0a5b2185c94735e780e5ffcddec3fdbea8b7a0b2a0fc24002eb71b09980ebbc5

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba6d6736a85db18e599c7f7c54af3ad0_NeikiAnalytics.exe
Size

96KB
MD5

ba6d6736a85db18e599c7f7c54af3ad0
SHA1

d5f9a44edff102a9cbc612f9cda9c1518490a23c
SHA256

0a5b2185c94735e780e5ffcddec3fdbea8b7a0b2a0fc24002eb71b09980ebbc5
SHA512

881ea83a82a28a4ef6e5ac73ff4d8006857eb64a7323378fdd365b4580dd5bc34dec2efaa9bcf0103637ab11ec141e40807ab32c86a22f1d23552a18ec7ca5da
SSDEEP

1536:Djm5XQZZ/1JCzUSeJ/o9Rr5fV3iuGLfnUy7QR8B30JBQ5mhrUQVoMdUT+irF:BZ/QUL5YiuGUDRFWMhr1Rhk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enfckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnnljj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfiokmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Modpib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npbceggm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dndgfpbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebifmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlkfbocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imkbnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdnbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lebijnak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qamago32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekjded32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ganldgib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kakmna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocgbend.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imkbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljhnlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aibibp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpchib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiekog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkofga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjdho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Babcil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekjded32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgicgca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cammjakm.exe

Executes dropped EXE 64 IoCs

pid	Process
4940	Goglcahb.exe
4688	Hfaajnfb.exe
2568	Hefnkkkj.exe
4888	Hmpcbhji.exe
3856	Hlepcdoa.exe
3492	Hpchib32.exe
1272	Imgicgca.exe
4512	Imkbnf32.exe
4048	Ioolkncg.exe
1260	Lmdnbn32.exe
1704	Ljhnlb32.exe
4832	Mcifkf32.exe
1984	Npbceggm.exe
4728	Nqbpojnp.exe
5100	Njjdho32.exe
2856	Npiiffqe.exe
3384	Ocgbld32.exe
3632	Ocjoadei.exe
4640	Oclkgccf.exe
1096	Oaplqh32.exe
4944	Omgmeigd.exe
3116	Pmiikh32.exe
2460	Pccahbmn.exe
4676	Pjbcplpe.exe
4928	Pjdpelnc.exe
1128	Qmeigg32.exe
2208	Qacameaj.exe
3892	Aogbfi32.exe
4236	Aagkhd32.exe
3428	Adhdjpjf.exe
4612	Adkqoohc.exe
3952	Apaadpng.exe
3780	Bdojjo32.exe
2144	Bpfkpp32.exe
4380	Baegibae.exe
3396	Cpmapodj.exe
2040	Cammjakm.exe
2840	Caojpaij.exe
2804	Caageq32.exe
4808	Cgnomg32.exe
1728	Cgqlcg32.exe
4716	Dafppp32.exe
408	Dpkmal32.exe
1508	Dhdbhifj.exe
3460	Ddkbmj32.exe
4660	Dndgfpbo.exe
2864	Enfckp32.exe
4528	Ekjded32.exe
496	Ehndnh32.exe
4684	Ebfign32.exe
4884	Ebifmm32.exe
5044	Eiekog32.exe
4252	Fbmohmoh.exe
4936	Fganqbgg.exe
2700	Fkofga32.exe
3008	Ganldgib.exe
4284	Gijmad32.exe
1092	Hlkfbocp.exe
628	Hnnljj32.exe
3052	Haodle32.exe
2964	Ilkoim32.exe
4332	Iefphb32.exe
1804	Joqafgni.exe
3480	Jpbjfjci.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ebfign32.exe	Ehndnh32.exe
File created	C:\Windows\SysWOW64\Qfmfefni.exe	Qmdblp32.exe
File opened for modification	C:\Windows\SysWOW64\Qfmfefni.exe	Qmdblp32.exe
File opened for modification	C:\Windows\SysWOW64\Aogbfi32.exe	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Mcifkf32.exe	Ljhnlb32.exe
File created	C:\Windows\SysWOW64\Jchdqkfl.dll	Njjdho32.exe
File created	C:\Windows\SysWOW64\Ilkoim32.exe	Haodle32.exe
File opened for modification	C:\Windows\SysWOW64\Joqafgni.exe	Iefphb32.exe
File opened for modification	C:\Windows\SysWOW64\Pcpnhl32.exe	Opbean32.exe
File created	C:\Windows\SysWOW64\Nhoped32.dll	Pcpnhl32.exe
File opened for modification	C:\Windows\SysWOW64\Aiplmq32.exe	Acccdj32.exe
File created	C:\Windows\SysWOW64\Hpchib32.exe	Hlepcdoa.exe
File created	C:\Windows\SysWOW64\Cnaqob32.dll	Nblolm32.exe
File created	C:\Windows\SysWOW64\Gpkehj32.dll	Aibibp32.exe
File created	C:\Windows\SysWOW64\Deiljq32.dll	Abmjqe32.exe
File created	C:\Windows\SysWOW64\Ppadalgj.dll	Kakmna32.exe
File created	C:\Windows\SysWOW64\Nmiadaea.dll	Npbceggm.exe
File created	C:\Windows\SysWOW64\Adkqoohc.exe	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Caojpaij.exe
File created	C:\Windows\SysWOW64\Omjbpn32.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Dhdbhifj.exe	Dpkmal32.exe
File created	C:\Windows\SysWOW64\Ckcdlpbd.dll	Fbmohmoh.exe
File created	C:\Windows\SysWOW64\Aqmiic32.dll	Hpchib32.exe
File created	C:\Windows\SysWOW64\Jcoiaikp.dll	Iefphb32.exe
File opened for modification	C:\Windows\SysWOW64\Lmdnbn32.exe	Ioolkncg.exe
File opened for modification	C:\Windows\SysWOW64\Enfckp32.exe	Dndgfpbo.exe
File created	C:\Windows\SysWOW64\Hnnljj32.exe	Hlkfbocp.exe
File created	C:\Windows\SysWOW64\Hkhcdb32.dll	Hlkfbocp.exe
File created	C:\Windows\SysWOW64\Lfiokmkc.exe	Lakfeodm.exe
File created	C:\Windows\SysWOW64\Knaodd32.dll	Afockelf.exe
File created	C:\Windows\SysWOW64\Aibibp32.exe	Aiplmq32.exe
File created	C:\Windows\SysWOW64\Ficlfj32.dll	Goglcahb.exe
File created	C:\Windows\SysWOW64\Babcil32.exe	Bpcgpihi.exe
File created	C:\Windows\SysWOW64\Nepmal32.dll	Ccmcgcmp.exe
File opened for modification	C:\Windows\SysWOW64\Bpcgpihi.exe	Bdlfjh32.exe
File created	C:\Windows\SysWOW64\Pqhfnd32.dll	Hlepcdoa.exe
File created	C:\Windows\SysWOW64\Kajimagp.dll	Aagkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Lgidjfjk.dll	Qamago32.exe
File opened for modification	C:\Windows\SysWOW64\Ccdihbgg.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Epffbd32.exe	Ecbeip32.exe
File opened for modification	C:\Windows\SysWOW64\Fqdbdbna.exe	Fdmaoahm.exe
File opened for modification	C:\Windows\SysWOW64\Hefnkkkj.exe	Hfaajnfb.exe
File created	C:\Windows\SysWOW64\Baegibae.exe	Bpfkpp32.exe
File opened for modification	C:\Windows\SysWOW64\Cajjjk32.exe	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Djojepof.dll	Fqphic32.exe
File created	C:\Windows\SysWOW64\Jfdaia32.dll	ba6d6736a85db18e599c7f7c54af3ad0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Oingap32.dll	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Fkofga32.exe	Fganqbgg.exe
File opened for modification	C:\Windows\SysWOW64\Ilkoim32.exe	Haodle32.exe
File created	C:\Windows\SysWOW64\Egcpgp32.dll	Mokfja32.exe
File opened for modification	C:\Windows\SysWOW64\Dajbaika.exe	Dcibca32.exe
File created	C:\Windows\SysWOW64\Omgmeigd.exe	Oaplqh32.exe
File opened for modification	C:\Windows\SysWOW64\Bdojjo32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Kjmejc32.dll	Ddkbmj32.exe
File created	C:\Windows\SysWOW64\Focanl32.dll	Eiekog32.exe
File opened for modification	C:\Windows\SysWOW64\Lfiokmkc.exe	Lakfeodm.exe
File created	C:\Windows\SysWOW64\Pcpnhl32.exe	Opbean32.exe
File created	C:\Windows\SysWOW64\Fofobm32.dll	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Qmeigg32.exe
File created	C:\Windows\SysWOW64\Fkofga32.exe	Fganqbgg.exe
File created	C:\Windows\SysWOW64\Pknjieep.dll	Bpjmph32.exe
File opened for modification	C:\Windows\SysWOW64\Cgklmacf.exe	Ccmcgcmp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6564	6456	WerFault.exe	224

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbmohmoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmfqknfm.dll"	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeclnmik.dll"	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odanidih.dll"	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ba6d6736a85db18e599c7f7c54af3ad0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebfign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gijmad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll"	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhdbhifj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljhnlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qamago32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmell32.dll"	Gijmad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqmiic32.dll"	Hpchib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldpnmg32.dll"	Ljhnlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgeag32.dll"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qckcba32.dll"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhdbhifj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfepi32.dll"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfiokmkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dndgfpbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hefnkkkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hanpdgfl.dll"	Jllhpkfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blknem32.dll"	Ganldgib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpgp32.dll"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djojepof.dll"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll"	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldjbclh.dll"	Hnnljj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npiiffqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkofga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppgomnai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qamago32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddkbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnnljj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilkoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dajbaika.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll"	Ccmcgcmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4940	3604	ba6d6736a85db18e599c7f7c54af3ad0_NeikiAnalytics.exe	90
PID 3604 wrote to memory of 4940	3604	ba6d6736a85db18e599c7f7c54af3ad0_NeikiAnalytics.exe	90
PID 3604 wrote to memory of 4940	3604	ba6d6736a85db18e599c7f7c54af3ad0_NeikiAnalytics.exe	90
PID 4940 wrote to memory of 4688	4940	Goglcahb.exe	91
PID 4940 wrote to memory of 4688	4940	Goglcahb.exe	91
PID 4940 wrote to memory of 4688	4940	Goglcahb.exe	91
PID 4688 wrote to memory of 2568	4688	Hfaajnfb.exe	92
PID 4688 wrote to memory of 2568	4688	Hfaajnfb.exe	92
PID 4688 wrote to memory of 2568	4688	Hfaajnfb.exe	92
PID 2568 wrote to memory of 4888	2568	Hefnkkkj.exe	93
PID 2568 wrote to memory of 4888	2568	Hefnkkkj.exe	93
PID 2568 wrote to memory of 4888	2568	Hefnkkkj.exe	93
PID 4888 wrote to memory of 3856	4888	Hmpcbhji.exe	94
PID 4888 wrote to memory of 3856	4888	Hmpcbhji.exe	94
PID 4888 wrote to memory of 3856	4888	Hmpcbhji.exe	94
PID 3856 wrote to memory of 3492	3856	Hlepcdoa.exe	95
PID 3856 wrote to memory of 3492	3856	Hlepcdoa.exe	95
PID 3856 wrote to memory of 3492	3856	Hlepcdoa.exe	95
PID 3492 wrote to memory of 1272	3492	Hpchib32.exe	96
PID 3492 wrote to memory of 1272	3492	Hpchib32.exe	96
PID 3492 wrote to memory of 1272	3492	Hpchib32.exe	96
PID 1272 wrote to memory of 4512	1272	Imgicgca.exe	97
PID 1272 wrote to memory of 4512	1272	Imgicgca.exe	97
PID 1272 wrote to memory of 4512	1272	Imgicgca.exe	97
PID 4512 wrote to memory of 4048	4512	Imkbnf32.exe	98
PID 4512 wrote to memory of 4048	4512	Imkbnf32.exe	98
PID 4512 wrote to memory of 4048	4512	Imkbnf32.exe	98
PID 4048 wrote to memory of 1260	4048	Ioolkncg.exe	99
PID 4048 wrote to memory of 1260	4048	Ioolkncg.exe	99
PID 4048 wrote to memory of 1260	4048	Ioolkncg.exe	99
PID 1260 wrote to memory of 1704	1260	Lmdnbn32.exe	100
PID 1260 wrote to memory of 1704	1260	Lmdnbn32.exe	100
PID 1260 wrote to memory of 1704	1260	Lmdnbn32.exe	100
PID 1704 wrote to memory of 4832	1704	Ljhnlb32.exe	101
PID 1704 wrote to memory of 4832	1704	Ljhnlb32.exe	101
PID 1704 wrote to memory of 4832	1704	Ljhnlb32.exe	101
PID 4832 wrote to memory of 1984	4832	Mcifkf32.exe	102
PID 4832 wrote to memory of 1984	4832	Mcifkf32.exe	102
PID 4832 wrote to memory of 1984	4832	Mcifkf32.exe	102
PID 1984 wrote to memory of 4728	1984	Npbceggm.exe	103
PID 1984 wrote to memory of 4728	1984	Npbceggm.exe	103
PID 1984 wrote to memory of 4728	1984	Npbceggm.exe	103
PID 4728 wrote to memory of 5100	4728	Nqbpojnp.exe	104
PID 4728 wrote to memory of 5100	4728	Nqbpojnp.exe	104
PID 4728 wrote to memory of 5100	4728	Nqbpojnp.exe	104
PID 5100 wrote to memory of 2856	5100	Njjdho32.exe	105
PID 5100 wrote to memory of 2856	5100	Njjdho32.exe	105
PID 5100 wrote to memory of 2856	5100	Njjdho32.exe	105
PID 2856 wrote to memory of 3384	2856	Npiiffqe.exe	106
PID 2856 wrote to memory of 3384	2856	Npiiffqe.exe	106
PID 2856 wrote to memory of 3384	2856	Npiiffqe.exe	106
PID 3384 wrote to memory of 3632	3384	Ocgbld32.exe	107
PID 3384 wrote to memory of 3632	3384	Ocgbld32.exe	107
PID 3384 wrote to memory of 3632	3384	Ocgbld32.exe	107
PID 3632 wrote to memory of 4640	3632	Ocjoadei.exe	108
PID 3632 wrote to memory of 4640	3632	Ocjoadei.exe	108
PID 3632 wrote to memory of 4640	3632	Ocjoadei.exe	108
PID 4640 wrote to memory of 1096	4640	Oclkgccf.exe	109
PID 4640 wrote to memory of 1096	4640	Oclkgccf.exe	109
PID 4640 wrote to memory of 1096	4640	Oclkgccf.exe	109
PID 1096 wrote to memory of 4944	1096	Oaplqh32.exe	110
PID 1096 wrote to memory of 4944	1096	Oaplqh32.exe	110
PID 1096 wrote to memory of 4944	1096	Oaplqh32.exe	110
PID 4944 wrote to memory of 3116	4944	Omgmeigd.exe	111

C:\Users\Admin\AppData\Local\Temp\ba6d6736a85db18e599c7f7c54af3ad0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ba6d6736a85db18e599c7f7c54af3ad0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Windows\SysWOW64\Goglcahb.exe
  C:\Windows\system32\Goglcahb.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\Hfaajnfb.exe
    C:\Windows\system32\Hfaajnfb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\SysWOW64\Hefnkkkj.exe
      C:\Windows\system32\Hefnkkkj.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4888
      - C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        24⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        29⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        41⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Enfckp32.exe
        
        C:\Windows\system32\Enfckp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:496
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Fganqbgg.exe
        
        C:\Windows\system32\Fganqbgg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Gijmad32.exe
        
        C:\Windows\system32\Gijmad32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\Hnnljj32.exe
        
        C:\Windows\system32\Hnnljj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        66⤵
        Modifies registry class
        
        PID:100
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3088
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5068
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        70⤵
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        72⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        77⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        78⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        81⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        82⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        88⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        91⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        93⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        94⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        104⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        106⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        108⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        109⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        111⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        113⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        114⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        115⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        116⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        117⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        118⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        120⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2924
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        123⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        126⤵
        Drops file in System32 directory
        
        PID:6320
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        127⤵
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        129⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 412
        130⤵
        Program crash
        
        PID:6564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 6456 -ip 6456
1⤵
PID:6528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3896 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:7152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aagkhd32.exe

Filesize
96KB

MD5
d1cdb34d5362f33e2433111a689eb9e1

SHA1
f8446d72a998a3f8b875288b1f141ea0f9bce814

SHA256
ce066e589721a605d3564fd4ccef185dbcf98ecf2ded4a07b1c0ace27eb77fb8

SHA512
bb42bb3794d80017f6a5fb6907a8072ac5a62a538afe54145a6c9af26e02a70233c86ce8286e6beace41c6ca65cb53c43cf6dce56134235a4aa98060c0fa0c0d

Download Submit
C:\Windows\SysWOW64\Abmjqe32.exe

Filesize
96KB

MD5
dd4cfaaed5667429201936acfb311a7c

SHA1
7fe47fff32e46d23bbf30e0fbfa875441cfb128a

SHA256
82a2e090db96355d8c780711805c3386f86a430a9e3756fbd76814e9a5540af4

SHA512
54a8bfff1313cdc1e020375656fe0d71243b36b256d5797ce9e89c092c9d21393d3990dae0dc6a3304c4d8a9f16cd69f0991a315a963137e4dabdf1ce25013ee

Download Submit
C:\Windows\SysWOW64\Adhdjpjf.exe

Filesize
96KB

MD5
04bd0e56374f52e4d357e3e19a22ae24

SHA1
2dfd56960fc34ea15e9ab085b0fe9cb013a86a30

SHA256
8cdb084c4372588ed6359865df3237bcc55f605841b7c2e026dbcf7669566cd9

SHA512
668f5cb13b61b30c9002425a6849b056c05f03a881143a711fc56871a48468d9740529aee6ef4aa71470b8336fe178cbfdccec4863e5b9f1ebe85c667410931b

Download Submit
C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
96KB

MD5
e7ee0af6090585fcd4d1e6aa4533836a

SHA1
3114430c5eec6112c4371193216a58c2a55ca70b

SHA256
bd602c49ff111442962b58919f9a9f22537bb1f1d74f357216c77d9596ed8d29

SHA512
c8e9da4954495340f30fd6b22483416ba44a58783033bd95b1161f4708ce7234f77ee28fcbb8a077b927b4388bf420618b8d5929a7ab0b9c59d39dc20f95debd

Download Submit
C:\Windows\SysWOW64\Aibibp32.exe

Filesize
96KB

MD5
0736e10a09b2155efa051c5221e2a634

SHA1
bba1b06e3563b1273d6caade90c8cc5981d01fdc

SHA256
5352b699964239c917c93926e81a1cdd87cc1455b35d4aa384b72c5cfaea3d26

SHA512
5fe64a6d88b76c8b35a33b48ce9f6a525e220873dfc29dbfb312c123f06332bc7c5da6b65ae17131289bc2f44f49cd126894e060b31807fa2a31826a585acbd7

Download Submit
C:\Windows\SysWOW64\Aogbfi32.exe

Filesize
96KB

MD5
d17ab2e87443f97b2ec7e47e556380d3

SHA1
a30e2fcd856429c5d789e0950aca13da14a07c3b

SHA256
b8c27cfc542150f62cd33234c7d7c7cae2860187fe8bf8f662befaa1a317d2d7

SHA512
8da69096fddb8014e697b1ad7719f3c18f5105cd4d2cdb386f79af9545edb25d9d61acee8cada454dcfdcbbb25926860abb2e7e189c0a08a4255f5195ce5f480

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
96KB

MD5
27cf53866f293407a3cd9c95973ecfe6

SHA1
646a138e495c8e6ebaf8d4f345a8a7c6c4ceac92

SHA256
3b7ba236838f9d0cd68ddd295a22252134aea9ec68372e76f7d5ea8c2fcc4377

SHA512
c8adba03620554d45f50eaa5fccf936d3a0e35ec769637ba71f14e8eae3547ac51873318f332540f84c0cdaba45f7ba49bd280cdff364fdca87d5f890c938af7

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
96KB

MD5
7606ab2e891b217745744db30414c29c

SHA1
74362fb17c620d669e424037492c3de1207d3e8b

SHA256
3e3543acf3007954d00ba2a9a7087ca1785c91255aaf86e064fa852ffeeae0e4

SHA512
6381fc9fe17b89257ac9834e88819c02a117ce478e9ed99bbde068e102f0a6c986b3d749705cfd057986fa51a4360df5b6d0587968e5cd91693b1e9201e13b19

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
96KB

MD5
d0286e52ff241da770a881d56424c222

SHA1
a5aca682469e548fe0510e0d782398e577ca63fa

SHA256
53f3b8e9b04220dbac8224fc1e00b1a3ce28a3a2560ec4f49a48e567e6f5de5c

SHA512
d529ac5221992d9fb7fefb89f5ddb84730950ce0f0173ebd3f86651f03efa365e91381211448bcd3212dc7b4782defb216e9f7641bb373591ee9f7e131b90e20

Download Submit
C:\Windows\SysWOW64\Bpcgpihi.exe

Filesize
96KB

MD5
5baa24ea37a8e2fdee37a14982b01628

SHA1
c49ff897f5b953b48ad57f1ced186f431f00648d

SHA256
ed0d679d96548251db21b75cb40ed8b3102965e06e7fa51fbc96fa23ab73240c

SHA512
599dedc0a11ba54a5787aee9e41d1766890eb0eeebbfb767f979365ba9e8b9b5ea3249c8adc023f3617ff06f734a4eb8e3e044d70f26b4103390c1365883cb38

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
96KB

MD5
3ef57bdc87da11d49caae359dfdcf3ac

SHA1
166b7521c778800c4091824800f1e8b0350f6360

SHA256
70a8663e7a9ff3fae5be65fd7dda3af9cb7262792955422ae0af484d55ddaaef

SHA512
53e8455489593ee16ed01b3d33381a933a3a8b10754c5146dbd15618aa5aa64d0973a85c478e841abe2cd115a3934d8608e7ba82865ce9279cbb6dc5eb7a842e

Download Submit
C:\Windows\SysWOW64\Ccmcgcmp.exe

Filesize
96KB

MD5
7b38ca17e0951f91323b5bd37fa57fc0

SHA1
17cec92c3aa5854ccbd896e3dc94cc465b79d886

SHA256
2af77a138c042df9fc246b2ad92f34e1bbd92dddf25a3d35a4d39c593b8be59f

SHA512
a9f37aaeb5431e39c4b81342f93e9cbc667b262f19a336c5bfc6a1089146f83cdbcb68b1904ab457b26e0c42a5e7733f5f20ad79922085e797c998441277d8c1

Download Submit
C:\Windows\SysWOW64\Cikamapb.dll

Filesize
7KB

MD5
a1bfbf0afedc22215f6de9aca1f53f34

SHA1
361a31bdd6b187666b24ce564036bb09138371bd

SHA256
83d131393f46bb2aa3c55fb1680fe3eca768ad13b7ed792c5e7177287edd9e03

SHA512
5f0e2c86cc27051fa38cf708a5221cc902ebe6e1743452e4b139d36538e0e3c56740d765b8bb1050897271dbddfa7134815de546fa2673cf744893540f485890

Download Submit
C:\Windows\SysWOW64\Dafppp32.exe

Filesize
96KB

MD5
5ee226eba0fc61c56fb4295138bb06e1

SHA1
3ae301bcd561e08ddd5ab6eaa16d8d33a8c70745

SHA256
58be8d9f6a930ceccc53ed17e0aeabd5add2a6b3b0d1b58589fba68ab4d92863

SHA512
4209681fa0565f6565815427edf4ca8b364c0263b250e7d873fb389ded60aa173f3875f73b8fced3a48ca49d2a3c1918a00310b5fdb33a243f5731221d6d3180

Download Submit
C:\Windows\SysWOW64\Dajbaika.exe

Filesize
96KB

MD5
4ec7b269d1972e96e63327e826347d5c

SHA1
5abd3b1c29dde773352e6af5d8560f992fe51c42

SHA256
a4f338417168a585c845c7dbaad58161b29b089d15a2b334bbcdca32c86c1e31

SHA512
4e61ff1982d9605a9a5b0fef9a5f495817bea539db6e6ec4c7a6f8ca561de7382e10382c13cf74591e441da6557984895bfe7398d81933bb34d41ae9ab50f98e

Download Submit
C:\Windows\SysWOW64\Dhdbhifj.exe

Filesize
96KB

MD5
f919e0677cd8b227ded599bf2ef3c47d

SHA1
f3340aa22db86d3f12f1626d3b50afe183b65877

SHA256
82040f002af6c6640bd38b19effa380cde01c7feebf5e73713dc34a50da617b2

SHA512
fcb67e66a2ea3a73a2af488dbb5277543bc2aa0673f4b407cc5784ecf90f9eee137c456532904dd5effd0962487fe130fc55b07df35ab4501948bcef25fcbfca

Download Submit
C:\Windows\SysWOW64\Ebifmm32.exe

Filesize
96KB

MD5
64570f13d6f3931cbb32850549469a8d

SHA1
d27c915542ba2b48a8ff4d0176514f95106cde00

SHA256
5529ed385dd300b80e16edf85dc7e6ab1427b5249e65e64eaecf7e8caede74f6

SHA512
22512196fdc8baa4f0df8e8a3957b639e66d15c0ffdfe373976550b44e8514a82d159b1b8a9fd98bf1b9eeaf23e23b0316b46ee7fa4f5866194aa4ec677c7350

Download Submit
C:\Windows\SysWOW64\Enjfli32.exe

Filesize
96KB

MD5
791807e1c1fad9f3d88166fc0452f4fc

SHA1
f1000c498df1f993dff9454845bc197dcb9ebb16

SHA256
134a67576ea046e2a5aa3f08046a693a4ad0f56b58adc4959558d2f35dc292d4

SHA512
b9ff5b82a2eef5ff6666cbd92706be8911c3f5b24b0aed0ed9343fe8f6a61e16124dcfbe5b72d8b6b7443082555caf31a97a8632ba7af9186605f1a2eee06f2e

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
96KB

MD5
49d3793e47ff6fde71267dc35d433acc

SHA1
9a341f422fc7773fc83799e924022a62a40c9c82

SHA256
123d61aff811f89faaa1172a22cfd9781214b212483499c68f132f7a705ccf9c

SHA512
4888996a033a90361759e29c237dc0efc5f01c6cebb33d22b7e31dc2124f50c80d8d83e872960e7f0e446f713a767b44767d01bccdb7a32bc019e8e53462b617

Download Submit
C:\Windows\SysWOW64\Ganldgib.exe

Filesize
96KB

MD5
b0764a1f0badb458b23a954d84b81250

SHA1
92c3e4fdf4fc948bc08758d2d7e6dcfff17918da

SHA256
ae0b1ec9578762889188fdff4540885e8ca99d8e3654581362120a05f3372e24

SHA512
3e378d5e84fd4657f1f974c8c275f377fcd5971f177e979d7ee75a47b70852ff737965fb3553a65f9c8558cda7955e3b16f9e8e46e1e05a05b04244618ebc266

Download Submit
C:\Windows\SysWOW64\Goglcahb.exe

Filesize
96KB

MD5
a821f43f13b0ba5cd39eb0bef5b8599f

SHA1
5bc832d6f5457b57e95d714f6b8a734c51cdd5a2

SHA256
e7620d471e3f7603d6c2a46ed5163d92d8559fdccc8d442bcbe38167a33e0799

SHA512
36dcba9dc52e86b1dd1ee5e1b800dbfe80f5e77022bda8ea86f13ad2801fdca92a644bee4f0bc86a22820472916c62689f51310dbf6d01429fe50564ddef1007

Download Submit
C:\Windows\SysWOW64\Hefnkkkj.exe

Filesize
96KB

MD5
f94d3a3e2a636e55bdabe8d128e3b79e

SHA1
5121b3cd52db637844bc7e094ba550af7f0a8da4

SHA256
b8ef992fbeecdcca1aec0cd79c15d8436b3ba568d00f5159322bf23a2f53716c

SHA512
b073261291697e291bcf6f929db14266e6bdd256c0d23327c89d92512026e76a1638eb27bc2280bea3fe59206086c388e6e98fc4f04cf300ede5a386cf00ac73

Download Submit
C:\Windows\SysWOW64\Hfaajnfb.exe

Filesize
96KB

MD5
5fc55b8bdbaaf2f424ab6d1f3c688276

SHA1
683d295cd97a1f85b22ee3ee737dad2398401729

SHA256
8da142e0757ce2e7240fc329eb79a30e427c11cb412f0610ef791a88d9935a9e

SHA512
c108ac29f8410c1dcb7a59ed4b9ee1bf25098ba5582f9f788137cf34251211c13a87dd8a5f01a3ab5fdee57085233e644b3c0b5c1637cffcb16382a2a36910fb

Download Submit
C:\Windows\SysWOW64\Hlepcdoa.exe

Filesize
96KB

MD5
fa7b7f70612d419e27e9320c3c261839

SHA1
c01786b08ef65f7586be76b76db4aaa998d77a10

SHA256
e9039f97ae1ebf578f40b452592b6e38cf8bc88d79ee0da99f25f8d23bcaa372

SHA512
29550aa6658bfebcc3d6272501b61a7be724f893bee6789d29c6a36ba85c99882b1ceb91458a9b02ca7b99a61766aa533a664ca5ad819001961f3bb67cbdd2dc

Download Submit
C:\Windows\SysWOW64\Hmpcbhji.exe

Filesize
96KB

MD5
7a93f84a5a0ae050e56468ac265999b1

SHA1
030afc763c1f4b51a1736fbec1bcd3fe52909812

SHA256
b080089850f6be764ffee263f70f733cdae4d9b9f6b6525bc365f1df8545e51d

SHA512
f36bc83a57ca59973b2ab472e06b80ef30764b19f73df505aea890546efb41cd215c68694b370002fdc2c0260d6e3b6e6f6f5c6b38dfafb853c43174efa10a94

Download Submit
C:\Windows\SysWOW64\Hpchib32.exe

Filesize
96KB

MD5
110b5e4e2d51abe86edd712ebee74add

SHA1
2f9b57fcdf9c6f2bc73e868fb610d285edd91488

SHA256
3737561f7e2a2dc222813a5981ead2c914ee15f7e8587c909b437467cbf24fc0

SHA512
2d5ddd9e61681006000d1dc3f2431f2c9785d9d82d8bfe55300fb71f9c705905ff689151fbb2189970882ef2465af0f15ed1f0f2e1ff616cb6c8b311eb36c765

Download Submit
C:\Windows\SysWOW64\Imgicgca.exe

Filesize
96KB

MD5
e5f14deed5e16d854dd9cd7739a52425

SHA1
c5a4ddcd06e460e7b8ceb5539793d566c8383235

SHA256
968ab5e2749a6277d2dffa56a80b260b78e7c107f582ac1f2d6d4a3da7e1c683

SHA512
7fcb201bf96a048bab2256f5f5902b9ed1254be04a9d3d59c06d470991295bd7c40061ab8cbacd9e2b7953d82ef182c7196d08e21f55f766611bb8bbf4e583b7

Download Submit
C:\Windows\SysWOW64\Imkbnf32.exe

Filesize
96KB

MD5
0dfe92191849a5676a5afad197cef766

SHA1
84b140d406c4f290f39a53ca7ff85e37103e6825

SHA256
f4386450304c5312d1a0b3daf61ae572fbacc091dc2e6ac9901699f75994b3a7

SHA512
4b024e980d44dd64543bdd63ebff9b113c795806fe455bacb2c3295c7b1f4e6726a6ddf7db86d5acce5e8af7b902b5ee07036eaf058dbea9a761e7d155caf302

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe

Filesize
96KB

MD5
33f99f4b749ebc00c788511bd0d5696d

SHA1
bb758881ce27db3d8ead72e5d7540020c4321f25

SHA256
5cb1d433a7fb51fffdae3480c5bc1bda9675b22ca234fb64d113af1f0d35a3b0

SHA512
4baafa932ae73b707671b26df8d4dfbb9f353657603d471aaeeaf5bb0a63d0ff53a7ac5ff5aa442d53abb2564e60c78d558269daa4ee70ec05ad84635b7505b0

Download Submit
C:\Windows\SysWOW64\Lakfeodm.exe

Filesize
96KB

MD5
e92f5e328763602c896e5ccc530cc58b

SHA1
5d5ea9f98edb66ad54ec52145356ac8c8ae8a8ca

SHA256
4699039e53eeff3b3f58e3f1a71daa9011c7f959b28b6b82b0be3d126aed8cef

SHA512
f8370bc8408813072dbf61cc7ce24147c6a67a250092f965d6193a23dca6e99777a3cbd899fae3c16ef8d9b7d4f7111c9e1935193edf816031925b19af52890f

Download Submit
C:\Windows\SysWOW64\Ljhnlb32.exe

Filesize
96KB

MD5
a537b937ce78fce4c00cf814c010a1a7

SHA1
06ba51f832161a22a50092c0c024589552f3434e

SHA256
5242f4fa279863a60c87e77b5703999c84fe05cd72a50c1c5d677dc6412ad9b7

SHA512
a49c3568728d63625b7f86553d272e7fccc93f7c9c0f1fd0da76fd47867b4aae391bf7a72b1ee2595238b69252d59585ba2a1853a747a37060874adb58a9b2d6

Download Submit
C:\Windows\SysWOW64\Lmdnbn32.exe

Filesize
96KB

MD5
55f7e6bbcbe911caba2e95c35c37f950

SHA1
bec34ba3de8544b0c8c27ba9eea25d79b5047476

SHA256
73f9024dcf2dafd7e3b86f99aad0ed4a72bafe4b95ceeff89fea312cb19c4fa9

SHA512
630da4eed3083628203a5c53d41ad6fa08c715efcb00429160fa7ffdf8750480ca8cc46d4df7ce1a0a1b0b9f6e3d0fd66b8c8c39c41174552183fe8ee48b86bf

Download Submit
C:\Windows\SysWOW64\Mcifkf32.exe

Filesize
96KB

MD5
5df3c26e4a9d6fad25a57a3ae99677a8

SHA1
96ad667bccdbb3a655844b6edbc7fe027db6aa5d

SHA256
dde6d2d834141c42a9d753725d0c146845e52712ef6be256790d58dcc0f058be

SHA512
f8c6afe89fe9b519c8049506c87aae134a77e63a9204860a74a90db1076f9778255e2ce00f8d1191d7844e0c2de180f53a0dfc7d56f937a634de1bf833ac1ac3

Download Submit
C:\Windows\SysWOW64\Nblolm32.exe

Filesize
96KB

MD5
f4ca5c64be474e891f2954bac421cd78

SHA1
2abc0eecdca455ce12d80104b0dfc5a7446b9ced

SHA256
8c49d2cacb5633a3a30f17bcc4232c906914e4ac1746d8e3dcfdef48ede13ecf

SHA512
7d8fffe67af8ed9c780d915027a0d186d590a23db47e80da4284b26a84ca19a50285cbbf204fdda463648d02a033f6c931c293f8be39363808beb7dffcdcd0a6

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe

Filesize
96KB

MD5
c87d237ce2c1c466e8d037f09f8043fc

SHA1
ba47f0da126a6ef21e4fd3143654803698468577

SHA256
f49269a2f2d406bd7475775b991856ec7387b24e60dc511e4e965e9b3b5b3df1

SHA512
b5043e96d0e769e7d32746e4bd25c85b58f0c38aa076082fac0478d7a822ad8450123f6ff8b9ef60f8ede0ddd9f328636c6cbefb1e34b9276c19c3db2af971b1

Download Submit
C:\Windows\SysWOW64\Npbceggm.exe

Filesize
96KB

MD5
f7b626ef6a23535f31594aaf7f2f25a0

SHA1
ee90fd58a2c05323c50bbb52d67c457b3f48877e

SHA256
456ce1dd65cd4892da8bd233ab696354caed7bf0c3227921eea9589b6a670d9c

SHA512
590b3634a280094e8ce780f6cfe3506607e38d4978ed8fb4564904f2ad32af21c21c34b9519338f694423a9dbff8146f3952a022675b21a2bef7b808c33b3fe1

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
96KB

MD5
fb2329ee9c69c1632ded6e4837feadd5

SHA1
28a05c1291ceab27f389c0673f9a42ac7df94e3a

SHA256
401d5b7aa7e7f71d4988bca0fe130b7d9a5359e27c3741f25873cea2c50d4e78

SHA512
81f78985bcff5e5294609a7ff796147e1e94c5d426ce8a6c7f6fd30ea9323d5ae45adc96686174f3712cd4318dcfa662bd2d0ef3400e53dbc004b7b9cc42d780

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
96KB

MD5
82ad455443a1e4f08fb7ecb9619bbb92

SHA1
5c357f4f19235bd58b30eef2c147fbd4b8a5d410

SHA256
d84045419a215c43515bb728ad9f48a0ddb683cd71a732ea65dda700e4072185

SHA512
f48f56acfd1b9761c1ac10e5f2941ad299c47bbd68f22811d1b8509cc2570b238fec41fe361db34fc0f76bedc8207154d2ad05165c314dd46067aef49bd2fdbd

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
96KB

MD5
b4cf7267ef6a52b15a66d9c4935cfedc

SHA1
9db039c89b187d330b24f783ddf97a9e4ef48d59

SHA256
4c904a817cba4524ab6f5c756d851c24818f49773ea0ade469e88cc760dd743c

SHA512
75b6ef92493dd86c191159bf64c137c139767acca103fa8e4329b4e7b0bbb7d99c8ec1f8c9affdf535471e314c55b5cebc62dcb28caf1e4137a4b8752efba8d2

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
96KB

MD5
1d43154df0937ca5dbd8691fc0044f80

SHA1
db1859c4d550ae516434ff6a234a8a2e40d55178

SHA256
40a539f6e84447edaf098c8e636045fc078b63bfb9c4f6503207fc5a4afb9526

SHA512
64e34256fbd66bfa9b3802bd7cc91ae4beaab738fa9f1e8d009d5116dba27dc9c9f6dfd86cec0cfad2e79e0f8f32b3cc21ddc0b874c9249f63f6f97a56361055

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
96KB

MD5
502da340017689809ae7943a0de7fcd4

SHA1
9e502039e1b6e7a6eead7da42ac8e3b6ecbe4271

SHA256
e07582f77edcc92c0c2125aea81cb535e6b5cb08e162c70488bf2b3e039b4e3a

SHA512
3ae16d9c7b9351e99b4f69451ce62e238ded32f8507ac30b87622bdda004c6b2b684307b05708533ac797470ed96690d3dc64e0d7583c3c894593094a25deee4

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
96KB

MD5
b603338384e72fb24d2eb8c853974433

SHA1
0e93aaa35f5b2eb0c01d52b45f79cbcceca4a789

SHA256
4c0d5cedc3e39d7a3a917db19d7f06bec1d8c7c48c87714209187afe101d32cb

SHA512
6454e528e7a4f5af773cdb44bee9ee3037b782d1cfffec21ec3090a793761c353f884f304436be7c001050473f119c3333550dd4e4eb17d4d00ee2e3319d70ce

Download Submit
C:\Windows\SysWOW64\Omgmeigd.exe

Filesize
96KB

MD5
d6fdab10c14851fe7e16d2f7473a680d

SHA1
0893a626cec307d62e7acc264f8720f2f70425fe

SHA256
3138c6ad9774d5dc8177456e8d07256f226ef6a4173c5f69004620b36318aa3b

SHA512
f480caedcff0ab1a40da4223580186bf1d53e4333f8d9b2805bb34a5b7bd0dd670304bbc6622a1c78e6d420563322c51a857e8842a3529fe666d37ec1c4d6e37

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
96KB

MD5
affe29035a57f7516b3aebf28efc392b

SHA1
97812921038b03cb7655f7dae0eca24a8847fc39

SHA256
e5f48645b6dc0d1013cab3d25b0f1c25f7a9702d848a60ba73c7befb91cd319b

SHA512
71908f474fd1869a098760693fe9bd75146ee090ae1d1164368ebd09d1974fbac1a7639af552c934adaffe736636513e6fbccb8532015b2692d47d0582dc0727

Download Submit
C:\Windows\SysWOW64\Pcgdhkem.exe

Filesize
96KB

MD5
7ac65a02635f8a8ef6b6c33713cdf7bf

SHA1
ac524738c083ca169040a3c117df686686125616

SHA256
3fc1808fcc42eb8f7dbe54e740d0007b4d69e27c44922580820db9a1c8fc98b6

SHA512
711cf0c4fbb86ce0a0e84f91bef9998e14fd54c4a1de7f6c14efe1f41d2321c6201b7fe3dccf2213a67d2424190a528f2c895bfd1336fd0e71c16282da3aa6cf

Download Submit
C:\Windows\SysWOW64\Pfhmjf32.exe

Filesize
96KB

MD5
d41af4102551031c92eba13f07f0a9db

SHA1
4a6bed2f1b4e9610603a908a0fad156608c962ca

SHA256
7726c333177ef6751c64ef44d1ad5360d558b8799e901f98f4edef3f838a1fbc

SHA512
97b2c8cd166217aa84e9aaa80716ba6e5cbba88cd9d32cf623179212c6242b7092040d61ebf45491fe2a7636ac3b737e5fc31f730a3ada3c4e30130874d25d56

Download Submit
C:\Windows\SysWOW64\Pjbcplpe.exe

Filesize
96KB

MD5
7e86b413bf51c8b8b9ab11e6772c7401

SHA1
209d6383b8600c39c2d7093eebd27fa15ac7b8cb

SHA256
de4dae9d93a294b5140e5ab05ddefe7db18a1c389a35cf22c03de0318cd9d6db

SHA512
1d325df32615f8cc17aa728a70ebbfd4b7e658a48f44f36158f906cb042a2e1b8944d30bc509bf6a2c1b5c4eac88bd44d8ab924f7a581f8170c4fa6dfeb49211

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
96KB

MD5
c5fdabdf935484b7f2f5c54bc08a56e5

SHA1
2526b13c2c1d56306d49a558d5411eef5b4986b0

SHA256
040e5a4d9455f2a4c9c94bc5e20c66557af2a1475f35f7bf66bfc954ea13b464

SHA512
79a5c06dbdc6902000a6a835250449207252691ec8dc536bc5671f9fdb478ff0e1d387e3ebc505e19f0a15f5339cda260b87cb17cb75f23fc8721224fd985607

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
96KB

MD5
ecc67dde44cd7efcc25721b51626fe13

SHA1
85db89d81d35586e5d143712adf27544ce7f18a3

SHA256
02db3b45d2a71318be857c8ad92f355e9f32c464453c2e73a69af3a1a3424951

SHA512
3fed2d951e8d357baba78cded9f65321c137b379d534b8189b25f596b7207338042acab2180ad458a7162f93b17907e30f8f8fddbea0737b45f307f3bee468c5

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
96KB

MD5
7acd2336a9ac270aa27c587971891dda

SHA1
c555c3e7f657ef0e81ab6a429ea38965faa37978

SHA256
f21adb321f10c4da0600d92db15b9c9bdafa6ca41b100b1569c3532cb3b50bbb

SHA512
6eb2dc473fea0bea6492e56ea8e6e4c25a6db64d4ba0b588cea7fef19239ab6209077c036845b3c03d64c20d8a1aab12ade47b37ef30776647cd701c7b33967d

Download Submit
C:\Windows\SysWOW64\Qfmfefni.exe

Filesize
96KB

MD5
092ee2972838c7a6a0665f31e7482333

SHA1
d1cf1788ff0b2e0951dd59bd097113359475a38c

SHA256
f59909a77971ae65ad7ab4e3d11411b558ea3bcc23de3eaf36ed251235ee00a8

SHA512
30adb9ea9b9a0ac97391435d92fd862bb9b5ebb575b55855c8657c6427a7307ecb6cdc3a8fa1879346c1af9c9a3bdb2a4894fe2ac166d021fd593b80efe77e8e

Download Submit
C:\Windows\SysWOW64\Qmeigg32.exe

Filesize
96KB

MD5
e02b2c0011de1cd1f98cfa007867461e

SHA1
5edc7e951efcea00de5326a4cc30cbc9db06366f

SHA256
beee0a04228c2b17592d40d21bd99e6a44f824b671bea5c99d50e5a978ecef50

SHA512
150189e13fbc99c9ea960461c22a33d7964f630e540e4df638d1ab613d2c3d28d42e38fc88c8630abb9fe1242476245f5164e7561d6d387ad247d8fb812095d4

Download Submit
memory/100-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/408-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/496-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/628-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1092-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1096-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1128-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1260-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1272-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1704-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1728-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1804-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1984-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2040-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2460-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2520-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2568-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2568-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2804-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2864-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3088-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3116-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3384-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3396-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3428-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3460-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3480-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3492-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3492-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-548-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3632-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3780-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3856-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3856-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3892-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3952-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4048-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4236-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4252-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4284-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4332-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4380-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4612-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4640-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4684-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4688-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4688-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4716-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4728-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4808-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4884-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4928-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4936-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5044-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5068-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5140-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5192-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5232-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5276-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5316-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5356-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5396-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5436-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5480-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5520-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5568-549-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5620-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5684-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5732-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5776-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5820-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5864-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5908-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads