesize
264KB

MD5
28f649d733beb2f1a4d3c11939c850f3

SHA1
0c03441fefd72c21386c2404015ad43b3a057bde

SHA256
fabe9a9215cda234c55e925895ce397521af2fbd3313890ce336167376c80013

SHA512
ca742cf548a514ede76c64475afa36c5031f502264f1c7c0ee75d4e90434e211cc6d9aa1bb6af226ebfe4dedb54233d5ac208aeb77b90e4877c4bab96b647fcb

Download Submit
C:\Windows\SysWOW64\Mhoahh32.exe

Filesize
264KB

MD5
3827f15f43935a9039ec15136df6552d

SHA1
90dd05e486a53bd7224be5737e7ac28f89c85912

SHA256
f48614552e8b8281d5ba5672435d4a04b563fb8a48e0b9874e0a7b1760e8dbe8

SHA512
dd1dbd4f81e70bba63a2b220de24de12aa8a72f7cb8405319a44871b713a25e83dc3e2c9926ca58678f89ce6e15c179ff8069f0e45c2fdcbac76e6ada9d6cf08

Download Submit
C:\Windows\SysWOW64\Mlofcf32.exe

Filesize
264KB

MD5
4609c77696a9ac9c106450bbd19ec249

SHA1
c2136ac75fd0624fe11fbcbd630703a8f2a5528e

SHA256
07ead81abac1f62bd721ef305952ae7bfe1ff2b573e3230dc743d4f53b03508b

SHA512
26b85228c630cdbc25771fe20f7656e7fdd875b2ca3753b3a93d81e098a2fc280c3457e67848caac956ce598fb1f991c55b9a25039bf64a1fecb25b4e0282385

Download Submit
C:\Windows\SysWOW64\Nbphglbe.exe

Filesize
264KB

MD5
7c9f8d8b3fdad941e6da6a60caf8d0dc

SHA1
6f1453d1337b2c3b437b065f2c13003e2665400e

SHA256
f46c74b923ba2729f6c8f8455ecf636b0a41c2dc484f0c23df85520aaddde43d

SHA512
71a0a517f2c5eeaa7c7ed1a454ffbc6e04777b64ad4d43376bad8fc8ad2224dd1c82c5c14b4171be4195a147dd08760ec51d59ae3adaec64a7bf6ca9c2f24c9f

Download Submit
C:\Windows\SysWOW64\Nmjfodne.exe

Filesize
264KB

MD5
e5a17114038777e5b79ce8f1f3171002

SHA1
c964ed1e26026ed23a60cd8cfbec300c63f97096

SHA256
d08f40a5ee27cc06ab9e292f9922c477fcb7fd37c235d9ac4a90e8df91381141

SHA512
6bde9f0c3e5aac68cacb0bd97d2405e1ee29c8b3695138ec86f07123e86e3f6fb57ac4195c35460f62a798479a2792d12de187159a6bb20307e76ef5eb320e25

Download Submit
C:\Windows\SysWOW64\Pfnmog32.dll

Filesize
7KB

MD5
05e28079a8a18bf50e96474967279f1f

SHA1
9428823f05ae33533fdf5998f65e5bcc4f031f80

SHA256
74771b75d1e3460cbcd0fee1d51d508727e4c6752105095af986d081a5bbf5c2

SHA512
dfc47f7a1d06922d3509be1d77279424292fae9b3b3b6dd4a4144aafb5b8f197fc51fd36d858cae7ea62a1e1107e5a43f7ec87e614bbfc37a8d9bf7000a00ace

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
264KB

MD5
9a54e7783d48bc585d229c83d6235f41

SHA1
9356d77222ba79934465f30d1009a14c4156fe93

SHA256
ba4960028de8a8dd08207ff690e126c2dbec778f63f23d96ee7cb3a9d7280df4

SHA512
f638ebf6aa6154349bb6b1e119ba9b227ddeed6ef99acbb282fc5c7b55b94eae8ed1435d3c1caca3758d9a047f36e8cfdb1999f7d26ed1cb88911630ae7d1c6b

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
64KB

MD5
418b68ccc79c89f1118fa033f032495d

SHA1
fcff07408b8c7d1fb6e7e1cb9fb94b87f8c8ccbb

SHA256
1142d81eafcba7f9cadf8979eed08d8d2a96e75f5847aca2c8202f653644dae4

SHA512
f9a0ac6e61e2b0212da7e053dfaa3b064a63466ae57d603eb12a689507f3e7e2871201baa0dfdd30fd0d1bcdb1207ed8fd61aef6166d188775c13d449c9158b5

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
264KB

MD5
6d13aa2660dacf2046729cb30924ae3d

SHA1
d12737ab74ed68b4103fc8d5cf7100f46cd9efb5

SHA256
3c44286f86d412754033cc14011b4e699b41859fdc13c1c1466fdac8b0e1dec0

SHA512
28df36f856ac6faab9f04c4086351a76b1ef98fc7c92c544e67570f997339afbda34d9a3cb1fc1599e182a9d514bec0fe29d2fe25f18a38a50ef629bf2cc9784

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
264KB

MD5
ca4fb87edd8a74dc0967c5a23ef2db5c

SHA1
2da3dd96d24a271e7a1d19cf117f6be68834eb48

SHA256
783844b18d530f76ebb13b189f1b170ccaac1c20cfed3f31028986af694ddaf4

SHA512
7b1a764da5e905595e4e53eb0627fab0eb2ab50f2f55afe1a48141f5026a8b22c862bc4ecb50249f6b1202478644a164c6e5ad3974fdb5e0b0a7248b7c0e4e20

Download Submit
C:\Windows\SysWOW64\Qpcecb32.exe

Filesize
264KB

MD5
86440e06c7aa0424d14dc1150ea4ea46

SHA1
3f63613a121b25b47f2f5ab0eb2094c313b45cc5

SHA256
1e3ecf270f1001eb379a3d6f475a64073d4d79f0ac050a6bfbd3949f0f8960a1

SHA512
ad3f2098c2a19a291b20b95bf736a9bb226d141ecc605fa87ce3ab98caa7d936232d6bc3e0f01b563689092982456a6c843a41176a61b4a2080c51b80dd9bd30

Download Submit
memory/408-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-659-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-679-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-707-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-734-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-672-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-742-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-640-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-721-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-614-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-700-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-627-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-686-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-699-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-750-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-741-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5200-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5244-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5288-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5328-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5392-596-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5472-602-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5528-608-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5572-858-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5576-619-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5620-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5664-632-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5712-634-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5756-641-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5812-647-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5852-653-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads