3abfb5560b7410c9c94e1a5b9d89d3eba5d126db73c8fa07ec755b7074297262

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3abfb5560b7410c9c94e1a5b9d89d3eba5d126db73c8fa07ec755b7074297262_NeikiAnalytics.exe
Size

259KB
MD5

b2b508a057e2b7b0126054b1dd66cc60
SHA1

ce813285bee19b746270a21d7226beee8e1679d9
SHA256

3abfb5560b7410c9c94e1a5b9d89d3eba5d126db73c8fa07ec755b7074297262
SHA512

4f4d9210476bc3b7163cc51e6f860423c238981abc3c3c52476e201d277681e5b1815b5f5ced4de64e1a2d58e42753ce17ac1b8859f55ae50bf716ab54d9bf81
SSDEEP

3072:dWYwAxKX9+HWWKWXOD6v4nJ9IDlRxyhTbhgu+tAcrzkAqSxYIhOmTsF93UYfwC6U:d5T34nsDshsrYIcm4FmowdHoSa

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhikci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgmdec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbnaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkdpbpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haodle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigbmpco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jojdlfeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgmmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgmdec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haodle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fajbjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fajbjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpqggh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakmna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhdbhifj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjnnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekcgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmfcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmipdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iimcma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebijnak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbnaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajjokd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhcali32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3abfb5560b7410c9c94e1a5b9d89d3eba5d126db73c8fa07ec755b7074297262_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biiobo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opnbae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gngeik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbihjifh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbdehlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gacepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jafdcbge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhcali32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe

Executes dropped EXE 64 IoCs

pid	Process
3348	Mgeakekd.exe
3996	Nmdgikhi.exe
3328	Nmfcok32.exe
2960	Nmipdk32.exe
3732	Njmqnobn.exe
412	Nceefd32.exe
1720	Opnbae32.exe
4644	Ofkgcobj.exe
3068	Ohlqcagj.exe
2528	Qdoacabq.exe
1724	Adcjop32.exe
2044	Ahdpjn32.exe
4176	Agimkk32.exe
972	Bgnffj32.exe
3088	Bogkmgba.exe
3988	Bahdob32.exe
3400	Cdkifmjq.exe
3828	Cocjiehd.exe
3792	Ckjknfnh.exe
1788	Cogddd32.exe
2288	Dahmfpap.exe
3044	Dhdbhifj.exe
928	Dhgonidg.exe
4552	Dhikci32.exe
3840	Eqgmmk32.exe
4044	Ehpadhll.exe
3564	Egened32.exe
648	Ekcgkb32.exe
3408	Fqppci32.exe
404	Fgmdec32.exe
2916	Fbdehlip.exe
4820	Fajbjh32.exe
2872	Ganldgib.exe
4092	Gkdpbpih.exe
2168	Gacepg32.exe
3156	Gngeik32.exe
4216	Hnibokbd.exe
4180	Hpioin32.exe
4780	Heegad32.exe
916	Hbihjifh.exe
4464	Haodle32.exe
3972	Hbnaeh32.exe
4380	Ipbaol32.exe
3944	Iogopi32.exe
4892	Iimcma32.exe
1136	Ihbponja.exe
4040	Ihdldn32.exe
1216	Jafdcbge.exe
2376	Jojdlfeo.exe
2592	Kakmna32.exe
2196	Kplmliko.exe
1576	Klbnajqc.exe
5000	Kpqggh32.exe
4536	Kcapicdj.exe
1488	Lebijnak.exe
4436	Lhcali32.exe
2932	Ljbnfleo.exe
4420	Lckboblp.exe
3052	Loacdc32.exe
676	Mpapnfhg.exe
2548	Mpclce32.exe
4616	Mhoahh32.exe
3832	Mjnnbk32.exe
1244	Mokfja32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mokfja32.exe	Mjnnbk32.exe
File created	C:\Windows\SysWOW64\Ommceclc.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Egened32.exe	Ehpadhll.exe
File created	C:\Windows\SysWOW64\Njmqnobn.exe	Nmipdk32.exe
File created	C:\Windows\SysWOW64\Bgdemb32.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Fopjdidn.dll	3abfb5560b7410c9c94e1a5b9d89d3eba5d126db73c8fa07ec755b7074297262_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ofckhj32.exe	Niojoeel.exe
File opened for modification	C:\Windows\SysWOW64\Ommceclc.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Bigbmpco.exe	Aalmimfd.exe
File opened for modification	C:\Windows\SysWOW64\Ehpadhll.exe	Eqgmmk32.exe
File opened for modification	C:\Windows\SysWOW64\Dhgonidg.exe	Dhdbhifj.exe
File created	C:\Windows\SysWOW64\Hknfelnj.dll	Dhdbhifj.exe
File created	C:\Windows\SysWOW64\Mdhbbnba.dll	Ganldgib.exe
File created	C:\Windows\SysWOW64\Cpljehpo.exe	Bgdemb32.exe
File opened for modification	C:\Windows\SysWOW64\Ofkgcobj.exe	Opnbae32.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Fajbjh32.exe	Fbdehlip.exe
File opened for modification	C:\Windows\SysWOW64\Haodle32.exe	Hbihjifh.exe
File created	C:\Windows\SysWOW64\Mldjbclh.dll	Hbihjifh.exe
File created	C:\Windows\SysWOW64\Jlmmnd32.dll	Lckboblp.exe
File opened for modification	C:\Windows\SysWOW64\Nceefd32.exe	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Gillppii.dll	Hnibokbd.exe
File opened for modification	C:\Windows\SysWOW64\Lckboblp.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Leldmdbk.dll	Biklho32.exe
File opened for modification	C:\Windows\SysWOW64\Bphqji32.exe	Bpedeiff.exe
File opened for modification	C:\Windows\SysWOW64\Dmjmekgn.exe	Cpfmlghd.exe
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Cogddd32.exe
File created	C:\Windows\SysWOW64\Qdoacabq.exe	Ohlqcagj.exe
File created	C:\Windows\SysWOW64\Domdocba.dll	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Kpqggh32.exe	Klbnajqc.exe
File created	C:\Windows\SysWOW64\Mjnnbk32.exe	Mhoahh32.exe
File opened for modification	C:\Windows\SysWOW64\Nbphglbe.exe	Nqoloc32.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	Bmladm32.exe
File opened for modification	C:\Windows\SysWOW64\Opnbae32.exe	Nceefd32.exe
File opened for modification	C:\Windows\SysWOW64\Adcjop32.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Hnjfof32.dll	Hbnaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Nmaciefp.exe	Nfgklkoc.exe
File created	C:\Windows\SysWOW64\Ildolk32.dll	Nbphglbe.exe
File created	C:\Windows\SysWOW64\Eknphfld.dll	Bboffejp.exe
File created	C:\Windows\SysWOW64\Qimkic32.dll	Mgeakekd.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Eibmbgdm.dll	Gkdpbpih.exe
File opened for modification	C:\Windows\SysWOW64\Nfgklkoc.exe	Mokfja32.exe
File opened for modification	C:\Windows\SysWOW64\Pmhbqbae.exe	Pfojdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bigbmpco.exe	Aalmimfd.exe
File created	C:\Windows\SysWOW64\Aldjigql.dll	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Gacepg32.exe	Gkdpbpih.exe
File created	C:\Windows\SysWOW64\Biklho32.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Oglbla32.dll	Nceefd32.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Ohlqcagj.exe
File created	C:\Windows\SysWOW64\Cocjiehd.exe	Cdkifmjq.exe
File opened for modification	C:\Windows\SysWOW64\Ckjknfnh.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Oblknjim.dll	Ckjknfnh.exe
File created	C:\Windows\SysWOW64\Hlhbih32.dll	Fbdehlip.exe
File created	C:\Windows\SysWOW64\Kplmliko.exe	Kakmna32.exe
File created	C:\Windows\SysWOW64\Hpkdfd32.dll	Obqanjdb.exe
File created	C:\Windows\SysWOW64\Lnmodnoo.dll	Nmfcok32.exe
File created	C:\Windows\SysWOW64\Gngeik32.exe	Gacepg32.exe
File opened for modification	C:\Windows\SysWOW64\Ipbaol32.exe	Hbnaeh32.exe
File created	C:\Windows\SysWOW64\Apjfbb32.dll	Lhcali32.exe
File created	C:\Windows\SysWOW64\Gkbilm32.dll	Ckbncapd.exe
File opened for modification	C:\Windows\SysWOW64\Cgiohbfi.exe	Cpogkhnl.exe
File created	C:\Windows\SysWOW64\Kmfpdfnd.dll	Fqppci32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5124	6008	WerFault.exe	200

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgfl32.dll"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihbponja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kakmna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkdpbpih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbnaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omdieb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3abfb5560b7410c9c94e1a5b9d89d3eba5d126db73c8fa07ec755b7074297262_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gillppii.dll"	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfjqmbc.dll"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll"	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odibfg32.dll"	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jojdlfeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplmliko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leldmdbk.dll"	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgeakekd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcodk32.dll"	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihbponja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnlgh32.dll"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgmdec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhpmpa.dll"	Nmdgikhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldgkp32.dll"	Kpqggh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekcgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfe32.dll"	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldjbclh.dll"	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipbaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damlpgkc.dll"	Nfgklkoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhdbhifj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjaaljm.dll"	Jafdcbge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmmnd32.dll"	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfkp32.dll"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldjcoje.dll"	Ekcgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgpamjnb.dll"	Gacepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajbghaq.dll"	Hpioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiahpo32.dll"	Cpogkhnl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3348	2104	3abfb5560b7410c9c94e1a5b9d89d3eba5d126db73c8fa07ec755b7074297262_NeikiAnalytics.exe	90
PID 2104 wrote to memory of 3348	2104	3abfb5560b7410c9c94e1a5b9d89d3eba5d126db73c8fa07ec755b7074297262_NeikiAnalytics.exe	90
PID 2104 wrote to memory of 3348	2104	3abfb5560b7410c9c94e1a5b9d89d3eba5d126db73c8fa07ec755b7074297262_NeikiAnalytics.exe	90
PID 3348 wrote to memory of 3996	3348	Mgeakekd.exe	91
PID 3348 wrote to memory of 3996	3348	Mgeakekd.exe	91
PID 3348 wrote to memory of 3996	3348	Mgeakekd.exe	91
PID 3996 wrote to memory of 3328	3996	Nmdgikhi.exe	92
PID 3996 wrote to memory of 3328	3996	Nmdgikhi.exe	92
PID 3996 wrote to memory of 3328	3996	Nmdgikhi.exe	92
PID 3328 wrote to memory of 2960	3328	Nmfcok32.exe	93
PID 3328 wrote to memory of 2960	3328	Nmfcok32.exe	93
PID 3328 wrote to memory of 2960	3328	Nmfcok32.exe	93
PID 2960 wrote to memory of 3732	2960	Nmipdk32.exe	94
PID 2960 wrote to memory of 3732	2960	Nmipdk32.exe	94
PID 2960 wrote to memory of 3732	2960	Nmipdk32.exe	94
PID 3732 wrote to memory of 412	3732	Njmqnobn.exe	95
PID 3732 wrote to memory of 412	3732	Njmqnobn.exe	95
PID 3732 wrote to memory of 412	3732	Njmqnobn.exe	95
PID 412 wrote to memory of 1720	412	Nceefd32.exe	96
PID 412 wrote to memory of 1720	412	Nceefd32.exe	96
PID 412 wrote to memory of 1720	412	Nceefd32.exe	96
PID 1720 wrote to memory of 4644	1720	Opnbae32.exe	97
PID 1720 wrote to memory of 4644	1720	Opnbae32.exe	97
PID 1720 wrote to memory of 4644	1720	Opnbae32.exe	97
PID 4644 wrote to memory of 3068	4644	Ofkgcobj.exe	98
PID 4644 wrote to memory of 3068	4644	Ofkgcobj.exe	98
PID 4644 wrote to memory of 3068	4644	Ofkgcobj.exe	98
PID 3068 wrote to memory of 2528	3068	Ohlqcagj.exe	99
PID 3068 wrote to memory of 2528	3068	Ohlqcagj.exe	99
PID 3068 wrote to memory of 2528	3068	Ohlqcagj.exe	99
PID 2528 wrote to memory of 1724	2528	Qdoacabq.exe	100
PID 2528 wrote to memory of 1724	2528	Qdoacabq.exe	100
PID 2528 wrote to memory of 1724	2528	Qdoacabq.exe	100
PID 1724 wrote to memory of 2044	1724	Adcjop32.exe	101
PID 1724 wrote to memory of 2044	1724	Adcjop32.exe	101
PID 1724 wrote to memory of 2044	1724	Adcjop32.exe	101
PID 2044 wrote to memory of 4176	2044	Ahdpjn32.exe	102
PID 2044 wrote to memory of 4176	2044	Ahdpjn32.exe	102
PID 2044 wrote to memory of 4176	2044	Ahdpjn32.exe	102
PID 4176 wrote to memory of 972	4176	Agimkk32.exe	103
PID 4176 wrote to memory of 972	4176	Agimkk32.exe	103
PID 4176 wrote to memory of 972	4176	Agimkk32.exe	103
PID 972 wrote to memory of 3088	972	Bgnffj32.exe	104
PID 972 wrote to memory of 3088	972	Bgnffj32.exe	104
PID 972 wrote to memory of 3088	972	Bgnffj32.exe	104
PID 3088 wrote to memory of 3988	3088	Bogkmgba.exe	105
PID 3088 wrote to memory of 3988	3088	Bogkmgba.exe	105
PID 3088 wrote to memory of 3988	3088	Bogkmgba.exe	105
PID 3988 wrote to memory of 3400	3988	Bahdob32.exe	106
PID 3988 wrote to memory of 3400	3988	Bahdob32.exe	106
PID 3988 wrote to memory of 3400	3988	Bahdob32.exe	106
PID 3400 wrote to memory of 3828	3400	Cdkifmjq.exe	107
PID 3400 wrote to memory of 3828	3400	Cdkifmjq.exe	107
PID 3400 wrote to memory of 3828	3400	Cdkifmjq.exe	107
PID 3828 wrote to memory of 3792	3828	Cocjiehd.exe	108
PID 3828 wrote to memory of 3792	3828	Cocjiehd.exe	108
PID 3828 wrote to memory of 3792	3828	Cocjiehd.exe	108
PID 3792 wrote to memory of 1788	3792	Ckjknfnh.exe	109
PID 3792 wrote to memory of 1788	3792	Ckjknfnh.exe	109
PID 3792 wrote to memory of 1788	3792	Ckjknfnh.exe	109
PID 1788 wrote to memory of 2288	1788	Cogddd32.exe	110
PID 1788 wrote to memory of 2288	1788	Cogddd32.exe	110
PID 1788 wrote to memory of 2288	1788	Cogddd32.exe	110
PID 2288 wrote to memory of 3044	2288	Dahmfpap.exe	111

C:\Users\Admin\AppData\Local\Temp\3abfb5560b7410c9c94e1a5b9d89d3eba5d126db73c8fa07ec755b7074297262_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3abfb5560b7410c9c94e1a5b9d89d3eba5d126db73c8fa07ec755b7074297262_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\Mgeakekd.exe
  C:\Windows\system32\Mgeakekd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\SysWOW64\Nmdgikhi.exe
    C:\Windows\system32\Nmdgikhi.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\SysWOW64\Nmfcok32.exe
      C:\Windows\system32\Nmfcok32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3328
    - - C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Dhgonidg.exe
        
        C:\Windows\system32\Dhgonidg.exe
        24⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        28⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Fqppci32.exe
        
        C:\Windows\system32\Fqppci32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3408
        
        C:\Windows\SysWOW64\Fgmdec32.exe
        
        C:\Windows\system32\Fgmdec32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        48⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        55⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        60⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        62⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        70⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        71⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        72⤵
        
        PID:636
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        73⤵
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        75⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        76⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        77⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        79⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        83⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        85⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        86⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        88⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        89⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        96⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        99⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        103⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        104⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        107⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6008 -s 400
        108⤵
        Program crash
        
        PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6008 -ip 6008
1⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:6012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abjmkf32.exe

Filesize
259KB

MD5
d8482b163040606a8be848bbff8ed6fc

SHA1
366767a6006a5e6c7675d9b0d186472ac23b23de

SHA256
ccec630377b9a246a74fd118f3cf890d16e0471672980d0d00dd7d5a4d57b77f

SHA512
c7779df1f7167617a49b96d2263247083ccab80178427b0ab3795463278718ca7cf1995866cb72007a116f17d1e4977d314679162143801cdebf00ebd390ff85

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe

Filesize
259KB

MD5
8a7057e8d1544cf4de12a639da3e0c68

SHA1
51a825d0151e04fd19917c8296a65c9817077e69

SHA256
6f53adb1afff6a497cf817126d1e01d94abde81475107dd196e1fa38773458ba

SHA512
b19360ca60e1b929f9f35c1abeda7b7d8fc30e0584330a46845bcc1c010fd71dd96a43ec67c64c6568f5998a19b2fad0b704dd3a2134cc15c6dca3459ea25ba1

Download Submit
C:\Windows\SysWOW64\Agimkk32.exe

Filesize
259KB

MD5
a0743b2107bbce7b92eb69370652546f

SHA1
9c408f392a5487ecaf8c32f446465541febd1366

SHA256
c33b4d7d9586dfc38e246936710f0140c091abd00aac468c17344193ab4f208c

SHA512
ba51de93066182de1394864973d146522c48276b1b2b0c25bf6218b3c55d645ceb79f128e9498abf8725d525ae3c7d7d516550da54decefffa4b89d663af14d0

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
259KB

MD5
f11122f870337704c6f6437a7636293c

SHA1
76e722266817592cc13784f79d1ad85364cc58fc

SHA256
20a72ac490025746d1645133b6e8e7b8730090dd1cbbf1bfd46003e15429ba1e

SHA512
436ad98511b4d373c540b5f0d47afacd2d9e9347ae37d80736ea687ca398bbab716d181c0ff746a423d9127e3dae075b6a5825182a178f565a566f1ec9e25b11

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
259KB

MD5
7dffeafc74517f35598ffb74fc5f4610

SHA1
702c044a11820b1a95342b5b58f9370c248ef4d7

SHA256
81622133b5fe90a589a7a902a88b030ae8059c9e557a039fb9f80e1fb9782585

SHA512
b052aecea3baaf36d83df908221e0a1ff01a18b6970becd9d56e8c65c8f342cba9a11bc7fec4855252bbd25d0dcdf072e95ff038f56c7ba726abd3432aa544ba

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
259KB

MD5
fa0c3180fe173a067258759e88cb6c51

SHA1
b37f5fcc0d60d349a050646b8e2c5f87890e8eef

SHA256
16b8742fbeeccf13c2412776c4c76b491d69f89eb8ba740c7dcdf3eafd730850

SHA512
a6318c32eb88d5462657a0a477c8a331b15f45b869ba82d4fe16015e17bdfc9b157838898036eafc751329282e3839c862a21d029686d57e4483cfadb92e6aab

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
259KB

MD5
fa87ef47494481391ed0defdc204001c

SHA1
939f89cfacf5571d64aff3e0a89eaa4ff7f3ddd0

SHA256
549dd291b6ff7e26731c19834ba153f51f5fc53adad36a83efe1337b08db9ee1

SHA512
fd772658dd4f17fbca6d6cc9dc1862e1d04f5758e926d67272c23337620eb2eaf19f75f76a97455e26d23767bf3bab93ea97552c39048fdc81a3ce2bb34b8073

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
259KB

MD5
4248991f192e57710bab26b55f058d22

SHA1
47863c9d26568c785643c13fd12740c5c23b0455

SHA256
45afb0faa4e49b9c9a074517ba7579eed9057c4e331257c67d8b9f24f639e3f2

SHA512
d9dd0eb1eb8906111b34de97ecf1671c7646d926d6b14a4fa976234f2adfe9fcd5d3270e39f432e7faaaa00c1a721f8f318c099825bd8677b2c8f9d3c1b9df8e

Download Submit
C:\Windows\SysWOW64\Bphqji32.exe

Filesize
259KB

MD5
d6ffc63cfcc5f8055da615ad34883c93

SHA1
85df05b7855075430674e4eac72ee031cc37b557

SHA256
75399b6fff89da0239036ace3cf4e9cb20122304153477192ef55d0e9e3c4eb0

SHA512
1227355bf5272c615ce1e1e833ae49787c0fbde9ca7864fc62b16d56557129ad5fcbb38c81920c7fdf7fdb48ecc10de68a4184ff776b5a2e96c839f81b0cb120

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
259KB

MD5
be356519a6dc8c0208afa7aec4d09c70

SHA1
66af8924c295e261b4a1e377046cbd20ba54724f

SHA256
0affb4ae1317f7843226f7c908d1fd0ebda1db0e140a621dcff7da1bc9d9e022

SHA512
4a594cbb974399d63d82e5b5b0846605f842a4d4a33895b6ef370d3d36b57e6bb4eb3861f06c54e95f6d684ccb7a2803ac76dab6e62bb46fa4beb5075314242a

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
259KB

MD5
0054f2e8b8b6bc6eca00d699f89ea806

SHA1
756c32557ce94a8211700b116a5ffcf8f38764ce

SHA256
9ad21616a033fd5e2e3aa8d2189f81eedce965b8d77422906da96dd10b07d15b

SHA512
68af9341218868f5040670119499ae703798476c2a72d52dc5a98dfb223b9f60d63a33c3ee05dc1daa3d4ec3e05badb695d26dfd387931c9bf8c3c66d05f3e33

Download Submit
C:\Windows\SysWOW64\Ckjknfnh.exe

Filesize
259KB

MD5
3669b1695c57a5575538edd39514c198

SHA1
b8698dd4875fc7df263ec010bedaf85b7a81dd6b

SHA256
a35d7f0a69f7791c4d056233540cf14841b46d33744f9f54bc0ac6dac983d5f1

SHA512
c064d63f51831b522668381952a5ba34c9d8a4c9196bf9b0de05ec10afa00207dc4b4d57de05245f4d7e43b20e9528dd5a91f2d63c31cd75954c9a866289b278

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
259KB

MD5
0dc89069b839bd5d107200b4e4038c54

SHA1
f7a665134d6da00c043b1ecf8ab73ca844e684db

SHA256
93244bc1c005bf9ea45f72de89e1053b58eb5a765164ed60ab342ed4a1298067

SHA512
60e723e403736bd43360ea0fc9a5772f5fc10daf78781e656b2eb388fbf2c6a5a1794facff9c2723c1d99e8acff20fba9e9d08d28911c9062f6bedb878d13930

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
259KB

MD5
2f60362fe10bec7b634d4b53cdf8b160

SHA1
e41addf21cc21cd36b292faddf8746ab9f652567

SHA256
589d9976e58270d936208a9a1e057a578018203634198909d4ab1b1cd9e6ac40

SHA512
8cd1a4b2b0791f1ad8f55f7e56c95986031253bea2a7fd1124445316e0d775de3d33c136fcd0527c434f7a26db58064672b489d70cd29c434d43b8b69f60efb9

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
259KB

MD5
4ca58b89aa1da02d5baacb0476193206

SHA1
7d36a5d57e52159c69c63b5fbef5c39d84cf74b4

SHA256
9b91346a8cd760d6afcda2ebe8fafb0211859d9046b3214437e0a9d418b1bbbd

SHA512
b06978b7000d0c64962d7d9bf0bf1631392ad3122aab91a88b4a1368314ac618424ef493ad9a466d6463f40d9a9b2e7ffba2d6b376e3093a8e9641fd22c43851

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
259KB

MD5
35ccc276260a9dca40f07b5802532ebe

SHA1
60377a2eea2108590a6e1d9bdb51aa0df92d9a03

SHA256
eace73279134c0f8f8c290dacc630fbf5de4424bd72d973caa02ecf139bfc1c3

SHA512
a22897e7e4c5243d928738a10dadf396b4aaa929a923f98464232f492bddee1ba1f4e74f3b1ce1a2d3daddc968aa744c92aaa063f0bfa1f4932d1591fbae5dd5

Download Submit
C:\Windows\SysWOW64\Dhdbhifj.exe

Filesize
259KB

MD5
c2c1cba87cea4adc994a48fb62ee254a

SHA1
5c2b6eb9d58cb9c515ca13d30c59d1438754656a

SHA256
695e303b99e1a434fa1d826702ee3f8ed3cacbaddb5c399373c16f98bdcb4912

SHA512
700c075e4c835284f5211dea880c23cb8b6fc6ed08d15fca424314ccdbce8a53931a790473a577e798a5ab84ae93416b69a6ea5bb9b785a1a400ccdb78869457

Download Submit
C:\Windows\SysWOW64\Dhgonidg.exe

Filesize
259KB

MD5
8c45e5e863a20ab3bd5d568a4229f621

SHA1
f151e232ecf8d28ac76ea44af6f3cf745582ef14

SHA256
6f4406b36078c7de5969b3caefd244b07b376dfeb859fefeb1147a82b20897b7

SHA512
6bc3c567e2958facfe8da65ace34c64653ea87755a48734e664b72f85b1d07d1487c87672171f3eaf7295ceb9fbef6fd879c1d5bc80c6b9393b1ae8a1349be0d

Download Submit
C:\Windows\SysWOW64\Dhikci32.exe

Filesize
259KB

MD5
e581fd3383480b1f7c32c18fe8dbdc8a

SHA1
c01c6c7b7f019b42ddb27293f546c080b2788ec8

SHA256
5d33599db945d054a9ed7c8a35f3d8c50e922a0d1f66fab59100a2e19491c474

SHA512
35366f5360a491ce8935c838a9d361524cb5841a67b950e2176ef37ff463bb1a8dceb4000d399af8c40c64f74e0f933d42c8b1431c75e2a72a1a1fe8e4f91847

Download Submit
C:\Windows\SysWOW64\Egened32.exe

Filesize
259KB

MD5
18c5acaf57fec98f900fd7f0174779c7

SHA1
7e6c033ac33a1d59457a38f9bd85ae7a3aed86db

SHA256
436092f066bf0392104f5979fe1f3dbf22b0f837108d436713383675c04b7759

SHA512
57c43de6f7412c4e07bcfef0524b7789fda014efb199417b134d2a6accd828ea997bcfbad7dee6aaf0c2bb0d49133b8a3dbfe1f757358848fc992b8c616edcbe

Download Submit
C:\Windows\SysWOW64\Ehpadhll.exe

Filesize
259KB

MD5
391060beb6e5c8b13c5068da7239b7fb

SHA1
5361c8fed3f50eb620cf371fc723f74b4c13a98a

SHA256
d611cf47ac6042b8392fdc19811fa64e7589fa6c25a8f1434a72f370099501ce

SHA512
48a6e6d89be746e6f5713eea14a01dfe03870b672b6ffdae39db02bcc004d9c48a05b8992908d664b2398721eaabf487a9a1d0a6a760a0ecd0a1e5c0524b38b4

Download Submit
C:\Windows\SysWOW64\Ekcgkb32.exe

Filesize
259KB

MD5
6bee1a6d83d65e55e4248befedbcebce

SHA1
56afb4cb4453acca9d49bb13528fa984cf2d7cdc

SHA256
3aa795cee1f63bd4c231f3b2506e841628ce0635922963d6d16859f5caa06991

SHA512
b540e65c5b2b417220c777bf356eff0d539b6c6d6da61d2eb8f2ba7dfc2aedaf3f94fee98297e1fea4ab5b1f05729b3a384badf0625f65e1720f4bd67046adbf

Download Submit
C:\Windows\SysWOW64\Eqgmmk32.exe

Filesize
259KB

MD5
8055692d94183c65c40627588657dcdd

SHA1
eae06ba12fd8bd570eddea618ff328def47255a5

SHA256
3aa50a65d01634917ff99a03afe774dc3b16ba6e403c24d5ac9ffe77830bb575

SHA512
e1793dde8a05b605bfd27af9a20d962fc883c8140eff3829fcf804418d5b9f95b4f5fb2f54aa43876b6708391c30b97c435418b303c0012a929822c16eab9a20

Download Submit
C:\Windows\SysWOW64\Fajbjh32.exe

Filesize
259KB

MD5
bac175595e0a2be6e5e1204a54a87b42

SHA1
8f71c8339f054e53afff0006dd86c772ae0a6019

SHA256
e15632ff3ff4a4ec09911940c6928a3f566ab92046d8d7565367545ab5a577a8

SHA512
e9ce38c302dabb77983d96f0324bf2c37ce96426fc68c4e0d476bc0cf70d95fffa221bd905e9f789bdacf67323c1b6d4560791cd94c0bd0c07fbfd388586a7bc

Download Submit
C:\Windows\SysWOW64\Fbdehlip.exe

Filesize
259KB

MD5
bbeae947ab92aa592eaca4529e26ce2c

SHA1
208f92692fffd8a82bd70dd81809b316d5d3fd0d

SHA256
27187ffcb59b06f07b1a0578a07b072fd92cf9ff6b022301e552598eba1d7f79

SHA512
6fe95d4da9a06c8005181d5628939548457efb9c8fa97b6901982125074b548aeeeda9c2bb0a3af216c34126c808fd4371b83849a10926c37850e302e9d4fd79

Download Submit
C:\Windows\SysWOW64\Fgmdec32.exe

Filesize
259KB

MD5
d7d42ddf225d5350f76ae7c76a2c8770

SHA1
fd11290eaed9a5d0654e06fd666200b4f30ba963

SHA256
2245f6b57059afb90d285bd25f3bf03e0afa99ebb6bc41f19ab0bf0652ad57ee

SHA512
2a7b923f1c164b426c4e6e3609f71ab26aad83060817e977a8a07baae3b402c7c7efa4622c7daafeeab55c19e69da3625e15cdd1c107f27c26480a2c42f8aaca

Download Submit
C:\Windows\SysWOW64\Fqppci32.exe

Filesize
259KB

MD5
b08e95776865d2f86b0a50ee217fa928

SHA1
a32a7bb1fe973f9208f0c08c93c8d7a733577e88

SHA256
56c014cdf476abfb07b360e70b9b0010a1649d4ab0c25e3f1aaa71a0362ea2b1

SHA512
7d61aed9384873571f0bfd4e7486cd66522be3d821378930b295b57391d3ef467ea8970d51a4ce1989a207ac79dee38307e96ea43b14a0908fc56a0a5604b758

Download Submit
C:\Windows\SysWOW64\Gacepg32.exe

Filesize
259KB

MD5
a1417ecda999e89f39240dbc707dcf8e

SHA1
f4744e48bf739e927e90843c83d8f93d1c94fa44

SHA256
cd43c82839a1249aec5025498e65386cd64dc1db9be60c6f497a0b3c2dde2046

SHA512
972ff728755592ae94b465b90f26b655ce27775af5304e036f98b451463a4794df019031c7b908c6a89e619eac7a4a150809e4eef4b4bd563d145c83d104783a

Download Submit
C:\Windows\SysWOW64\Hbihjifh.exe

Filesize
259KB

MD5
f7c537e67c7c965a96fe20fc54cae70a

SHA1
63bf6cfa41ac681e5c0278fedac5eddf7791ccef

SHA256
732ea567710f246b609f5c127824cd2241c5afb2748bfc45f101730633b3089c

SHA512
7983028115699c731a7384e844c86463cb0d63b68bdccf18f663e8af70bd369316ab151d835b2151d0c34bb622379fd2f0d01b620057dd7fb41bfa8edaa32916

Download Submit
C:\Windows\SysWOW64\Ihbponja.exe

Filesize
259KB

MD5
33d270d40b72d2d60077bb2e1d89c166

SHA1
1941fab294368eb6700792562735a1f7cd129daa

SHA256
31cc465bd209b77b9e9d689b3aa25cec91c7ceaab794b7f54be95c7b8fe95853

SHA512
e8d0cdd57149524dc99d20acd646e49cb36d24b2230f69d7979eaebc62dc82ea1fb51225a97e5a8008c4d41187a0949c86b00c51f9e48349546b4c9aa309ab1d

Download Submit
C:\Windows\SysWOW64\Kpqggh32.exe

Filesize
259KB

MD5
d362db6d66935e06643bdb44216e9abb

SHA1
1a31100b4fea3f3f9a28ab4c725896a2e5b89188

SHA256
94ec17f875cc05da932ad3c28f765927e27ac2ad603d69f998758591b69bbcb2

SHA512
593b0f3a56e73abd8a0b12e3d5b591c6a83949fa20107f650e17e81085e2dcea1ae22d274e7eac71701e35c24ab0258976b8cd1e2ee0cb0af31940e31a99e9a7

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
259KB

MD5
b53636196322517a16173f58ea6bd48d

SHA1
c652e696b3af91a3956fabdcdc054cf270c5e6f7

SHA256
b0ee7e4e80face33a48051a8aaa4b642508c5bc044440dcc3f813a343a7fa759

SHA512
8c61107e15b2cbc46d618f02b817756f135d7876c7dfdc8a13f4b54aec5ea9dfe943dd1406aa6d12d8a7a05d0305a45e8c76db665b64913e6f6763b20761c299

Download Submit
C:\Windows\SysWOW64\Mhoahh32.exe

Filesize
259KB

MD5
97aedaf50a2805d0a2498c0c5c2bc6f0

SHA1
55815f593d9da563ab7705365c1b66970ef3388d

SHA256
ab0a986381eba35fc0e5ae5fb972e4a264ff91135349de586dfbc891b8d1f9a7

SHA512
e66d950826204af06ec6c6dbfc57a17c7f0b281fb20292ff86e3acf791f8479417b82e183dfeac8414c4eedf988d2d5693561757995b10e43ca6a578485ef0ec

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
259KB

MD5
afe9ace1f91947d4dafef1ef121cbf49

SHA1
b85fb30fe0f8291f7fed7f0465f3f5820dba6ee9

SHA256
d78ef0a2d87f3f0ca467ecb63c01aba91dd30818f89cc2bd865862d66f92661b

SHA512
012a541ffc6c5e6075ca62668da5c84e2931dab4bb36e334a1587236e936225b7cfef74e9532404c0cf1c5729927d94496dc659155e3db3b219819fadf016f57

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
259KB

MD5
1f188ada98b2ff7e78506bf8e4bdd422

SHA1
a1642fe628dbc80a353564cbf1517459260ac2ad

SHA256
873d773a99711ad374650c4ed2ce1ca43e5d18602bace27b08ec0c55c11890a4

SHA512
86931302005253a078063f06498fb6b98346db42d7e07ba6e87b31f65f3a09f689583f3ce65cbd89777c96946f87c18e321ddc2a067d3123c1d6c1c35870a85e

Download Submit
C:\Windows\SysWOW64\Nmdgikhi.exe

Filesize
259KB

MD5
3b19d845ec1315587fb16497e0365db7

SHA1
77705976a632d2ccfa9ec3896bc19d2b3df04b70

SHA256
11781be1f2e44db530b30ee03f8ac3c160b5876f14ca32c3732dbfa59f9fc16b

SHA512
a8fd4ec0abab0eef951eddc39e1d07178e755ef2c81abe66647359793d3d8a8c419746df2870e72aa52057a8ffaacd496cbcd4e7348cf4aec38ab414d78dfaf2

Download Submit
C:\Windows\SysWOW64\Nmfcok32.exe

Filesize
259KB

MD5
5d97c71be061cf016498c9f3245ffe6f

SHA1
77ca601bc2415e21e29313e3d0008df842855e15

SHA256
a1a3c6782b31e9fbd627e62a5e2a176105bfcfe1afadde9c9cb67ed5ab0e3430

SHA512
14852bac8388e1f8ee039358bf5145c8f026e0bc317e732cad34877b5cecb0c4a89772bb3ae1bc3e18543cc9b9708302280838c18dc234c326f6e41a3cff5a05

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
259KB

MD5
6494c0a189dac0f730c1d76829a0962e

SHA1
c9d09a949a10ba62958ec577c66fdf7f2f908dcb

SHA256
27572e5b465b01810522dbf5e44ba63ef1efee58cd02e194fd98420353d7f985

SHA512
c920de916b029dea2df10787561583e9ef664be0db13e459ab903379acd9ebb6ff237dbb477d0a139e9088295a6b518559f08a5c987187f4ca9338ced9152131

Download Submit
C:\Windows\SysWOW64\Nodiqp32.exe

Filesize
259KB

MD5
1d736a3a8a0e6029e32cb384333b7456

SHA1
eecb374e2032cfdfc01329a306a0ac76bc42bb5f

SHA256
f2eda58887815d7790a6f85dd0db91893b07c20c4df382b110e1134addfd3955

SHA512
6c9c4641a633ca5d3d75e752009a31dd6b229009a03066a9150f2f922ed549415d9083379ff6daf8567accaf65a55c93a20cd42c6ed2ac1637be6946358cbf83

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
259KB

MD5
ef6767f20f90047e92c6fe53097ec7c1

SHA1
389d534e02ce00cf362a12179e55d179b7e07871

SHA256
12ceec23b8b177d3abffd8413d9ba532fb601a57caa8f2808e2ec75ffbad7498

SHA512
9ecf9ce3a0f56fa30e17893fad164ac5ac254277afc46113c6e17d975277fc2cfb32c4f5282c0d622847119253c178f90ada8a12cda055183c6afaedf6f969e3

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
259KB

MD5
1797764989bc29bbec851e3b8a7c2370

SHA1
936980ee649524b2f6770093148f444e1e9e81fd

SHA256
7abe7a1f223d9af40d265b953f9727c28f82f64deeca37060ac85dd1f235ca56

SHA512
f1860a8b4d2b5a80067097ae23771ace2736ad04768b1aa9122270b4c0be25e296c906d2220de0d627e71f7c7d5356c0f9028b10fba73d9d185d63c7415c20f4

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
259KB

MD5
acfa0f4633109d2fa05a81f1a2080f9a

SHA1
7900e9c33f102eb46e475b47478b786ae1cc79a5

SHA256
224af96738f1e3e8d29c8849967c9a2a18f4278d5460e55934f14088f9cb8a39

SHA512
6fd42e9dc5b52edf2dda92c505f7e0dd9ed962c7a7c9653aa01aaf2607471dba2ba8093c82ae73c50c5c78f64356d552ca5fa8a40c136133b89a625adf5cb938

Download Submit
C:\Windows\SysWOW64\Qcnjijoe.exe

Filesize
259KB

MD5
78bdc228129f179e9cbd89bcddfc2770

SHA1
0d04040638afd64c0c33603578a9cfcf333b5838

SHA256
c8a80f0458846d2c955c9fe4acb09a4fc5953c2a47846113785c605e39c58ac6

SHA512
732a3c16759434adc64e624dc3fe825f0a10171743cc68a61b6deab2fcd88b8905754302e3222cf00608b02aae392dd23116f0c3767046e5f0b86b4cfcbcf59e

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
259KB

MD5
83391553191de240b8526220dc74dab4

SHA1
9bc29d48efde4ada358d2bd24279a0f8a9966059

SHA256
46c6b901d1516a58e7b19dc6ce9f2362bc12e9da9c8e5deb116b2efc0d0ff395

SHA512
bb31aba629cd7288dfc576f7b4de1f055cfc13ad1e829c87a5d965f4601f9c2b74095c6105c3d7978732d94afd3676d683f0c25e0c4495ef962ac28b6cf06b57

Download Submit
memory/404-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/412-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/412-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/636-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/648-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/676-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/916-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/928-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/972-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1136-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1216-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2104-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2104-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2104-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2168-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2376-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3156-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3292-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3308-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3328-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3328-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3408-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3792-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3832-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3840-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3988-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3996-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3996-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4044-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4180-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4216-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4300-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4380-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4464-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4616-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4644-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4768-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5136-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5216-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5260-526-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5308-532-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5348-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5412-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5460-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5504-556-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5564-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5604-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5656-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5700-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5744-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads