7c65b58cab37ba46f080275a2dc48edb5643362b976c927ccab2e0533c817f39

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c461d597b5a4b0bbbc11e67d9266dc10_NeikiAnalytics.exe
Size

80KB
MD5

c461d597b5a4b0bbbc11e67d9266dc10
SHA1

439f1543a0c0f2e6cce082f94e00e222ef7bba0e
SHA256

7c65b58cab37ba46f080275a2dc48edb5643362b976c927ccab2e0533c817f39
SHA512

c782e270615ad4f5ffd64e1f71fc662f9a5501a1100b0d6cab435e29cb758af711bc79f79ab37b48e22b26a2dc7da34e9675402f7d523de842bdb6bf02d7d4b4
SSDEEP

1536:pCrc2+lD6Hx6lylpn/6An3Zj8TF67meYvyYezDfWqdMVrlEFtyb7IYOOqw4Tv:UEDkx6QlpiAn3ZsF67mDylzTWqAhELy+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppaclio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fglnkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnibokbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibnjkbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgbnkfm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblajhje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqppci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqjbddpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkefmjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohqnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ooibkpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqbneq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnpphljo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joqafgni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkcigjel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemooo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabglnco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqbneq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdenmbkk.exe

Executes dropped EXE 64 IoCs

pid	Process
1708	Onkidm32.exe
3444	Omdppiif.exe
2172	Opeiadfg.exe
1996	Pccahbmn.exe
4048	Pdenmbkk.exe
4928	Pdhkcb32.exe
2152	Ppolhcnm.exe
1596	Pdmdnadc.exe
220	Qhjmdp32.exe
4628	Qdaniq32.exe
2096	Aknbkjfh.exe
4392	Agdcpkll.exe
2256	Aonhghjl.exe
4508	Amcehdod.exe
1676	Baannc32.exe
3888	Boenhgdd.exe
4388	Bddcenpi.exe
3684	Bhblllfo.exe
2444	Chdialdl.exe
2644	Ckebcg32.exe
4744	Cdmfllhn.exe
2824	Cpdgqmnb.exe
1624	Cpfcfmlp.exe
4196	Dpiplm32.exe
1288	Ddgibkpc.exe
3696	Doojec32.exe
1860	Dgjoif32.exe
2752	Dkhgod32.exe
4316	Ekjded32.exe
3524	Ehbnigjj.exe
536	Enpfan32.exe
3188	Fqppci32.exe
1976	Fqbliicp.exe
2004	Foclgq32.exe
3712	Fbdehlip.exe
5092	Fbgbnkfm.exe
3660	Gokbgpeg.exe
2124	Gnpphljo.exe
3860	Gejhef32.exe
3136	Gnblnlhl.exe
1684	Ggkqgaol.exe
1692	Gacepg32.exe
2428	Geanfelc.exe
3272	Hnibokbd.exe
3580	Hbgkei32.exe
1120	Halhfe32.exe
4764	Hejqldci.exe
3656	Haaaaeim.exe
2740	Joqafgni.exe
1336	Jhifomdj.exe
1416	Jbccge32.exe
1776	Kedlip32.exe
540	Kolabf32.exe
2604	Klpakj32.exe
2828	Keifdpif.exe
940	Kcmfnd32.exe
2384	Kemooo32.exe
3620	Kcapicdj.exe
1472	Lohqnd32.exe
3676	Lpgmhg32.exe
4944	Lpjjmg32.exe
1184	Lplfcf32.exe
3336	Lhgkgijg.exe
1372	Mhjhmhhd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dpiplm32.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Dkpqlc32.dll	Fqppci32.exe
File created	C:\Windows\SysWOW64\Mfenglqf.exe	Mlljnf32.exe
File opened for modification	C:\Windows\SysWOW64\Afockelf.exe	Aabkbono.exe
File created	C:\Windows\SysWOW64\Elfahb32.dll	Dncpkjoc.exe
File opened for modification	C:\Windows\SysWOW64\Hejqldci.exe	Halhfe32.exe
File created	C:\Windows\SysWOW64\Mhjhmhhd.exe	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Inmalg32.dll	Qcnjijoe.exe
File created	C:\Windows\SysWOW64\Affikdfn.exe	Ajohfcpj.exe
File created	C:\Windows\SysWOW64\Gokfdpdo.dll	Fboecfii.exe
File created	C:\Windows\SysWOW64\Fbdehlip.exe	Foclgq32.exe
File opened for modification	C:\Windows\SysWOW64\Hbgkei32.exe	Hnibokbd.exe
File opened for modification	C:\Windows\SysWOW64\Gjaphgpl.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Kjekja32.dll	Gqbneq32.exe
File opened for modification	C:\Windows\SysWOW64\Hqghqpnl.exe	Hgocgjgk.exe
File created	C:\Windows\SysWOW64\Lolcnman.exe	Lojfin32.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Bigbmpco.exe	Ampaho32.exe
File created	C:\Windows\SysWOW64\Iaidib32.dll	Opbean32.exe
File created	C:\Windows\SysWOW64\Eknphfld.dll	Bfkbfd32.exe
File created	C:\Windows\SysWOW64\Mghekd32.dll	Lbcedmnl.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lolcnman.exe
File opened for modification	C:\Windows\SysWOW64\Onkidm32.exe	c461d597b5a4b0bbbc11e67d9266dc10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Daqfhf32.dll	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Ckpamabg.exe	Bdeiqgkj.exe
File opened for modification	C:\Windows\SysWOW64\Ekqckmfb.exe	Egbken32.exe
File opened for modification	C:\Windows\SysWOW64\Hnibokbd.exe	Geanfelc.exe
File opened for modification	C:\Windows\SysWOW64\Kedlip32.exe	Jbccge32.exe
File created	C:\Windows\SysWOW64\Mpeiie32.exe	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Nmaciefp.exe	Mqjbddpl.exe
File created	C:\Windows\SysWOW64\Kpqgeihg.dll	Pimfpc32.exe
File created	C:\Windows\SysWOW64\Aabkbono.exe	Qcnjijoe.exe
File opened for modification	C:\Windows\SysWOW64\Affikdfn.exe	Ajohfcpj.exe
File opened for modification	C:\Windows\SysWOW64\Bigbmpco.exe	Ampaho32.exe
File created	C:\Windows\SysWOW64\Hkfoel32.dll	Omdppiif.exe
File created	C:\Windows\SysWOW64\Ekjded32.exe	Dkhgod32.exe
File created	C:\Windows\SysWOW64\Hnggccfl.dll	Lklnconj.exe
File created	C:\Windows\SysWOW64\Cacmpj32.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Iabglnco.exe	Ibnjkbog.exe
File created	C:\Windows\SysWOW64\Lbcedmnl.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Mgfhfd32.dll	Kcmfnd32.exe
File opened for modification	C:\Windows\SysWOW64\Fdpnda32.exe	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Cjkhnd32.dll	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Daeifj32.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Jjnaaa32.exe	Jjkdlall.exe
File opened for modification	C:\Windows\SysWOW64\Khfkfedn.exe	Kkbkmqed.exe
File created	C:\Windows\SysWOW64\Lohqnd32.exe	Kcapicdj.exe
File created	C:\Windows\SysWOW64\Ooibkpmi.exe	Nfqnbjfi.exe
File created	C:\Windows\SysWOW64\Efoope32.dll	Cacmpj32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkmqed.exe	Kajfdk32.exe
File created	C:\Windows\SysWOW64\Dkbnla32.dll	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Ckpamabg.exe	Bdeiqgkj.exe
File opened for modification	C:\Windows\SysWOW64\Cacmpj32.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Cpdgqmnb.exe	Cdmfllhn.exe
File opened for modification	C:\Windows\SysWOW64\Joqafgni.exe	Haaaaeim.exe
File opened for modification	C:\Windows\SysWOW64\Aabkbono.exe	Qcnjijoe.exe
File created	C:\Windows\SysWOW64\Bfkbfd32.exe	Bpqjjjjl.exe
File opened for modification	C:\Windows\SysWOW64\Aknbkjfh.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Pjlcjf32.exe	Pimfpc32.exe
File created	C:\Windows\SysWOW64\Cpfoag32.dll	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Qcnjijoe.exe	Qiiflaoo.exe
File created	C:\Windows\SysWOW64\Bejceb32.dll	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Celhnb32.dll	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Papambbb.dll	Dkhgod32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6600	6708	WerFault.exe	258

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kedlip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqjbddpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpqjjjjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknphfld.dll"	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baannc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gacepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kedlip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmannfj.dll"	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfljc32.dll"	Fbdehlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnpphljo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kemooo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c461d597b5a4b0bbbc11e67d9266dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgeihiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifjj32.dll"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfpkhpm.dll"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnggccfl.dll"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneclb32.dll"	Gacepg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papambbb.dll"	Dkhgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmalg32.dll"	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfahb32.dll"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkock32.dll"	Gkefmjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkhgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nneilmna.dll"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgbnkfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll"	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibla32.dll"	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampaho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abfdpfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahhgi32.dll"	Gbkdod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kolabf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcakafa.dll"	Lpjjmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokmd32.dll"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agecdgmk.dll"	Daeifj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 1708	4156	c461d597b5a4b0bbbc11e67d9266dc10_NeikiAnalytics.exe	89
PID 4156 wrote to memory of 1708	4156	c461d597b5a4b0bbbc11e67d9266dc10_NeikiAnalytics.exe	89
PID 4156 wrote to memory of 1708	4156	c461d597b5a4b0bbbc11e67d9266dc10_NeikiAnalytics.exe	89
PID 1708 wrote to memory of 3444	1708	Onkidm32.exe	90
PID 1708 wrote to memory of 3444	1708	Onkidm32.exe	90
PID 1708 wrote to memory of 3444	1708	Onkidm32.exe	90
PID 3444 wrote to memory of 2172	3444	Omdppiif.exe	91
PID 3444 wrote to memory of 2172	3444	Omdppiif.exe	91
PID 3444 wrote to memory of 2172	3444	Omdppiif.exe	91
PID 2172 wrote to memory of 1996	2172	Opeiadfg.exe	92
PID 2172 wrote to memory of 1996	2172	Opeiadfg.exe	92
PID 2172 wrote to memory of 1996	2172	Opeiadfg.exe	92
PID 1996 wrote to memory of 4048	1996	Pccahbmn.exe	93
PID 1996 wrote to memory of 4048	1996	Pccahbmn.exe	93
PID 1996 wrote to memory of 4048	1996	Pccahbmn.exe	93
PID 4048 wrote to memory of 4928	4048	Pdenmbkk.exe	94
PID 4048 wrote to memory of 4928	4048	Pdenmbkk.exe	94
PID 4048 wrote to memory of 4928	4048	Pdenmbkk.exe	94
PID 4928 wrote to memory of 2152	4928	Pdhkcb32.exe	95
PID 4928 wrote to memory of 2152	4928	Pdhkcb32.exe	95
PID 4928 wrote to memory of 2152	4928	Pdhkcb32.exe	95
PID 2152 wrote to memory of 1596	2152	Ppolhcnm.exe	96
PID 2152 wrote to memory of 1596	2152	Ppolhcnm.exe	96
PID 2152 wrote to memory of 1596	2152	Ppolhcnm.exe	96
PID 1596 wrote to memory of 220	1596	Pdmdnadc.exe	97
PID 1596 wrote to memory of 220	1596	Pdmdnadc.exe	97
PID 1596 wrote to memory of 220	1596	Pdmdnadc.exe	97
PID 220 wrote to memory of 4628	220	Qhjmdp32.exe	98
PID 220 wrote to memory of 4628	220	Qhjmdp32.exe	98
PID 220 wrote to memory of 4628	220	Qhjmdp32.exe	98
PID 4628 wrote to memory of 2096	4628	Qdaniq32.exe	99
PID 4628 wrote to memory of 2096	4628	Qdaniq32.exe	99
PID 4628 wrote to memory of 2096	4628	Qdaniq32.exe	99
PID 2096 wrote to memory of 4392	2096	Aknbkjfh.exe	100
PID 2096 wrote to memory of 4392	2096	Aknbkjfh.exe	100
PID 2096 wrote to memory of 4392	2096	Aknbkjfh.exe	100
PID 4392 wrote to memory of 2256	4392	Agdcpkll.exe	101
PID 4392 wrote to memory of 2256	4392	Agdcpkll.exe	101
PID 4392 wrote to memory of 2256	4392	Agdcpkll.exe	101
PID 2256 wrote to memory of 4508	2256	Aonhghjl.exe	102
PID 2256 wrote to memory of 4508	2256	Aonhghjl.exe	102
PID 2256 wrote to memory of 4508	2256	Aonhghjl.exe	102
PID 4508 wrote to memory of 1676	4508	Amcehdod.exe	103
PID 4508 wrote to memory of 1676	4508	Amcehdod.exe	103
PID 4508 wrote to memory of 1676	4508	Amcehdod.exe	103
PID 1676 wrote to memory of 3888	1676	Baannc32.exe	104
PID 1676 wrote to memory of 3888	1676	Baannc32.exe	104
PID 1676 wrote to memory of 3888	1676	Baannc32.exe	104
PID 3888 wrote to memory of 4388	3888	Boenhgdd.exe	105
PID 3888 wrote to memory of 4388	3888	Boenhgdd.exe	105
PID 3888 wrote to memory of 4388	3888	Boenhgdd.exe	105
PID 4388 wrote to memory of 3684	4388	Bddcenpi.exe	106
PID 4388 wrote to memory of 3684	4388	Bddcenpi.exe	106
PID 4388 wrote to memory of 3684	4388	Bddcenpi.exe	106
PID 3684 wrote to memory of 2444	3684	Bhblllfo.exe	107
PID 3684 wrote to memory of 2444	3684	Bhblllfo.exe	107
PID 3684 wrote to memory of 2444	3684	Bhblllfo.exe	107
PID 2444 wrote to memory of 2644	2444	Chdialdl.exe	108
PID 2444 wrote to memory of 2644	2444	Chdialdl.exe	108
PID 2444 wrote to memory of 2644	2444	Chdialdl.exe	108
PID 2644 wrote to memory of 4744	2644	Ckebcg32.exe	109
PID 2644 wrote to memory of 4744	2644	Ckebcg32.exe	109
PID 2644 wrote to memory of 4744	2644	Ckebcg32.exe	109
PID 4744 wrote to memory of 2824	4744	Cdmfllhn.exe	110

C:\Users\Admin\AppData\Local\Temp\c461d597b5a4b0bbbc11e67d9266dc10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c461d597b5a4b0bbbc11e67d9266dc10_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SysWOW64\Onkidm32.exe
  C:\Windows\system32\Onkidm32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\Omdppiif.exe
    C:\Windows\system32\Omdppiif.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\SysWOW64\Opeiadfg.exe
      C:\Windows\system32\Opeiadfg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        23⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        25⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        27⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        28⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        30⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Ehbnigjj.exe
        
        C:\Windows\system32\Ehbnigjj.exe
        31⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        32⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Fqbliicp.exe
        
        C:\Windows\system32\Fqbliicp.exe
        34⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        38⤵
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        40⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        41⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        42⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        46⤵
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1120
        
        C:\Windows\SysWOW64\Hejqldci.exe
        
        C:\Windows\system32\Hejqldci.exe
        48⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        51⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        55⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        56⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        61⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        63⤵
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3456
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        68⤵
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        69⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        71⤵
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        72⤵
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        73⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        74⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        75⤵
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        76⤵
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        78⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        79⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        81⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        84⤵
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        85⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:936
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1796
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        89⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        92⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        94⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        95⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        97⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        100⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        102⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        103⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        104⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        105⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        107⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        110⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        112⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        115⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        116⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        117⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        119⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        120⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        121⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        124⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        125⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        128⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        129⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        132⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        133⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Gkefmjcj.exe
        
        C:\Windows\system32\Gkefmjcj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Gqbneq32.exe
        
        C:\Windows\system32\Gqbneq32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        138⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        139⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        140⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        141⤵
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6484
        
        C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        144⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        145⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6620
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        147⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        148⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        150⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        151⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        154⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        155⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7068
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        157⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6180
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        159⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        161⤵
        Drops file in System32 directory
        
        PID:6448
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        163⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        164⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 400
        165⤵
        Program crash
        
        PID:6600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6708 -ip 6708
1⤵
PID:6844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:7100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
80KB

MD5
aedb184e8e619cc9d01bbd6b569cf9c5

SHA1
bc0235a6156b8a8df785d22ab3784cec9cf1b668

SHA256
7585b8bc3416a85f8decbdcc00b6c511f6fc31da1f086766b0989dc2112b3d2b

SHA512
4df629fc6a229544a221df5e2ce6c9c50b932fa3913c6299ebc33c9116194955ad1a9eba7bee359e5bb26c4980267f215abafa4d9c9fe509b04adb2baf376931

Download Submit
C:\Windows\SysWOW64\Aknbkjfh.exe

Filesize
80KB

MD5
182e56af954812c45c514c3fcdfedf62

SHA1
d728df4bd0f044d8e34ba98b4e4f4394ef2678ce

SHA256
e4f6c0b438890974dae699b9a8869362f7d673c5e71c00db41d4c048112e3fb3

SHA512
e494d1624927e19b6c2e3d826c474620352ac0d4b5b092042e451ba20701abb7bde60c81db6bed17474b16d828c0c21981749d6e6fb9c19b5cf5c5257e61da28

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
80KB

MD5
f934491a85f347f643e8cdde04591a67

SHA1
63fe97e37fdeb7367cda8cc1c24c3d36430ce952

SHA256
7e6abe99834ce60ecd219a27b33f5ecc91fedebb16c60d3257e496039a06b5b9

SHA512
36f5de7e4ee50db063a115c057e392a39cb0505739765b6f93bddc9020f55631177b8c4bcb2e2af9c0f9f29c56df817c14076da982a829689c249e9e9a9f5310

Download Submit
C:\Windows\SysWOW64\Aonhghjl.exe

Filesize
80KB

MD5
d20964c8b77d90b0886a33847fca5df9

SHA1
ce2c7af665de46d2bfdb90418fbdac9acadd4687

SHA256
e9eede964bc74078a31c40150cfec894a1bcb10908987d3f6b2890352e129d69

SHA512
09c71ba2b5b4bdd269c839c6ad8baa82728950f01f3312fe1990f2ad4ac28d9d9647129fefa9d237196b839208bed26bbc5fb3cbb92d34ad1da9a14ff5ada923

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
80KB

MD5
bed1f57b917f6c1fe425131e89c15a67

SHA1
a91075520deb7c18d021769101dcfe0a500fe699

SHA256
bf39b6dda1df579cbf5cb4c8ddd1e7a09575aa008e1569b69afd253a926d4bbe

SHA512
171a73046a527eb865bf6838d7efcd84ced698949b96df568bc90492bc5bd492455b29e5504334013c28d2137673466a7daa40d63960e12775ad11a1e89dc039

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
80KB

MD5
6744f1e555ca5bffe62426493d8922aa

SHA1
8d74cfb3629464605d5c5be7d44b91e9a2fc8fd1

SHA256
c3434802aef64d689b2f75970f1ed254f86147b183f9dbb31257e322bc779de9

SHA512
2881ecb911632371c59da3cc793c23730e0f2851552d4d4873b72133e83f07cfb17f532c4bb91b08f59101bc8249de6735933728bb1772e5b980e1c22155bc75

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
80KB

MD5
a97280c59c4ecc7e5fc6928b13d2ab90

SHA1
1a5ac755690dcc4089eda4cde5ec1a7617e0532e

SHA256
1a33196225332d1694f9018ba23200267b761bab42af58b67f0f807a698ca46e

SHA512
45de9d456ec8a8b0d2e3a2071d7d2fe7c71d8480452a8fb1e1a307485a5776fdc98bb493def0afc93762a1f7e787804fdd7313e387698e5a3a6bca1a2dff49cb

Download Submit
C:\Windows\SysWOW64\Bjhkmbho.exe

Filesize
80KB

MD5
b27f30c51eaa9da833e3f8f0d227b364

SHA1
9dc5fa3c3a947c41ac0dba4e8f6a0c5fcd42598c

SHA256
6f54da8c52323df7a643e6bce56d55f684d4ff7f510cc04fd5b283083ca0f221

SHA512
70480d053179567a7f0c188423eb01042aa2bb4879baf9d363b4f580ef51ccd439ffa0a1a86232ccb4152ef2f2527a076682561fae0bd4443e30285be7c3db2b

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
80KB

MD5
12c2973e4b3ea26d80bc4344abb47d13

SHA1
10b9f06a57c767a38e45d7a9570c159289d735ec

SHA256
8d0e19a509132e7626f9a2b3526c4146e4c9f2d70450224e776638e6eafc75a6

SHA512
d506cffe219158661fda4b3b7aa0c8b346aa2530f61108575ee6494970b883349eb9341825ca8662cba2b5ef3fe6f16b6caa5bb82eb395e84aa585974a82f31b

Download Submit
C:\Windows\SysWOW64\Boenhgdd.exe

Filesize
80KB

MD5
6f300c9ab360c05cdd5ebdd5cb2fa035

SHA1
ec2b3db5b1ee2c8398d9def3d7f64a37c2c4a686

SHA256
d9f04d80c59bb59a53e1eee8365a49e5919a73d35d03db69b42666450a53ec09

SHA512
50910901e6db0f35b006bcca8b108a16eae224f0d98f78d438b503d2b00dbb13005bcbf8a5f05307b051b10bbaa5d91db260da16b93cdd1fab8779c20c906252

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
80KB

MD5
e96612840f35ce6296d0b5bb0a7112a1

SHA1
4737a114ad98772771fffe9c99986f42b83c74d0

SHA256
d2fd118370a3d12c651e9664772fb90d47ccf56651f329b99a2ba6a32f89ecfd

SHA512
360022ab3b4b57103fad055242ffa4e75619f64d09d7eac27fdf0a128109b7435b2bd735cea5709853cf57117476d818d221b0d1e1c0f694fb8b8d71fab5b579

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
80KB

MD5
b3f30f7f7f26a79cebf26768999edd74

SHA1
4af75b1150e847f0fc2445c0d31fbc1b6e58c017

SHA256
df17152dfeb6a210072522917c78032a1638b72e223838042f36e0ec0fd5bdfb

SHA512
134f867d448ff3ce00e59b9df205fa8ca0092fadf17c76d102fa60cdd3e9aa6ba8d98127ea2836977ee5c5ef06a3d8c518cd1021a7dbfafb67183c8a684154a9

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
80KB

MD5
a57d629a9712f2682b4a755537e571a8

SHA1
131d5b78e66b932a135bd3fef7347aac37a595e1

SHA256
8d0474cf700deaae13588b1c8ebbcee5ca2592b2d670450a908eae4ecdbd8136

SHA512
5c5ed748d514cc4176a60046cbe90b0d74f6fa5bcfee1218200fb38dc5d5483618c0f7252c52d96668acd2353e11d84c985e56e66e884f6d0047bf35a7c50856

Download Submit
C:\Windows\SysWOW64\Ckpamabg.exe

Filesize
80KB

MD5
2927bf9af5d7597f1ad02ab2763b7d96

SHA1
78028f9093d7bf18eaf5c2ac921e919d60386b0e

SHA256
23c0f80a6abf57411b65f5cf173145ad0fac4f6d7b27b89b24bd81c9c7409da9

SHA512
6bf3076bffb12dfd4ac0f1271421df3d4e29ec4cff529ae3651d08cb053ee44b84c81cde61127c29457ef2e1433d9acdeefccf3a9c5c4bda21da07ad851ecddb

Download Submit
C:\Windows\SysWOW64\Cpdgqmnb.exe

Filesize
80KB

MD5
7b5df40fab7d29d9f9913a087086ab6f

SHA1
b5f08faeb47c7cb7c44663c7554da9869525e8c3

SHA256
e66be37e3afb29ac353e46a4053287cffd88b9401d8780d2f92e1542756056b6

SHA512
4c10d1882f76c4ed5e9802754c2874d2adf364ca3cbd70eaf41d9695bb217937ee22b63d4f4c53218bc8f1704d82c1297bff6c6d3a028aec45ba735bf2ab3575

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
80KB

MD5
937dc9c9b4d0544090dc59acbf1f7f79

SHA1
03d349bc6a4865416123df0cba6bafa0ae806943

SHA256
926006874237ab0933839455e6fca2b2f5d47496ec030d8348f23439add20118

SHA512
c76e7064e70404c1b99a25f1d07fb48816e539c784b03f3ae26013df9b9ac6ea1b9f38a82476b25eb9f47912be35db1db1b78a59f53eed4927bafefb502d1192

Download Submit
C:\Windows\SysWOW64\Daeifj32.exe

Filesize
80KB

MD5
54eb782e1205796bdf45cb19a9ef505b

SHA1
a33bcbf7d485783b3fdcc6bf18a884252daca595

SHA256
ef16f2141048aeca5e1a1afa74fc54bc0845ae1e6aaf93c1ee6b050c21e9a155

SHA512
ab5437d98bee8ccc3d48197fed385070155a81f8f0864b449b71d30994abfdd46989765d42a6c49e53560faf06eb26abeb44a1e4e9605c257992f25571197fba

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
80KB

MD5
9024cbfec5ae2d4e1ec6cedf50e556e8

SHA1
23c569269ce870d8624fece93ad65216f5250ec5

SHA256
63b63bda9da4bc81857a949b85fb3e325f476e256840ce0f99adc7d928e82409

SHA512
5cf4cda1015d7daa7d36aba040cb06b77658b30ca5320623a519380362adc2ab9ec1b77bb03e742256bb857c52afd4610824f21186fc69f64e1d4090d4f25eb6

Download Submit
C:\Windows\SysWOW64\Dgjoif32.exe

Filesize
80KB

MD5
c3312c3569c29aec67da239ee82b465c

SHA1
a4522c88b6ae73ed12839e49bc20618c6a758d4e

SHA256
c8c280a588b446e11109644d1e3f7d274bcee54563a175a7ddd4bb11f5bb48be

SHA512
61897964d2d826ba44a34c8f747c2e74dc8490a44b05180c6c164d30e3b80712b21fcb7bba44d2f0e51f31f87571460c834ad9eccd725bbe6827944aadbbe89c

Download Submit
C:\Windows\SysWOW64\Dkhgod32.exe

Filesize
80KB

MD5
ff96c829d7592cf32214603b5c2f2bcb

SHA1
51e059cce3f173423b12ba1324fdcd842e2c8b5c

SHA256
4cb57310452a423f71f820687e427c34516389c47316a3e0a5164f333ed63c50

SHA512
cc961b1869362c2f1dd8100d8d1d72119d5a4f7cacbceacbad037f2d982bb313ae2505643b5ce403b2da4eadfcf64fba24c801c187bbf8f53f66acfe89a032c6

Download Submit
C:\Windows\SysWOW64\Doojec32.exe

Filesize
80KB

MD5
95e0dd3900880ddb89b16623bc0f92b9

SHA1
3747df7f299fe112460afcae7c59f21fca0b23ad

SHA256
f950e3b0e4b25788772d1d0ceff22efbea049e04bfc04017b586b9481e218adf

SHA512
6452304436ea17684ed2dacc37c8dc1080fa3b05d79c541216d68d9614662d486a54fe5ccea5ee3184f9d2d0ca7895cf6db977ee24291894c089bbe05c0b8590

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
80KB

MD5
2f284b17d7d6332eb5b3d48ce795f17c

SHA1
c53ac0fdb929ac5d025b21b7a484178ab1c7cf6a

SHA256
618f13e972f25df0ae8f78a407b53ee436cb06ee3b37143ac293d0822db57284

SHA512
1a5dc23fbedc615fdba81c8e72a3204ff6011dbde88a4d159408f826a0b78e61aa855a8a34e27d5ec192ea9b66184df411c96fa5a695032dab6065d8785fcf54

Download Submit
C:\Windows\SysWOW64\Egbken32.exe

Filesize
80KB

MD5
a1a23be37435b7d3979220176c465b04

SHA1
34244b71d3bcc7380ba9469f0f75d496541db5f6

SHA256
d545369e90b9bbf2dd28a2401d9d68f745ab199778e786546887685583b8b2fc

SHA512
f5230ee8d216fa3c5549cc0fb30655b5b56dd9372054832a5030cb548d8a2a26e53b87598a5192a5ac0e177533609689bbf6c33dab45824dea6847f1ed1f0e95

Download Submit
C:\Windows\SysWOW64\Ehbnigjj.exe

Filesize
80KB

MD5
a4bd36c446f5dc1b7638f4decc8656c0

SHA1
34743e69610ceccd11d1f1f941c16ac971017131

SHA256
e6b9697fce998941f25236575e89b192bee539f85a62e0481734aead0b630565

SHA512
426f367daf7c94a1fe18e428cc77fc1bae818ad44336cdc58a1cf924162ad31b46de16e1571a1c6a39c5142c586b4141d823c5dcd4b1ba836384354432fedabd

Download Submit
C:\Windows\SysWOW64\Ekgqennl.exe

Filesize
80KB

MD5
b6da2243bfe28263d43fa8e60fd57b92

SHA1
5070583579cfa8a237eb711fe097ba336a37b9da

SHA256
8c7f30a6a8ca1d221433365623419a21ffa1da5a667e629b9467e619348f922b

SHA512
050b9ab8f3a6bd8beb0c003f40251d0b050b6e7673b9b62bf4e6f77cbc0272d87ca10cc014a5efa368bbebfdf636b108d19943f589a5ec26e548a2916b6571b8

Download Submit
C:\Windows\SysWOW64\Ekjded32.exe

Filesize
80KB

MD5
adf99f10ef44ceb06a0657ec20addf73

SHA1
76152ba962e7e0520d69857c5815a565829642aa

SHA256
c20160b75705d035dbf05f60ab943b3407ac49228a93d072a8d51a90c669f317

SHA512
345700e32fc7fdb693d7829a9d63f3962ef48c7a325206c75c59cae4bb460719c1c7b35b94f861334db0abb18f7c9e072c0047f8666014a64417f10f7ab6e862

Download Submit
C:\Windows\SysWOW64\Enpfan32.exe

Filesize
80KB

MD5
d1d1578cfa7b2c99c5207617306dc18f

SHA1
d2b417f069fe440fa06a041156815ff97e56db84

SHA256
11fc3d5d0d0ca59c105188b6a80000fda2b41d1f97f52eadbec26f748eaab2ad

SHA512
517f1b67b28e599064ce711a4b89df7696392b6346d974dbd4bd7a64c7fac0242a8113ca977cf0ac75f36f57fa21f91ab23eff503b4d943f1f3d3f63bf556b99

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
80KB

MD5
a0d3fcfc623cc5a4d79640520af4c135

SHA1
96aa31065ae1e981ca5dcaf4e129a801f0287ba8

SHA256
8b304805b2a6302a8ad7f093b00ae7542e087febad494592ff2df5c0b0650a61

SHA512
3e2fa17989a3b2cc343f6d8947fcaa0fd0922f393c458d6b8911aa30933d05523fab9cedbfbc5ddffdf5e52310641a6db748b714f11e11cd874203dff19ed49f

Download Submit
C:\Windows\SysWOW64\Fqppci32.exe

Filesize
80KB

MD5
6f3a029717e42f625f2383d84dc247da

SHA1
96c4f72f9fa9b6c14335a6c6f8920e350d8d6e21

SHA256
744c817e0bc144ab134b17e450248a8207fa79e3583773a3b6119272232ea52f

SHA512
1f6668cb6c13ddfebdd572ec63fbdb4e43b4ae04b1a0624e5d891d5641d0f7bc3aa0026ca7ca9a23abf1cb12c9eb864baae05539aa35b224fcd54eae670511f3

Download Submit
C:\Windows\SysWOW64\Gacepg32.exe

Filesize
80KB

MD5
047fcdafe9af64a8d5dcf61a5b1c8562

SHA1
a6c3b6ebf157d2a1910efc22f88187b3c7dc711c

SHA256
8a2733399ebc7cf95932cc0ec6834ec3db2864796767d9ab18250802a3d51427

SHA512
936e731dbcb7b5cc1df0f9e01b6b6fe7ad3698560f72efbe266f98f3e8450615813419a62e5ccf708656714821a72ca7f3d6e40667da34338b10d4de8df434dc

Download Submit
C:\Windows\SysWOW64\Hgeihiac.exe

Filesize
80KB

MD5
feb3ef1bda7b63cdeacae6d64d46c493

SHA1
900dd4c00a5cb23a8c668d2fac001d56823e4938

SHA256
ae1ecf49bbc3126cd91b12e9c07a155b9c72faf34661f3985e6318ebaa452687

SHA512
666405c8e28202d4a6e0be96063cbef2ab8fbda7910c883444b012bb8993a559e88bf56db13be16b5f9d96ba1b5d9a9be5600e6d42c419a935b9ac1138d027e1

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
80KB

MD5
f35638c3d135925006de6426b27ee624

SHA1
dc02a421b2cf68f049a6789a8f66099a5fd6ed6c

SHA256
54dd1a356e537eb89f844344d8a983c41df69e3b64efb073b1a647e678cda65c

SHA512
0ce0fc9603b69a2362ffc4684f68c416e14abdccb6b0a0d4664cf8737f3a967b234334b75ccb7a7c7af580e18af82367f96f9900cae444ccf862424d801ac8d2

Download Submit
C:\Windows\SysWOW64\Kcapicdj.exe

Filesize
80KB

MD5
494014ce8220be65ba965c4a20388f29

SHA1
4c8d7ac42236839de9bf374acc68c6f2e2d2f2c3

SHA256
cb5a26222add0cdd5cca58c89f42c119ce8975d32d2110749b8913a15343e0e1

SHA512
30c5e9f00c37e25b1b47d717f53f258e15a066c8572ababd927aa774def0eabe1054a769d880dcd0854fc3683b4d72eab8318041ebfb1a259ca3c03667e96d3a

Download Submit
C:\Windows\SysWOW64\Kedlip32.exe

Filesize
80KB

MD5
1a3ee0b9a39c681312fa1a6fc0a3cd72

SHA1
afee7117cc9be45aa52be2beb9dab0fcfb99aca8

SHA256
e57030419e05d364d170550a7db4151bfada4707d7140d2ce5363e61f35ca4e1

SHA512
ad959d731d90a3ced29d99423ca9411673973d06f20568a305e30810dfa8a5b280a5990f6678102a1111f22b5b6aed00207a379cba05b44315405b72b8b9d17a

Download Submit
C:\Windows\SysWOW64\Lpgmhg32.exe

Filesize
80KB

MD5
cc0c43603ea850fd6d34be269d2cbd29

SHA1
62f5122cc86935a9b8dee19b9f5e8e2e54de29fa

SHA256
f874c0e464a46ddd497863c12e295b6eaa802956d59899b535e5d04e2037e0a6

SHA512
61e002c487b4be104231f5651ccb815935755bc127239d948567500b9f492e86d3a15cdef2fa4f6f3a7a5e73d9e36133c436adc692d393e41109926be12fcf11

Download Submit
C:\Windows\SysWOW64\Mhjhmhhd.exe

Filesize
80KB

MD5
a3b175472d309abb7cc3f623944dedcf

SHA1
b9fdef1ea3c86f4d966b3639b1518fd4e7c0af98

SHA256
8e25300ea2809e6c4994cf6dbf797ee447ab34fc60a3e18516a0eb85371f50ae

SHA512
fb43d5efaff8784cdbacafc05017734b79aa8c762fedf474a8e275fc8a90df4f16df416181d19a8a0d27408459b614e2bcdb0041e67df033472d1479680a174a

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
80KB

MD5
2b84e99cc7a3aa2056a286d931454e07

SHA1
133869385b55eb15acb7625283619cd8895fd3d0

SHA256
241db8428ad35257c038507c2d45be1001e5d305114ec7951a9b08b36e0538af

SHA512
179e4a9bf27e915a872127e9edab67dd28edd5964b4dc8c5cf5698a238c50f0ac8a0f6ebbb13ac64fae5a78abce3b9b68c4374fc946e215ba04193510aa484e2

Download Submit
C:\Windows\SysWOW64\Omdppiif.exe

Filesize
80KB

MD5
97f681e78c29c92b855af692be1c3483

SHA1
77911c1ee36a0a7a4a074480000272ae3444bab8

SHA256
fcfcc290b5014a60870ba4151824347f36a7993b07b427b58b56e5852620f4d4

SHA512
b898e01b4a457493888d82180e108766c6923d76723331be6050ad58daba59d0c812bfc6461856eb9c44d345cdb63f869d7386a7532eb6eb333aff66173a59a2

Download Submit
C:\Windows\SysWOW64\Omfekbdh.exe

Filesize
80KB

MD5
66d209aa9bc7680cb23f4e435685b6b0

SHA1
eccedeeb9f4e5922af0450a587d9c7abeb17825b

SHA256
24411e81beb2a678df89b048ad6bf4febba65c2ec3b6efd8848bc8271963fcc3

SHA512
4830bb0606282191f0af5c3101763f9ab9198683a664a3f46e4b6b42cc9fd5a753ca97ff2c6396b7fb7aba768d4fd10e6b737229047532228042e2a6e3a9b200

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
80KB

MD5
ad9bed4582a5c26ead8128dd696c2a90

SHA1
d47943173525a4d0470a67bea938e90110d6195c

SHA256
0f0b600d19f09cc73090b9be60e30ecb7a14b47b55f208e377ebfdb6a2ba1772

SHA512
984aa338692ea1e6ee6f6ca147b7d673c0f7b1ab31c7b41e1c80d4698859ad1b4bc8e755ad512db16b8e058c98db04666c6492438cb56f52b289e56b206050cd

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
80KB

MD5
46e1fa3fa796c9217587af1b968960de

SHA1
66aad9babd2ba37023e64a564817d6138f56c685

SHA256
fb96e32a3bc25b3f51a97b35b167f2e1d5b2f236d6200d7972e622f1cd9e870a

SHA512
0525d318142290e2658dac26705bef7e442795dbee949cc8b59b9196c80a8e46be56cef27b697245aa25f9269214c11ac36a7bea73fa13fdd3de15fc81db5296

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
80KB

MD5
72fe76114936dc23e8b99a7015db394f

SHA1
f338396af08429853aea7f09b0e6d0484bb66eb3

SHA256
216f576e49085b4c1c8fe378de5de3d677341a715a891a41c77957e92d1f1d6b

SHA512
4f2e4c3a898adbb659f547b2f8d048f843597e7f483921f982afd659bcc4040f6aef0546ebfa2ef0fc9c3dc75989dca9e6294c775145b152868f9492c68d4a66

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
80KB

MD5
5bc0e9dfb99f56ffa6dc943b5490752c

SHA1
4f531df6d228eb3a7e64342f816e1e24cadc9d7d

SHA256
fa82828b2c209f696629d9e0048def1ed20783ba87ec4452bae5389ae2714eaf

SHA512
d78ed9d91af1147db86cea3b87614a6707f4bc14824efd0ffb857c4aeb1b34066e3aa758b9806a589eeedad1323c8d3ea83cf4420909d9f5f45b2b90a383ba77

Download Submit
C:\Windows\SysWOW64\Pdhkcb32.exe

Filesize
80KB

MD5
99330938a03b62be46bdddb6f8c9237d

SHA1
242a39fbb7f1ffdec86f08bd0ff36bd506ebca88

SHA256
24245b16486503f31b1a4316f6903593f8afa1604fcd66ddbedf2d2b1c6ed624

SHA512
98006f48754d0a8a88a1af080bb932651a8ebb3384cebb5889eb73fa6a5cf3c62feef6fff1161b2beb3114fabde7d294506081cf78a3340797039786f9ca7b2a

Download Submit
C:\Windows\SysWOW64\Pdmdnadc.exe

Filesize
80KB

MD5
8f08832f2c7bb1ad828ac4008b2300a8

SHA1
03792b129b115d944992f071d7bc168c58619300

SHA256
0f869839e5edfbb12ec74e333bb523767024be4527a650ef4d04ab3974b8ddf1

SHA512
7361ff66d11ecb3c71da94b37436be45eaf9f4f70f64765434c487779c222350551c56d5ef605ce63fe5279300bb5c8c7b9e3b43e31e9747b1a9c2b85884aeb5

Download Submit
C:\Windows\SysWOW64\Pjlcjf32.exe

Filesize
80KB

MD5
c3d8f19c7187cc81d1569d7a30037a98

SHA1
4a9a7d1eb496c8ab011e57fdb1ee251a90381929

SHA256
875d86f7a400ddc73282c938c833b2871fbdc687236d8e1a044c49153c8d27ee

SHA512
ef83f3f20c9f856b45e8913b19ca1804d3d77147bc861007e03515d1cf1fb6a83e8100a486b5af46fee5c9e8d779ed619792444499b99e327e015d359a048c70

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
80KB

MD5
7ed1eb5ff82bf7b21512b475840a5f24

SHA1
5d352778187e950a83163aa45df428818a408697

SHA256
e932de8471450e556b52fd14f1c30c69605426e3932b8d172685c9f24f3c0d65

SHA512
f7a3a5bc825129d792c1b4e1ffb2ae46ae6af53ab14007259d64ba888686ae029d83f3b04c9b4e638fd2a0aff55f6de2f082b13fa6f5aa4878fe6e89015d92d1

Download Submit
C:\Windows\SysWOW64\Qcnjijoe.exe

Filesize
80KB

MD5
f9d01357c588bf89e19772f51a230b60

SHA1
a1380a101997f4e4f82284d9eec9a0151920f080

SHA256
39759011abc4046caa449b65b7adbee4ae307d8eb075036c3eb91fdb0afcd998

SHA512
bdb935f6082ccece5dff6a6222513bc21dd098302f28fb5893d11a8ff61f0495057674c0249d3ec5a86b24dce0b076a48d9f6e5900a64ad344376cd0755dfb0d

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
80KB

MD5
006c34ad70fa96ace2d862e2ce90d618

SHA1
7ad874a9284ab1038e1456b19f49c48f57b0f3f8

SHA256
dab2fcce52eb142d4fd3ab10393a2f02cfc5caac043f0aa38053ff992da6e10a

SHA512
d9e17b72054363c9f3549f274ec7becdd984062b83687b7f0e617b76b7a5ab611821b34f69fa961feead20c25e260bbec1aa63b68092fe1b8ccbc4d57c09a934

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
80KB

MD5
52897249f9587e2a387bc05d0de00476

SHA1
7317903727e82c04e3678cce5f91deb1182d37fc

SHA256
71b182c8390a0d1df581da40b72554b6bf45428869fe62152eea4d62ef4ac907

SHA512
c0658c1bd5c5dba624157f3a30ecbe9952bae9a67218e3ccf731877683143c5d6da2420dd49d0540890263f7df29184ee4ca68b99241a72997545bc45109c7e4

Download Submit
memory/220-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/936-581-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/940-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1120-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1184-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1288-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1336-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1416-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1472-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1624-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1676-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1684-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1692-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1708-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1708-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1776-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1796-588-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1988-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1996-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1996-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2004-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2124-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2140-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2152-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2152-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2256-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2324-495-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2444-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2604-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2644-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-534-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2824-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2992-528-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3136-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3188-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3216-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3272-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3296-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3336-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-553-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3456-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3580-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3628-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3648-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3656-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3660-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3676-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3684-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3696-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3708-489-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3712-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3860-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3888-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4048-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4048-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4156-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4156-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4156-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4196-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4244-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4316-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4392-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-515-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4628-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4764-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4928-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4928-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5068-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5092-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads