12d28cacb07a779a6eb94479fffc6fb4bde8d8111f96e70df836c9a427aba83d

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1501719336ad94255953105179ff930_NeikiAnalytics.exe
Size

318KB
MD5

a1501719336ad94255953105179ff930
SHA1

f821975867bbf0c1691fd4bfcdfe5f5c937fea81
SHA256

12d28cacb07a779a6eb94479fffc6fb4bde8d8111f96e70df836c9a427aba83d
SHA512

18bb04badad2606bc8b06e2c29ae978e4bf13664babd30798d40ef48f8b87f404f85623029b5c7d31b4826492bc7a3eb22a31745588deada2c381dc3c6180365
SSDEEP

6144:H6TgSy3LRVEQHdMcm4FmowdHoS7c5cm4FmowdHoSrNF9xRVEQHd4:H6TgbO4wFHoS04wFHoSrZx8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imkbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcmmhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpioin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hemmac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gflhoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iliinc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbmohmoh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkknmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebifmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbpchb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiipmhmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfagighf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glkmmefl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlbcnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkbdmbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a1501719336ad94255953105179ff930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofegni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joahqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kofkbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaebef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jokkgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllhpkfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fndpmndl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipdndloi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepleocn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glkmmefl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ondljl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmojkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpiqfima.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbepme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbnajqc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhoeb32.exe

Executes dropped EXE 64 IoCs

pid	Process
4340	Dkhnjk32.exe
4428	Emmdom32.exe
3356	Ekdnei32.exe
3304	Fbpchb32.exe
3852	Fnipbc32.exe
1112	Fbgihaji.exe
4708	Gmojkj32.exe
4696	Gfjkjo32.exe
820	Gflhoo32.exe
4460	Glkmmefl.exe
1000	Hlnjbedi.exe
1952	Hlpfhe32.exe
3596	Hlbcnd32.exe
3844	Hiipmhmk.exe
4084	Iliinc32.exe
2124	Iinjhh32.exe
3556	Imkbnf32.exe
1348	Iibccgep.exe
1232	Joahqn32.exe
4896	Jepjhg32.exe
3512	Jokkgl32.exe
3352	Kegpifod.exe
4612	Kjeiodek.exe
224	Kcmmhj32.exe
2576	Kofkbk32.exe
4384	Kngkqbgl.exe
1312	Lcgpni32.exe
4720	Ljceqb32.exe
1108	Lnangaoa.exe
2188	Lflbkcll.exe
4768	Mjlhgaqp.exe
4064	Mnjqmpgg.exe
4760	Nmbjcljl.exe
1864	Ncnofeof.exe
3476	Nadleilm.exe
1816	Nnhmnn32.exe
4176	Ogcnmc32.exe
1484	Ojdgnn32.exe
1780	Omdppiif.exe
4364	Ondljl32.exe
1528	Phonha32.exe
1948	Ppjbmc32.exe
2108	Pffgom32.exe
3172	Phfcipoo.exe
4636	Qobhkjdi.exe
1600	Qpeahb32.exe
4308	Aaenbd32.exe
2732	Aoioli32.exe
1036	Ahdpjn32.exe
2076	Aaldccip.exe
2380	Bgkiaj32.exe
732	Bdojjo32.exe
2272	Bklomh32.exe
3552	Bkphhgfc.exe
2984	Chdialdl.exe
2248	Cdkifmjq.exe
3108	Chiblk32.exe
1624	Coegoe32.exe
1956	Cgqlcg32.exe
4596	Dgcihgaj.exe
4860	Ddgibkpc.exe
2860	Dqnjgl32.exe
2064	Dbocfo32.exe
3004	Enfckp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Omdppiif.exe
File opened for modification	C:\Windows\SysWOW64\Dkhnjk32.exe	a1501719336ad94255953105179ff930_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Iinjhh32.exe	Iliinc32.exe
File created	C:\Windows\SysWOW64\Nkbjmj32.dll	Kegpifod.exe
File created	C:\Windows\SysWOW64\Cfiedd32.dll	Kcmmhj32.exe
File opened for modification	C:\Windows\SysWOW64\Iefphb32.exe	Ibegfglj.exe
File opened for modification	C:\Windows\SysWOW64\Jllhpkfk.exe	Jlikkkhn.exe
File opened for modification	C:\Windows\SysWOW64\Mhjhmhhd.exe	Lcmodajm.exe
File created	C:\Windows\SysWOW64\Jlikkkhn.exe	Jhkbdmbg.exe
File created	C:\Windows\SysWOW64\Npldbgic.dll	Lflbkcll.exe
File created	C:\Windows\SysWOW64\Gabfbmnl.dll	Mjlhgaqp.exe
File opened for modification	C:\Windows\SysWOW64\Jhkbdmbg.exe	Jppnpjel.exe
File created	C:\Windows\SysWOW64\Ohlemeao.dll	Jppnpjel.exe
File created	C:\Windows\SysWOW64\Mmdaih32.dll	Kocgbend.exe
File created	C:\Windows\SysWOW64\Lcgpni32.exe	Kngkqbgl.exe
File created	C:\Windows\SysWOW64\Fpmfmgnc.dll	Ebifmm32.exe
File created	C:\Windows\SysWOW64\Dmcnoekk.dll	Iibccgep.exe
File created	C:\Windows\SysWOW64\Hemikcpm.dll	Kofkbk32.exe
File created	C:\Windows\SysWOW64\Lnangaoa.exe	Ljceqb32.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Ppnenlka.exe
File opened for modification	C:\Windows\SysWOW64\Bdojjo32.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Mhjhmhhd.exe	Lcmodajm.exe
File created	C:\Windows\SysWOW64\Pencqe32.dll	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Jbepme32.exe	Jllhpkfk.exe
File created	C:\Windows\SysWOW64\Kpiqfima.exe	Jbepme32.exe
File opened for modification	C:\Windows\SysWOW64\Ppnenlka.exe	Pcgdhkem.exe
File opened for modification	C:\Windows\SysWOW64\Nmjfodne.exe	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Kofkbk32.exe	Kcmmhj32.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Ghfedh32.dll	Fqeioiam.exe
File created	C:\Windows\SysWOW64\Ffdihjbp.dll	Hemmac32.exe
File created	C:\Windows\SysWOW64\Odibfg32.dll	Pbcncibp.exe
File created	C:\Windows\SysWOW64\Ghjnkpdc.dll	Gfjkjo32.exe
File opened for modification	C:\Windows\SysWOW64\Ibegfglj.exe	Ipdndloi.exe
File created	C:\Windows\SysWOW64\Eeeaodnk.dll	Ledepn32.exe
File created	C:\Windows\SysWOW64\Mjidgkog.exe	Mcoljagj.exe
File opened for modification	C:\Windows\SysWOW64\Kngkqbgl.exe	Kofkbk32.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Coegoe32.exe	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Lpepbgbd.exe	Lepleocn.exe
File opened for modification	C:\Windows\SysWOW64\Bklomh32.exe	Bdojjo32.exe
File opened for modification	C:\Windows\SysWOW64\Dbocfo32.exe	Dqnjgl32.exe
File created	C:\Windows\SysWOW64\Llnnmhfe.exe	Ledepn32.exe
File opened for modification	C:\Windows\SysWOW64\Lakfeodm.exe	Llnnmhfe.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Ppnenlka.exe
File opened for modification	C:\Windows\SysWOW64\Nmbjcljl.exe	Mnjqmpgg.exe
File created	C:\Windows\SysWOW64\Jhkbdmbg.exe	Jppnpjel.exe
File created	C:\Windows\SysWOW64\Anafep32.dll	Mcoljagj.exe
File opened for modification	C:\Windows\SysWOW64\Aaenbd32.exe	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Ceknlgnl.dll	Glhimp32.exe
File created	C:\Windows\SysWOW64\Hpmhdmea.exe	Hpkknmgd.exe
File created	C:\Windows\SysWOW64\Hlnjbedi.exe	Glkmmefl.exe
File created	C:\Windows\SysWOW64\Joahqn32.exe	Iibccgep.exe
File opened for modification	C:\Windows\SysWOW64\Enfckp32.exe	Dbocfo32.exe
File created	C:\Windows\SysWOW64\Nlbkmokh.dll	Egaejeej.exe
File opened for modification	C:\Windows\SysWOW64\Hpkknmgd.exe	Hpioin32.exe
File created	C:\Windows\SysWOW64\Hlqeenhm.dll	Kpiqfima.exe
File created	C:\Windows\SysWOW64\Dndfnlpc.dll	Oblhcj32.exe
File opened for modification	C:\Windows\SysWOW64\Hlpfhe32.exe	Hlnjbedi.exe
File created	C:\Windows\SysWOW64\Ibegfglj.exe	Ipdndloi.exe
File opened for modification	C:\Windows\SysWOW64\Mjidgkog.exe	Mcoljagj.exe
File opened for modification	C:\Windows\SysWOW64\Mcdeeq32.exe	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Ndnljbeg.dll	Lcgpni32.exe
File opened for modification	C:\Windows\SysWOW64\Ipdndloi.exe	Iacngdgj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6520	6424	WerFault.exe	229

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdbmgdb.dll"	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgjnl32.dll"	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlbcnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hemmac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpikki32.dll"	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcmmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdaih32.dll"	Kocgbend.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnipbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kngkqbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceknlgnl.dll"	Glhimp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iibccgep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqncnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqncnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fohfbpgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqcmdnk.dll"	Hlpfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enfckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npldbgic.dll"	Lflbkcll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a1501719336ad94255953105179ff930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmmqg32.dll"	Emmdom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjpkd32.dll"	Fofilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmdohhp.dll"	Klbnajqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfjkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnljbeg.dll"	Lcgpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lflbkcll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqjbddpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emmdom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjeiodek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbaa32.dll"	Lakfeodm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a1501719336ad94255953105179ff930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccopc32.dll"	Hlbcnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kngkqbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbnlaldg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbikhdcm.dll"	Ondljl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbocfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlemeao.dll"	Jppnpjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknjec32.dll"	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildolk32.dll"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fegbnohh.dll"	Ljdkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahcld32.dll"	Imkbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqpnq32.dll"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqeioiam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinjhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iibccgep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phonha32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 4340	412	a1501719336ad94255953105179ff930_NeikiAnalytics.exe	90
PID 412 wrote to memory of 4340	412	a1501719336ad94255953105179ff930_NeikiAnalytics.exe	90
PID 412 wrote to memory of 4340	412	a1501719336ad94255953105179ff930_NeikiAnalytics.exe	90
PID 4340 wrote to memory of 4428	4340	Dkhnjk32.exe	91
PID 4340 wrote to memory of 4428	4340	Dkhnjk32.exe	91
PID 4340 wrote to memory of 4428	4340	Dkhnjk32.exe	91
PID 4428 wrote to memory of 3356	4428	Emmdom32.exe	92
PID 4428 wrote to memory of 3356	4428	Emmdom32.exe	92
PID 4428 wrote to memory of 3356	4428	Emmdom32.exe	92
PID 3356 wrote to memory of 3304	3356	Ekdnei32.exe	93
PID 3356 wrote to memory of 3304	3356	Ekdnei32.exe	93
PID 3356 wrote to memory of 3304	3356	Ekdnei32.exe	93
PID 3304 wrote to memory of 3852	3304	Fbpchb32.exe	94
PID 3304 wrote to memory of 3852	3304	Fbpchb32.exe	94
PID 3304 wrote to memory of 3852	3304	Fbpchb32.exe	94
PID 3852 wrote to memory of 1112	3852	Fnipbc32.exe	95
PID 3852 wrote to memory of 1112	3852	Fnipbc32.exe	95
PID 3852 wrote to memory of 1112	3852	Fnipbc32.exe	95
PID 1112 wrote to memory of 4708	1112	Fbgihaji.exe	96
PID 1112 wrote to memory of 4708	1112	Fbgihaji.exe	96
PID 1112 wrote to memory of 4708	1112	Fbgihaji.exe	96
PID 4708 wrote to memory of 4696	4708	Gmojkj32.exe	97
PID 4708 wrote to memory of 4696	4708	Gmojkj32.exe	97
PID 4708 wrote to memory of 4696	4708	Gmojkj32.exe	97
PID 4696 wrote to memory of 820	4696	Gfjkjo32.exe	98
PID 4696 wrote to memory of 820	4696	Gfjkjo32.exe	98
PID 4696 wrote to memory of 820	4696	Gfjkjo32.exe	98
PID 820 wrote to memory of 4460	820	Gflhoo32.exe	99
PID 820 wrote to memory of 4460	820	Gflhoo32.exe	99
PID 820 wrote to memory of 4460	820	Gflhoo32.exe	99
PID 4460 wrote to memory of 1000	4460	Glkmmefl.exe	100
PID 4460 wrote to memory of 1000	4460	Glkmmefl.exe	100
PID 4460 wrote to memory of 1000	4460	Glkmmefl.exe	100
PID 1000 wrote to memory of 1952	1000	Hlnjbedi.exe	101
PID 1000 wrote to memory of 1952	1000	Hlnjbedi.exe	101
PID 1000 wrote to memory of 1952	1000	Hlnjbedi.exe	101
PID 1952 wrote to memory of 3596	1952	Hlpfhe32.exe	102
PID 1952 wrote to memory of 3596	1952	Hlpfhe32.exe	102
PID 1952 wrote to memory of 3596	1952	Hlpfhe32.exe	102
PID 3596 wrote to memory of 3844	3596	Hlbcnd32.exe	103
PID 3596 wrote to memory of 3844	3596	Hlbcnd32.exe	103
PID 3596 wrote to memory of 3844	3596	Hlbcnd32.exe	103
PID 3844 wrote to memory of 4084	3844	Hiipmhmk.exe	104
PID 3844 wrote to memory of 4084	3844	Hiipmhmk.exe	104
PID 3844 wrote to memory of 4084	3844	Hiipmhmk.exe	104
PID 4084 wrote to memory of 2124	4084	Iliinc32.exe	105
PID 4084 wrote to memory of 2124	4084	Iliinc32.exe	105
PID 4084 wrote to memory of 2124	4084	Iliinc32.exe	105
PID 2124 wrote to memory of 3556	2124	Iinjhh32.exe	106
PID 2124 wrote to memory of 3556	2124	Iinjhh32.exe	106
PID 2124 wrote to memory of 3556	2124	Iinjhh32.exe	106
PID 3556 wrote to memory of 1348	3556	Imkbnf32.exe	107
PID 3556 wrote to memory of 1348	3556	Imkbnf32.exe	107
PID 3556 wrote to memory of 1348	3556	Imkbnf32.exe	107
PID 1348 wrote to memory of 1232	1348	Iibccgep.exe	108
PID 1348 wrote to memory of 1232	1348	Iibccgep.exe	108
PID 1348 wrote to memory of 1232	1348	Iibccgep.exe	108
PID 1232 wrote to memory of 4896	1232	Joahqn32.exe	109
PID 1232 wrote to memory of 4896	1232	Joahqn32.exe	109
PID 1232 wrote to memory of 4896	1232	Joahqn32.exe	109
PID 4896 wrote to memory of 3512	4896	Jepjhg32.exe	110
PID 4896 wrote to memory of 3512	4896	Jepjhg32.exe	110
PID 4896 wrote to memory of 3512	4896	Jepjhg32.exe	110
PID 3512 wrote to memory of 3352	3512	Jokkgl32.exe	111

C:\Users\Admin\AppData\Local\Temp\a1501719336ad94255953105179ff930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a1501719336ad94255953105179ff930_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\SysWOW64\Dkhnjk32.exe
  C:\Windows\system32\Dkhnjk32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\SysWOW64\Emmdom32.exe
    C:\Windows\system32\Emmdom32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\SysWOW64\Ekdnei32.exe
      C:\Windows\system32\Ekdnei32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3304
      - C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Iinjhh32.exe
        
        C:\Windows\system32\Iinjhh32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3352
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        36⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        37⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        38⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1780
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        45⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        46⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        49⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        50⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        55⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        59⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        61⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Enfckp32.exe
        
        C:\Windows\system32\Enfckp32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        66⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        67⤵
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        68⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        70⤵
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2368
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5032
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        74⤵
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        75⤵
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2848
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        80⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        82⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        84⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        85⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        86⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        103⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        104⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        105⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        108⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        109⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        111⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        112⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        114⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        115⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        116⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        117⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        120⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        121⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        124⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        125⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        126⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        127⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        129⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        130⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        132⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        133⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        135⤵
        Drops file in System32 directory
        
        PID:6384
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        136⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 400
        137⤵
        Program crash
        
        PID:6520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6424 -ip 6424
1⤵
PID:6492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:5900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aoioli32.exe

Filesize
318KB

MD5
c2b98afb613984b1705e25dcd9a9ff08

SHA1
9e72c0398189307255544b482954f530531f03e4

SHA256
98b4621f604742205c6b9c9a798ef47d391008ea673aa25e91ebd4f68c92aca9

SHA512
d1b0dae53f35b0bd320764251425d28d508083c28e91dcc0ae173e988dd0429f117027e59f9d7e197ab220aa2d09c866b97e22f1fbbaabb5a0dbb45d9a34dbd6

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
318KB

MD5
50684dbaf9bbf77348b0f734d8287377

SHA1
0619f34de5a978508a99d119039fb07c7f1cdd5f

SHA256
bb59755714c1d6539d6cddf568d05703d33bf58f2e694a2d1cd7dd54c1a9a430

SHA512
44316dfb2689022e71faf5bb0ae5a5ff92b73bfa314a6e884bd91b1e07886601279cd0b39c70459ad56fd5ee5380c6ca5ed9fbf4531019843180a925ff7227b8

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
318KB

MD5
7c2e84a4283c9b863924f0cd835d742d

SHA1
280b0d96f7ba26d4da17b564d1534e82dde129a7

SHA256
c2ec3c494d6b6f53879770a52109d5295ce8ed3e22b2e271b28d71dc94d68bc8

SHA512
ec0d67a4673215984b71f9eb53bee09f1486735adae84141b72ecc2f62000ab9818aa6f430bc0e48468a9fcceb1666ab4bf0ac06382f097f9f343dd0156353e4

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
318KB

MD5
805abdb5e182f722fbb076a0d59f3d40

SHA1
e6bc2e6f950531a2ce5254a81c5ccc0c2ab8b7d2

SHA256
f91f8d4f7c31aafe11078481b05b452c4cfa8c3eab3df94aea07efa8a69aac1c

SHA512
52e667d16daaebdfbfd154a0cf9f476207d950ec42d9d76c59ad5f1c0bb27394cf30997bd3faab975e58824fc12a1f5973da2b53270a54f2e38a22306a30063b

Download Submit
C:\Windows\SysWOW64\Dqnjgl32.exe

Filesize
318KB

MD5
3bf5cfdda95830dd0a77f8341f00e6e8

SHA1
c2df8a0eb71292a7ae01317b0762f94cac302ead

SHA256
54cc96003b381a818fec57fafcfea4dd5ba2335f3a508c0bf4c2befe004ab8fd

SHA512
0cb29dc9f98dde167280308bfa395551c63e6ee623eebbeb144e4d9750eda2e1c0b00e1c81c7aaefe41c3bbe86c783c21f49bebf9c3a54d8235db71e6ca6d9f2

Download Submit
C:\Windows\SysWOW64\Ekdnei32.exe

Filesize
318KB

MD5
ff6a6beb768a4b955cc74a0e67b7e2b1

SHA1
03095e7cc52b9ce77ef3d42d0503bb8cd5bc7a53

SHA256
bdca9bbf8eb8adab2f4eb44b638e68b0e2f2c95ebf1be278b1596b9502292716

SHA512
e5501be99fb34cd00c3039e1a3dcf86802f38fabf8d2b857223e2502cde62dbf2e830c3cbbbecd232f3b1614582d741a578b4b2dd45d05f22fe237607889aec6

Download Submit
C:\Windows\SysWOW64\Emmdom32.exe

Filesize
318KB

MD5
592ee57e8d4cf8223719ca5c464eae05

SHA1
e40d3c5ec659661f3af689cd225f7b177dfc97a5

SHA256
888b7d924e6fca389975fb5d2cb63cfdff78e5e761d7b2c624f261d95a71296f

SHA512
5ec39f593783e7caccc166546af2ce5303c257a5b262a10f137537df1a63dbd665dec48505c13f698870159f421bc9e52a07a81e000a4b7a3890702cd2bc3937

Download Submit
C:\Windows\SysWOW64\Fbgihaji.exe

Filesize
318KB

MD5
740b0c3a36a09f96f4e13efb7059c47e

SHA1
d6694cbce0e896284bb188ac204c4c90274cdb1a

SHA256
6dd71516e8e246fb278afcae5482962fde5d39e8439461813ad5058e7a6249c3

SHA512
2febe825b28b5c329ac3fac42f73f1016cea826bad57f9c8cf7f218bca3b3ecab3b07d09e8b9191b5a2c2fc6e5d50ca640ecb0ee98cb5098fd5db3354477134a

Download Submit
C:\Windows\SysWOW64\Fbpchb32.exe

Filesize
318KB

MD5
521c887436ea8de866b21f5c1b1674d3

SHA1
859f12d1846a53ebf34dc09f6529404fb78c7a7f

SHA256
3402c407123a1db32c76f78cfc9cd30c6b31e6f863e2746dc26ceb87cd68902a

SHA512
b6a2d865b11e45c43aec9e48076d6346edf9c31e28daa844db72f109aa2441cbbeae625ce99e41df3deb5dd5e1b7206a0058615144e46dc98709f8556d8f2b8d

Download Submit
C:\Windows\SysWOW64\Fndpmndl.exe

Filesize
318KB

MD5
3fabc53764adefeed16ad9042702ea8c

SHA1
694b122288f71f773325aee7781818ed2e01cf48

SHA256
e676e9b2db3ef00b0cf54672de374ff08aac3ea4bbdac46a3e0441f29008ca6d

SHA512
265f24457f0c7fef59abf4af108c382a595259daeb2efe1219d23c3759408783ae7a6a309b5a82712070c94a66cd19171bfcc09da6a166973a5f45ae1c38f134

Download Submit
C:\Windows\SysWOW64\Fnipbc32.exe

Filesize
318KB

MD5
59a9ab27cf2cb7a43787ed2119075a95

SHA1
28956495dce7bf35986ae59b985e6533c50eaf3e

SHA256
35b1305d0b962fd3345bb2a5e819a5a13b85649b37ce9f994e5cafdee6ecee14

SHA512
cf0c954a29655aad36355c619564f6840d6d7e8df25f23de9093e5f3a9c9dd5dc26cec95827b4c2f21d942d928037852d844845b01fda5bbca08f1fd891a101e

Download Submit
C:\Windows\SysWOW64\Gfjkjo32.exe

Filesize
318KB

MD5
6ce65a1851b21c16ab2f420d50d46d5e

SHA1
60686d355582a1c82bf46078f197943e1fa1c192

SHA256
b42fe2aea2d09cee499ff169978e73fbc135eb1965bf1ed4243474f31ee4cde3

SHA512
47146a30bc929b065ab279e229f1de946e874bc2aa875ebfe30b5a8b93050c71ebb30fa7c73952b77c6e09af581e703eb17e2569291f6dedd578218a97a5c16f

Download Submit
C:\Windows\SysWOW64\Gflhoo32.exe

Filesize
318KB

MD5
6cbf56a6006b58d5abcba790594dfb3d

SHA1
625e80a9634024964407af4593fc7bda8a1f8fd8

SHA256
d14eaccdebd9b4a7cf616666fa42ce3cb5ebd93a923bf0f602def332553dc13e

SHA512
71b1a21682f836fee94e52e920df9f9f801e6efb4ccbfbaa32212df961a5c36abeae7a6355a5f9f293c4a77a806dd45c9e75308319c7e2668caf7f8db953f08d

Download Submit
C:\Windows\SysWOW64\Glkmmefl.exe

Filesize
318KB

MD5
68b568421aeaa170b3e135636e530e2e

SHA1
3870bded2a3f4ce875a96a6e7b6cf70a8b122098

SHA256
f40b1ee120e0a6edc9012b431cb3746e0ccbebd7336c9f48da224cd74ff1a23f

SHA512
ada4823f1c1a4a6c7644ee4ab73ae5fa6274bec1b9bb2aa3f57a4886359bcf474127181877f4301c899aa18806cd9c8357fa73931d649feb729d9807bed916f5

Download Submit
C:\Windows\SysWOW64\Gmojkj32.exe

Filesize
318KB

MD5
c11042000419239ae74edf7fba552d4c

SHA1
794aa8116da5fe68e505bde8fd427688250b6b92

SHA256
facfc6596cae7a175aa21e7c6bfe6237cb8fe58f5d38875bd6f90065ceae2ac6

SHA512
5649cc088b7d4dffa5ed23ab54dd0e92adc1c1fd00445eef332e7cc26c7e1754d04638d2004f3597699bd11330782cb2a276486a9afd90b437a10ea52e9adad6

Download Submit
C:\Windows\SysWOW64\Hiipmhmk.exe

Filesize
318KB

MD5
4ce142f596ce29ec07a756fec7ea32d9

SHA1
4efd54faffc665291726ff11e35dd3bc09533734

SHA256
a1650e68f5c1565f2e160ff7f191c49d571f4372801f69cf85a0274de1992e6b

SHA512
d60624a3b29e7dbf206458fb43177455d7e6704c2b5cb0598c0309741feea306629b876291bbb5a7390b9355e96207f04ab2f175d7adb2738df978e8cea5544f

Download Submit
C:\Windows\SysWOW64\Hlbcnd32.exe

Filesize
318KB

MD5
b17a522529a06dc11e63a99019480b56

SHA1
898902211813ff9dbb1cd707c07cfb4d43cddf6a

SHA256
fb8687ded89d9ef47785c961b2344c982dd9262c577fb6fc492cf75ebdaa6bc0

SHA512
eb03c8c8e0c72c571027ca81214828d1287dfa134642b663d460231cda46bc9ceb5a0857f0754a3ff12ff082bed290b10a0ae93cce0fa4d8596d5834499a5ff1

Download Submit
C:\Windows\SysWOW64\Hlnjbedi.exe

Filesize
318KB

MD5
40c444f3936af4becd70e8904f45467d

SHA1
1b9d3e36dc6893a6da007c3e411ff453c60a4504

SHA256
7167893b399fb673d395d43131a10ca45466f0919807896baccb0673c571ebbc

SHA512
3c3426b79e35911a5fe9dab51fd813b32350dae5055bf6a0acd9c01e2d88c3b3b633cab10bec3c971a67e5caa14f9c030d1bcbe6eaa61dd4e65ed1486f59e8ed

Download Submit
C:\Windows\SysWOW64\Hlpfhe32.exe

Filesize
318KB

MD5
e5ef2add09da2b9e50058972a1ccc002

SHA1
d2271730e893825ac87eb59539207620ecea9be6

SHA256
5a92aadfa038ede31ac88c6e34af94fe0afeaebfbe2319e91afc043f51d4c1e3

SHA512
2752b06b8acb6698ffc61f50f121045919b008279a5461852b180301056c11e06502d3c1df3ca734b2b4a5d768356b9d535367925a21f72f0e671af3e93344d6

Download Submit
C:\Windows\SysWOW64\Iibccgep.exe

Filesize
318KB

MD5
3407ad66a26218877a9748fda3d773b2

SHA1
aa1dd6d5967dea0a2cd1e05b35aec7a1a35641d7

SHA256
9dd11586976e6a3ed065da7c8b8d91c7c8081f38ec9ac69592b78570a85b250d

SHA512
2cb8087095e6e83026ed310cee19879cc47c811596d9f29c6a9294a417553fe9a6c886292612eeaa801fb40586035ce6d8a7dbb61b95ea5c9cdbfd3d68ef2e68

Download Submit
C:\Windows\SysWOW64\Iinjhh32.exe

Filesize
318KB

MD5
cc48795a2df99c1f63f05ecca1696e7d

SHA1
ba290d13dfbe4914cd1a48879aa17ea666f0fcac

SHA256
408fb978d994f621aad5a47360d36273ac93a5eaa075ff37560acb5e3c95d308

SHA512
8b202ab8e586be5374ada4f4a6d62a6c142e0ef179cbe345aeb349641d32d85f9ed0870d62e3781a4a5bd483bbfa3f824de6d2646837b3d2336a0bb14a068a7d

Download Submit
C:\Windows\SysWOW64\Iliinc32.exe

Filesize
318KB

MD5
e72bdcd9057142452f005c21bd0c3fce

SHA1
2db9f84a5858a9b1a040431b06315f9fd0d79a6c

SHA256
16be09f840be319c136e6dea7878798c2dec4e38085adbd91a70867975ee6f48

SHA512
dbcd4538229372282746f65c59724f818506dd925744ed1ebfe86ada8dc8f9fa1384df5814ecdb641d1734b2fde3dd3a43bc70a6095bc1dfe0a9e28947c54979

Download Submit
C:\Windows\SysWOW64\Imkbnf32.exe

Filesize
318KB

MD5
881c9c493ee9f83c16f3bfbe76af2d23

SHA1
1a9382ffc4bbb529402482d0370d550685db3fb5

SHA256
667cf9890bc100c7409ab8959827ae40a941ed4eaa4e5a6f5d026b52d474f7d7

SHA512
d0c76d1003af67a9b7254ddcc238c6c2dca217e5719ac952c9da804eb91b5960f7ae07a5b63488c61c95135d7842d8e18fbc83ccb2e0f4ac0fcf9be2bb4ca693

Download Submit
C:\Windows\SysWOW64\Jepjhg32.exe

Filesize
318KB

MD5
41a290f8c6650629d3e71295ea497b68

SHA1
bf13682bf4d8e69392273226e4ef903b839dbf9d

SHA256
d8aa855d08ee079fded57110ff69d20f8e155ae98b05773ae4f6a170ad9b75f5

SHA512
6287f83e24b9def0e84ca60301328c4771edc97975114f52a04f9f3574eaad3c9aa163f5d2eb585908f2751addc9dc4c48ca65d736a166709e888fc7fa7dbf3a

Download Submit
C:\Windows\SysWOW64\Joahqn32.exe

Filesize
318KB

MD5
5f554269fb1e12ea1fb42bb2f5215139

SHA1
a735800068b04521e29dfece7dfdf9f81281f03f

SHA256
fbadfceef73280e06c0885afa1c8ab2e0d0b31adbf027ffd8f946611f1508bc6

SHA512
3521118a42655d52a6cd03e0c2addf1a483e08e3eea7d9034f07622a465d81c50898d6fc4580e1899d989daa737a24d13358dd8ca4eaca32960dfb17f40f07aa

Download Submit
C:\Windows\SysWOW64\Jokkgl32.exe

Filesize
318KB

MD5
9e4c7983d40afafa5951c5801679e11d

SHA1
81875a26ec1b2ef038601bbfb432aa0a9dd9b762

SHA256
de3d888f1929b89be4be1d0ced6bec0be7fca82b279e0830d28b2ebfb563431c

SHA512
e024823d5599a7ec0f323c3cb15235bc5639f8d6ad5ed74844124896412d7bbf7c3337a0a0c6e35381148fdf0f6ce7e4fc42c21732d66cb4b26329332ef8a230

Download Submit
C:\Windows\SysWOW64\Kcmmhj32.exe

Filesize
318KB

MD5
890f102f4c6c2d3957486cbec16dd49b

SHA1
57b84bd85b1bb21ca192e368b25be828c610f650

SHA256
865fb1acc2f2cb95a8cfb33555ea2cc0980c4f728fdf9cf2534cafb8ae2fb395

SHA512
d855ee10264352c339aaad75a4c76d9ab2b3562c932a377acb056256531f0e4cfadd6316e27a7b3f586048d6141df655cc18619c5fda0c41ef3a6ded333edaf4

Download Submit
C:\Windows\SysWOW64\Kegpifod.exe

Filesize
318KB

MD5
982f91d7f8f9b50cc62ea7629945fd90

SHA1
c4b9b9154588e91adfdba67bed5011b4c95d71c0

SHA256
8db0c4f5631c3298d0e04c1f02fadce31fcaeb32a4c65e0569a0a195d98c0572

SHA512
c601afd552caf945cd6bf36298729bc5adee96f3ae1743d7a730b238cada736b6032109f33111ac35ddda66d308679315c2f75ae5fd127d908b7a734086c5177

Download Submit
C:\Windows\SysWOW64\Kjeiodek.exe

Filesize
318KB

MD5
fc5f258f3d1c3040fc3a4ed862f88ef3

SHA1
7562c5f7747ca882fdcc77af2d145430b6465ec8

SHA256
d3ee00d66a694bbb76ff4edb7e030b988b351c8dadf76e3795681d1dfee9076f

SHA512
2f3b4e51cb07a2e47771483e542c6cc3381c9f0bba38ede2473882052227bb53666e2524feb1f44a6bafa3d72f63f59b194dd9a33f2804f3c0ffde9e0d622320

Download Submit
C:\Windows\SysWOW64\Kngkqbgl.exe

Filesize
318KB

MD5
91ce4c3b8e8e573847f5b90ece7f1536

SHA1
8140c75a337dedab3c451efe61419f39a7e7c8ca

SHA256
299d3d9ca96944cfcbf35a802a9ffba7891f1654087fefcdcc701fcc535f5e75

SHA512
72c56dfe70ef350b4a4f5f701374bf472d27b0e4a31e01c23775327aa1258a4267b5fc4ea2e92d15c782e7d1114ff8074bf6c388db60d9a745f5823122137f9a

Download Submit
C:\Windows\SysWOW64\Kofkbk32.exe

Filesize
318KB

MD5
201b5d36a1d66fcd37355181e941baa6

SHA1
b57196c2b92abaf4f267fb705e0912979d093d78

SHA256
065817214a32de55a305f3fc4913fe96b2cea625a91f930c5f086af24734de0a

SHA512
9cef677c18ca9a432e1ee999ad1b0ead5289c7420459ccf33006cd8b96f4417f17946e90c4546cda0c289b598d52872bb381ffb02e54b021f909bfd4347ce2b6

Download Submit
C:\Windows\SysWOW64\Lcgpni32.exe

Filesize
318KB

MD5
88eb81f64b6ce1af98ab482e3b11baca

SHA1
473e3bff010896853003a08a78a3e4a91ce96876

SHA256
2b4197a99c00f244a12d46b64cdd3847e39c6f4231f73f4971eb77e218725713

SHA512
39be743a2fd64b6b618915286ce9a99e8e460d2aecf9c1dcf030e446202e6da9c79e0e857bb18166b371dfac1520fc915a94561eebe6d296000fe3180337c9e6

Download Submit
C:\Windows\SysWOW64\Lflbkcll.exe

Filesize
318KB

MD5
8e247279fb38f52904a4c21ce6d78702

SHA1
d3067dfd24afd5b27e4f5813abe68563225549e5

SHA256
dc9c38a94cbf259f9ab45126c40f243c989a4205d7804eff8763fef76998cea2

SHA512
3a6d57d7fe0893672b0b3c90ffead0e9a8e7e1bc7be8eb3d1a7dc03c1c890279a9bcf7b08c8ffcd208bd1cc42df0c064b1118071c40986d43c566342b60db033

Download Submit
C:\Windows\SysWOW64\Ljceqb32.exe

Filesize
318KB

MD5
2096f884a28290af3807a4b0811c4a76

SHA1
992fdcb851c82addc3f841cd2d3c3b9747c14620

SHA256
1ebfd2f14aed8609a77490412f1633cd806c3abd0cb246c63f1a07e81f6deff9

SHA512
bb2d60f054ce8a5c61b74d5f734b3945d897b51fb463da359850a379fabd750c586f0cbc0c4b47cee93580bbcb087deb2f3732caef29a8b9713a3777cc1bc166

Download Submit
C:\Windows\SysWOW64\Lnangaoa.exe

Filesize
318KB

MD5
077c6ab14cbbd71223e7cf740330bd64

SHA1
201ce38bd4c8b7b00e6cce8cfb4b8228b96abcf4

SHA256
5f48d286a9f68204ee7d95c64ec5a3798c86e80e8c8885f845f1fa91e53b0820

SHA512
7223697777e2f8e42dcf8d8e64e2b10600145b0d02db629af9c58072daf7a3438f9a3d3d793d8248ca103caff6d5ab500aef279d5efb2bac2df388196ae71d62

Download Submit
C:\Windows\SysWOW64\Mcdeeq32.exe

Filesize
318KB

MD5
c8aadc97e37306883bc950741f40191f

SHA1
fb801a0385715b530e6b40a2037d5b893a72e55e

SHA256
ac034e537664256328d9594510b170f0972084abf0f1bac4dccef11d8160d6fb

SHA512
0216e9082e1913891cceed6d06e57d43325e12aa1d16a12d56343fa705a9236db4ba3a868120163442286f468ade5028229a9c41da9fee3df13e5b51c30976c7

Download Submit
C:\Windows\SysWOW64\Mjlhgaqp.exe

Filesize
318KB

MD5
d69935f491f1b2abc31841bc17cf8db2

SHA1
ed64bf8e855e86f0e72905e7648a30be7d2fcf5c

SHA256
d011f5f564641f08fb9a83adb9c8fc2cfbbdf37229bf561b304d8dcc5fbb4215

SHA512
50e8db53100763e88eeffbe00748c0b97a05e72037cea7bfd5b485aec519fcac27af681630b6556067e37143425354f789cb20591993ca20458798e43f934ba1

Download Submit
C:\Windows\SysWOW64\Mnjqmpgg.exe

Filesize
318KB

MD5
a5b286d1ebc078e45a49551ec93dc942

SHA1
9a0911017d8cbc389e2150c11746c8709f4bfb1f

SHA256
e4d8e2f9e428d5dd6b38a65afb82904e690386c3957176fc2643731b7fca85d1

SHA512
5baac1696e8a9214c2890e8f063743d6d1a02e432a2521919b25cdcd214b51c98e6d0ad63521f1350b40f4a28d8ef9a22e6f7e546d372068d57920d9f63ddeda

Download Submit
C:\Windows\SysWOW64\Mqjbddpl.exe

Filesize
318KB

MD5
25c433b2920d42e89be0e5447ed55dc5

SHA1
a1cf4ff676246a8c903b6d70e2614c077bf39908

SHA256
9845cadeb775be5d7809895cc307cbcde7195d94bbcb38e19d734a8780d59b39

SHA512
5a66505308ca430d64d5ad45ce56ab22db682c4221bba6c03ad5cde0d850560112e8123cbc790f6968c071515c8d8f2c85877ad1e9af94d2b31c8990ef5426f9

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
128KB

MD5
fc4b4a4c9a57d2bc318bf9f66fcac3f6

SHA1
6d8dad293ff6fba285201b584302fcbbbe6e8e6d

SHA256
12abb4e5f2cd07511790c143aa350330282a9b01774c53b0436eb39a687e162e

SHA512
e261d7980d6d498d1ee2f8666359b75397ce73e7d9cb0d77813babf0e7e246b69f651928908675a32f78a2e671ac72461103adf501d44edd21ffdebda9161745

Download Submit
C:\Windows\SysWOW64\Noblkqca.exe

Filesize
318KB

MD5
bbcf4ab3cc2d5079cfe99413d46d6272

SHA1
f075bd89224fe52a8b1294be0dd88ca8adceec58

SHA256
069177226a5b383f15f51eeb413ef8758f2b5ce07581aafb75ea0fe76ec1aaec

SHA512
09ae31a365e4d595b45c4615240f22e202d929091afcda8a5af93474f07714189d1d4ef9382b38419951e6ee0b8fad60b360b6972e9ca5c5b775313acc904759

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
318KB

MD5
049912abe9d085e1cac72574c36db07d

SHA1
25b7e4fcd8ade4c6a9ce92bf629b7e8c6093ec7b

SHA256
845177cec49c4d75da76d0d8ee96fc27400eec7bb15c93253ef95cc515b7cf03

SHA512
a4edfcfe07916fe8493686ff1c557bcb2c52b0da00349cec25b3aafedfe79e9c4df83d48e89811dfe3f5d39d8333139262b2e07c8f2c1774140903fecfdce2d0

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
128KB

MD5
34c3a91c90986e1acbff51082ec8e444

SHA1
486f4eaa16787135a297b1112ce1a435d815966c

SHA256
e5ceb1340c1b7a4bbec88ce97d9a78dc0afeb1c63ec2b9e5f787c7d474c29607

SHA512
89f629952b4a1a01f51e53ab88545ba699c0fc3d73a3b33cee5c62d22229aafde87660be52811b4ec059a575492eb6702e87f6c28c69543a16632f09c4249f24

Download Submit
C:\Windows\SysWOW64\Omalpc32.exe

Filesize
318KB

MD5
394934877a2f0e14da054f22b4ddad7d

SHA1
e22084f4c842c109c54bafbb205155b93ba580cc

SHA256
2e0e144700b7061398df0262088a311686cdceab92c3eb3ec323bc4650dc4d50

SHA512
b864f2b3cd1cc23ba1ee2151d4dc8cc96aebf55646cd01a79c54009ce456a436770eb5d790653786dd4f159cfe38f3ee8e53a43a0d811d0f6fd7655a6741fb0f

Download Submit
C:\Windows\SysWOW64\Ondljl32.exe

Filesize
318KB

MD5
425a132bb7b4c79b348f507095f1c5c3

SHA1
2b51a62e7583eac16036658be9e2da86d53e2f03

SHA256
044d7d8e5bca721f96ad07367a1fdd984dcd7e6aaac63a58732254593ac0d6df

SHA512
690ae20baee3520e1918d3c42f1e040d4a12f284f3e59f4a9974f4a96710d31b5113fd7b92f1ac89d05d35a9da429ad235c9bc55ee36f1ee55cc83ebd2dac12e

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
318KB

MD5
f823b15fea4baf83dad56f6f66944aef

SHA1
2165436451cde32247398713b549af5020c45745

SHA256
80b380a12d16e8f7e72247d6a8adaec4fcc6b77e2ac37bdd18608f90a8bd7990

SHA512
0d64e10b54e3993eae9756d6c15141332761d5274b2339f5df1abba5adf774dc8547eef4445e8f05263004e2404fdac369d6b01796268cc6b22a1e65d6d38788

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
318KB

MD5
77704e75dda22c32aff0b195e2e73e16

SHA1
ac20d3194f624f570a3d44263f2ff00e344b4083

SHA256
f9840c829a81c7fadba8510cdf862f9e31c71552a37e8a4ea6864132d013003f

SHA512
a4ab138451cb95df221be0845aa77260b9b5907fd44095716e91d358290d6f507982755117ff94f403e237b46ce17e7fb33a2a8c7903e6f10749d61f745c1272

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
318KB

MD5
78b04f667819ada6f9134b7e9a5d8dd1

SHA1
732e0e64e7af5ab5f2fdb183a718f72ac215fa77

SHA256
7912f1b18553ec0aaf6c8bd3dfe539e7dcce45c600d74f9e778180466c904206

SHA512
f6d820c0519075d0d86fa05d5ad44f0cf7f331dcbeec8e21c4b531b52aefce9c66121a13f0c8438494f02f476ae9d8e9656560a78d4a69827984b7c8e3cb12b0

Download Submit
memory/60-548-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/224-191-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/412-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/412-544-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/536-461-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/536-1079-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/624-522-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/732-376-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/820-71-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1000-88-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1036-358-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1108-233-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1112-47-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1112-604-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1232-1192-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1232-152-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1312-1173-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1312-217-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1348-143-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1484-293-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1528-311-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1624-412-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1780-299-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1816-281-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1856-468-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1864-269-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1948-317-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1952-96-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1956-418-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2064-1084-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2064-446-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2076-364-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2108-323-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2124-127-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2124-1094-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2188-241-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2204-959-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2224-455-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2248-400-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2272-382-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2368-487-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2380-370-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2576-199-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2676-506-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2732-352-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2848-1058-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2848-531-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2860-436-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2984-394-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3004-448-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3108-406-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3172-329-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3188-485-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3304-31-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3304-589-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3352-175-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3356-582-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3356-23-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3372-507-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3476-275-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3512-167-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3552-388-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3556-136-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3564-542-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3596-103-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3844-112-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3852-596-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3852-40-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3912-552-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3964-529-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4028-474-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4064-257-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4064-1165-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4084-120-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4176-287-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4308-346-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4340-8-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4340-566-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4364-305-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4384-209-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4428-15-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4428-574-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4460-80-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4596-424-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4612-184-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4636-335-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4696-619-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4696-63-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4708-616-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4708-55-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4720-225-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4760-1162-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4760-263-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4768-1166-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4768-249-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4772-559-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4860-430-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4860-1089-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4896-160-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4896-1185-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5032-494-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5140-571-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5192-581-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5192-1047-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5204-973-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5288-590-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5332-603-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5376-1039-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5376-605-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5384-1004-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5424-618-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5424-1037-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5476-620-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5636-1030-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5812-1023-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/6120-989-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/6260-949-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads