4c203d1733781932cc77474c5171bc334b143f76b6e0d7dfe85507488bd89e4b

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c203d1733781932cc77474c5171bc334b143f76b6e0d7dfe85507488bd89e4b_NeikiAnalytics.exe
Size

1.2MB
MD5

a29b90631c1a83150c3cf0c78369ad50
SHA1

dd344dcab813ba7079a49f648443c67173be5e54
SHA256

4c203d1733781932cc77474c5171bc334b143f76b6e0d7dfe85507488bd89e4b
SHA512

07e5ede948343ef755c018d2887517703c2b702fddbd04aa6523098eb79f55b981a06fcee443f48f9f7762b82a5a2545a13672775e462c6ba151819504f3e7c6
SSDEEP

12288:2xxmgTYlFiWZCXwpnsKvNA+XTvZHWuEo3oWiQ4ca:2HmgTYlFiWZpsKv2EvZHp3oWiQ4ca

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hajkqfoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemooo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpqjjjjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onocomdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbpedjnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphqji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbnlaldg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncchae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgbnkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfkkqmiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncchae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hajkqfoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acccdj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkhgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadpdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ommceclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhboolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkhgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbojlfdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4c203d1733781932cc77474c5171bc334b143f76b6e0d7dfe85507488bd89e4b_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acccdj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfjjpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdlmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcmmhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoepebho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicpgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjbhmad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgbnkfm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcmfnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lindkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjoppf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmohno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dijbno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epmmqheb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpnoncim.exe

Executes dropped EXE 64 IoCs

pid	Process
3100	Ckjbhmad.exe
1672	Cfbcke32.exe
3380	Dmohno32.exe
2440	Dijbno32.exe
4724	Ekodjiol.exe
1268	Epmmqheb.exe
1476	Fbbpmb32.exe
2276	Fechomko.exe
3492	Gmafajfi.exe
2380	Gfodeohd.exe
4560	Hbhboolf.exe
4844	Hpnoncim.exe
4592	Hmdlmg32.exe
3676	Illfdc32.exe
3244	Iefgbh32.exe
1076	Ilcldb32.exe
2996	Jgbchj32.exe
3776	Kcmmhj32.exe
3996	Lnldla32.exe
1588	Lqmmmmph.exe
4836	Modgdicm.exe
3056	Nggnadib.exe
4452	Ncchae32.exe
3864	Nagiji32.exe
232	Onocomdo.exe
2680	Pagbaglh.exe
4980	Pjdpelnc.exe
1356	Qhjmdp32.exe
1428	Aknbkjfh.exe
4868	Apmhiq32.exe
2340	Bacjdbch.exe
4292	Bnoddcef.exe
2624	Cocjiehd.exe
2552	Cgnomg32.exe
2936	Cklhcfle.exe
4564	Dgcihgaj.exe
1556	Dhbebj32.exe
4996	Damfao32.exe
2748	Dndgfpbo.exe
3860	Dkhgod32.exe
4932	Eoepebho.exe
1048	Eqiibjlj.exe
4340	Enmjlojd.exe
3148	Eqncnj32.exe
4300	Ekcgkb32.exe
4520	Fbplml32.exe
3816	Fqeioiam.exe
2208	Fbdehlip.exe
3772	Fbgbnkfm.exe
2444	Gkaclqkk.exe
4264	Gnblnlhl.exe
4624	Gbpedjnb.exe
2484	Gngeik32.exe
864	Ghojbq32.exe
2188	Hbenoi32.exe
1616	Hhaggp32.exe
3444	Hajkqfoe.exe
980	Hpkknmgd.exe
4088	Hicpgc32.exe
2316	Hppeim32.exe
372	Ilfennic.exe
1752	Iacngdgj.exe
4736	Iogopi32.exe
4796	Iojkeh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aknbkjfh.exe	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Gelfeh32.dll	Cklhcfle.exe
File opened for modification	C:\Windows\SysWOW64\Eoepebho.exe	Dkhgod32.exe
File created	C:\Windows\SysWOW64\Lomjicei.exe	Lindkm32.exe
File opened for modification	C:\Windows\SysWOW64\Acccdj32.exe	Aimogakj.exe
File created	C:\Windows\SysWOW64\Bcominjm.dll	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Lljoca32.dll	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Cocjiehd.exe	Bnoddcef.exe
File opened for modification	C:\Windows\SysWOW64\Jbojlfdp.exe	Jlbejloe.exe
File created	C:\Windows\SysWOW64\Ahfmjddg.dll	Kemooo32.exe
File opened for modification	C:\Windows\SysWOW64\Mbgeqmjp.exe	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Qhjgbbnj.dll	Acccdj32.exe
File opened for modification	C:\Windows\SysWOW64\Bphqji32.exe	Bkkhbb32.exe
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Glofjfnn.dll	Aalmimfd.exe
File created	C:\Windows\SysWOW64\Ekodjiol.exe	Dijbno32.exe
File opened for modification	C:\Windows\SysWOW64\Ilcldb32.exe	Iefgbh32.exe
File opened for modification	C:\Windows\SysWOW64\Pagbaglh.exe	Onocomdo.exe
File created	C:\Windows\SysWOW64\Hpahkbdh.dll	Eoepebho.exe
File created	C:\Windows\SysWOW64\Kcjjhdjb.exe	Khbiello.exe
File created	C:\Windows\SysWOW64\Modpib32.exe	Mfkkqmiq.exe
File created	C:\Windows\SysWOW64\Nnoefe32.dll	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Hpkknmgd.exe	Hajkqfoe.exe
File opened for modification	C:\Windows\SysWOW64\Joekag32.exe	Jbojlfdp.exe
File created	C:\Windows\SysWOW64\Kpqggh32.exe	Kcmfnd32.exe
File created	C:\Windows\SysWOW64\Ephbhd32.exe	Epffbd32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjocbhbo.exe
File created	C:\Windows\SysWOW64\Pjpbba32.dll	Ekodjiol.exe
File created	C:\Windows\SysWOW64\Pneall32.dll	Pagbaglh.exe
File created	C:\Windows\SysWOW64\Hhaggp32.exe	Hbenoi32.exe
File created	C:\Windows\SysWOW64\Lhaiafem.dll	Epdime32.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Dgihjf32.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Hiplgm32.dll	Hhaggp32.exe
File created	C:\Windows\SysWOW64\Nmdkcj32.dll	Llqjbhdc.exe
File created	C:\Windows\SysWOW64\Fpenlneh.dll	Nbnlaldg.exe
File opened for modification	C:\Windows\SysWOW64\Hppeim32.exe	Hicpgc32.exe
File opened for modification	C:\Windows\SysWOW64\Iogopi32.exe	Iacngdgj.exe
File created	C:\Windows\SysWOW64\Fimgpahk.dll	Cfbcke32.exe
File created	C:\Windows\SysWOW64\Lobpkihi.dll	Gfodeohd.exe
File opened for modification	C:\Windows\SysWOW64\Onocomdo.exe	Nagiji32.exe
File created	C:\Windows\SysWOW64\Dgeaknci.dll	Aknbkjfh.exe
File created	C:\Windows\SysWOW64\Begfqa32.dll	Eqncnj32.exe
File opened for modification	C:\Windows\SysWOW64\Gngeik32.exe	Gbpedjnb.exe
File created	C:\Windows\SysWOW64\Himfiblh.dll	Iacngdgj.exe
File created	C:\Windows\SysWOW64\Nqfbpb32.exe	Nfqnbjfi.exe
File opened for modification	C:\Windows\SysWOW64\Aalmimfd.exe	Affikdfn.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Fohoiloe.dll	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Anoipp32.dll	Lnldla32.exe
File created	C:\Windows\SysWOW64\Bpfljc32.dll	Fbdehlip.exe
File created	C:\Windows\SysWOW64\Lindkm32.exe	Kadpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Ommceclc.exe	Nqfbpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bkkhbb32.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Dodfed32.dll	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Ccppmc32.exe	Cmbgdl32.exe
File opened for modification	C:\Windows\SysWOW64\Apmhiq32.exe	Aknbkjfh.exe
File created	C:\Windows\SysWOW64\Dgpamjnb.dll	Gbpedjnb.exe
File opened for modification	C:\Windows\SysWOW64\Hhaggp32.exe	Hbenoi32.exe
File created	C:\Windows\SysWOW64\Iacngdgj.exe	Ilfennic.exe
File created	C:\Windows\SysWOW64\Bkkhbb32.exe	Bmdkcnie.exe
File opened for modification	C:\Windows\SysWOW64\Bbhildae.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Epmmqheb.exe	Ekodjiol.exe
File created	C:\Windows\SysWOW64\Hicpgc32.exe	Hpkknmgd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6576	6464	WerFault.exe	225

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hppeim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4c203d1733781932cc77474c5171bc334b143f76b6e0d7dfe85507488bd89e4b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbaa32.dll"	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilcldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbjgbff.dll"	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpoggcb.dll"	Qfjjpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fboecfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Illfdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hicpgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fboecfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfmcmai.dll"	Ckjbhmad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll"	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgpamjnb.dll"	Gbpedjnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll"	Hicpgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fechomko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbpedjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngekilj.dll"	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmifiap.dll"	Epmmqheb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hppeim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdebqbi.dll"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iogopi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldclhie.dll"	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epffbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gngeik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekodjiol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhaggp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfljc32.dll"	Fbdehlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbbpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahoec32.dll"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobpkihi.dll"	Gfodeohd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahkpm32.dll"	Ihdldn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiplgm32.dll"	Hhaggp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glofjfnn.dll"	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lqmmmmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbenoa32.dll"	4c203d1733781932cc77474c5171bc334b143f76b6e0d7dfe85507488bd89e4b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anoipp32.dll"	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpkknmgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balgcpkn.dll"	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fallih32.dll"	Hajkqfoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epmmqheb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 3100	1516	4c203d1733781932cc77474c5171bc334b143f76b6e0d7dfe85507488bd89e4b_NeikiAnalytics.exe	91
PID 1516 wrote to memory of 3100	1516	4c203d1733781932cc77474c5171bc334b143f76b6e0d7dfe85507488bd89e4b_NeikiAnalytics.exe	91
PID 1516 wrote to memory of 3100	1516	4c203d1733781932cc77474c5171bc334b143f76b6e0d7dfe85507488bd89e4b_NeikiAnalytics.exe	91
PID 3100 wrote to memory of 1672	3100	Ckjbhmad.exe	92
PID 3100 wrote to memory of 1672	3100	Ckjbhmad.exe	92
PID 3100 wrote to memory of 1672	3100	Ckjbhmad.exe	92
PID 1672 wrote to memory of 3380	1672	Cfbcke32.exe	93
PID 1672 wrote to memory of 3380	1672	Cfbcke32.exe	93
PID 1672 wrote to memory of 3380	1672	Cfbcke32.exe	93
PID 3380 wrote to memory of 2440	3380	Dmohno32.exe	94
PID 3380 wrote to memory of 2440	3380	Dmohno32.exe	94
PID 3380 wrote to memory of 2440	3380	Dmohno32.exe	94
PID 2440 wrote to memory of 4724	2440	Dijbno32.exe	95
PID 2440 wrote to memory of 4724	2440	Dijbno32.exe	95
PID 2440 wrote to memory of 4724	2440	Dijbno32.exe	95
PID 4724 wrote to memory of 1268	4724	Ekodjiol.exe	96
PID 4724 wrote to memory of 1268	4724	Ekodjiol.exe	96
PID 4724 wrote to memory of 1268	4724	Ekodjiol.exe	96
PID 1268 wrote to memory of 1476	1268	Epmmqheb.exe	97
PID 1268 wrote to memory of 1476	1268	Epmmqheb.exe	97
PID 1268 wrote to memory of 1476	1268	Epmmqheb.exe	97
PID 1476 wrote to memory of 2276	1476	Fbbpmb32.exe	98
PID 1476 wrote to memory of 2276	1476	Fbbpmb32.exe	98
PID 1476 wrote to memory of 2276	1476	Fbbpmb32.exe	98
PID 2276 wrote to memory of 3492	2276	Fechomko.exe	99
PID 2276 wrote to memory of 3492	2276	Fechomko.exe	99
PID 2276 wrote to memory of 3492	2276	Fechomko.exe	99
PID 3492 wrote to memory of 2380	3492	Gmafajfi.exe	100
PID 3492 wrote to memory of 2380	3492	Gmafajfi.exe	100
PID 3492 wrote to memory of 2380	3492	Gmafajfi.exe	100
PID 2380 wrote to memory of 4560	2380	Gfodeohd.exe	101
PID 2380 wrote to memory of 4560	2380	Gfodeohd.exe	101
PID 2380 wrote to memory of 4560	2380	Gfodeohd.exe	101
PID 4560 wrote to memory of 4844	4560	Hbhboolf.exe	102
PID 4560 wrote to memory of 4844	4560	Hbhboolf.exe	102
PID 4560 wrote to memory of 4844	4560	Hbhboolf.exe	102
PID 4844 wrote to memory of 4592	4844	Hpnoncim.exe	103
PID 4844 wrote to memory of 4592	4844	Hpnoncim.exe	103
PID 4844 wrote to memory of 4592	4844	Hpnoncim.exe	103
PID 4592 wrote to memory of 3676	4592	Hmdlmg32.exe	104
PID 4592 wrote to memory of 3676	4592	Hmdlmg32.exe	104
PID 4592 wrote to memory of 3676	4592	Hmdlmg32.exe	104
PID 3676 wrote to memory of 3244	3676	Illfdc32.exe	105
PID 3676 wrote to memory of 3244	3676	Illfdc32.exe	105
PID 3676 wrote to memory of 3244	3676	Illfdc32.exe	105
PID 3244 wrote to memory of 1076	3244	Iefgbh32.exe	106
PID 3244 wrote to memory of 1076	3244	Iefgbh32.exe	106
PID 3244 wrote to memory of 1076	3244	Iefgbh32.exe	106
PID 1076 wrote to memory of 2996	1076	Ilcldb32.exe	107
PID 1076 wrote to memory of 2996	1076	Ilcldb32.exe	107
PID 1076 wrote to memory of 2996	1076	Ilcldb32.exe	107
PID 2996 wrote to memory of 3776	2996	Jgbchj32.exe	108
PID 2996 wrote to memory of 3776	2996	Jgbchj32.exe	108
PID 2996 wrote to memory of 3776	2996	Jgbchj32.exe	108
PID 3776 wrote to memory of 3996	3776	Kcmmhj32.exe	109
PID 3776 wrote to memory of 3996	3776	Kcmmhj32.exe	109
PID 3776 wrote to memory of 3996	3776	Kcmmhj32.exe	109
PID 3996 wrote to memory of 1588	3996	Lnldla32.exe	110
PID 3996 wrote to memory of 1588	3996	Lnldla32.exe	110
PID 3996 wrote to memory of 1588	3996	Lnldla32.exe	110
PID 1588 wrote to memory of 4836	1588	Lqmmmmph.exe	111
PID 1588 wrote to memory of 4836	1588	Lqmmmmph.exe	111
PID 1588 wrote to memory of 4836	1588	Lqmmmmph.exe	111
PID 4836 wrote to memory of 3056	4836	Modgdicm.exe	112

C:\Users\Admin\AppData\Local\Temp\4c203d1733781932cc77474c5171bc334b143f76b6e0d7dfe85507488bd89e4b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4c203d1733781932cc77474c5171bc334b143f76b6e0d7dfe85507488bd89e4b_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\Ckjbhmad.exe
  C:\Windows\system32\Ckjbhmad.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\Cfbcke32.exe
    C:\Windows\system32\Cfbcke32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\Dmohno32.exe
      C:\Windows\system32\Dmohno32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3380
    - - C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2440
      - C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        28⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        35⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        38⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Damfao32.exe
        
        C:\Windows\system32\Damfao32.exe
        39⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        40⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\Eoepebho.exe
        
        C:\Windows\system32\Eoepebho.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        43⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        44⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        46⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        47⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Fqeioiam.exe
        
        C:\Windows\system32\Fqeioiam.exe
        48⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        51⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        52⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        55⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Hajkqfoe.exe
        
        C:\Windows\system32\Hajkqfoe.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Hicpgc32.exe
        
        C:\Windows\system32\Hicpgc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Hppeim32.exe
        
        C:\Windows\system32\Hppeim32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        65⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        66⤵
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        67⤵
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1044
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        69⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        70⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        71⤵
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        72⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        75⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        79⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        83⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        85⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        86⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        87⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        89⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        94⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        97⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        98⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        100⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        101⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        105⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4336
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        110⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        111⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        112⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        113⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        114⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        116⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        121⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        122⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        124⤵
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6280
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        129⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 400
        130⤵
        Program crash
        
        PID:6576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6464 -ip 6464
1⤵
PID:6536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:7156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aknbkjfh.exe

Filesize
1.2MB

MD5
9b29616e0fe1692da698101e20b12226

SHA1
1f66b0874cb659dfd6b984bb9e780620628e29b2

SHA256
b27c96eaa7fee50496ca369f1f46650ea4d17123544821a889a6a21da06731b9

SHA512
3d9352b3bc38f33df2ff6d1cfb15b0d28b4e69f8d7a21c4467d213273bfc25e974ae9310f852443b01769f96e29f18c76234f9621868c0de7af18aca34882e0e

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
1.2MB

MD5
d36488a48d121033665a62eb706ffa6a

SHA1
a1fe320ced8bc164bf0b7380f0cff553e3d03a94

SHA256
81b8faba474324298ba906f244904ce9e73994d8984bfa3af410d878bf936900

SHA512
5c0aa944b3f4b6892b2f6c7750af2df5af1286904a5d14c436c5f0e02f8417cd2430e7f41ce57adde1801b733ef329125c4f18ef48bb1d7766fa54c808e3edf2

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
1.2MB

MD5
e3e19f724ff020e6feaa61b2df3da030

SHA1
061cbe91c0ffb24925e0a1e1e51be54e98dd05f7

SHA256
481117c03d7d4394669fdd5bc749b9b5d8afc7a3cb4e0e7c22cc0a29d6e3663f

SHA512
0c76e40d1d2cda3ea78e37f8cebf6a91422e9d7dbd91cf111583473a307250500055457ba3cca18e18eb1b565b7e3fe2b2b68c76ac9ee5d353cc9a493d2c983a

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
1.2MB

MD5
6240dd2b49cbf6a2d4d0a58e02ba79bb

SHA1
092db43ea86a1ad9a0b330ac1bf801267656b12d

SHA256
fab279638aa89be53a6a7df8c8ad8fbcf576227dc9380505b7f2a159ef92ec0f

SHA512
3e091419672d5c2b7655d766abb1840f98117bb88e6f5923d14afb039a92bc00a5aa9bf4e36e13df9a50859ae58fa8e52f1920da25f2e40769989d715ef09bef

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
1.2MB

MD5
063a3430c7c92f4b3362a2f5e1db5d83

SHA1
b07162de9008905bdba0f3c53e22779dae282c04

SHA256
3ce19f58159c8b283edb9060abc4827f79be2296da6c692aee2114afccd4929b

SHA512
a69ae424f2c636ea77af3510373cc47b0229ce7b133cb73aa4864d962d56a9fd88095b7d3ed225f13490122056f972d81b2313b6d4b8e674fc4a38242fa7b044

Download Submit
C:\Windows\SysWOW64\Bnoddcef.exe

Filesize
1.2MB

MD5
1f59b23cc6b3222fbd1d308405b69efc

SHA1
c83b92e381c58c182484a73c7ed310395cc0003e

SHA256
b60c8ad5f6124f0ff013fa64444c0641582ede4414c995749258f241d50f7d03

SHA512
9e3d47e9ea8e6c0b4b6cc83750a6982901fe4e6e866c915b4b3920c4b204892c2d1f6fec218f36be9a24408d7b7f668007f6e13ae706f8c260718d1f7b0932db

Download Submit
C:\Windows\SysWOW64\Cfbcke32.exe

Filesize
1.2MB

MD5
95afce4aea84585249a98469061a2d70

SHA1
d30d239b671f56013c9cb32dee66bacad763fa29

SHA256
0abd5457f0d48afa75940f719229e05f7252166a7ab62979caab516626103844

SHA512
a40c4f02445ecdf07f8c96394dd46b80ca93beda0c1435deed303dfe64eab273927354d4b55f0d20a7f4d99477d33e2afd4a79a4946aea05b1f69505ce3e252c

Download Submit
C:\Windows\SysWOW64\Ckjbhmad.exe

Filesize
1.2MB

MD5
2245b3142aaabe9fee5e0372c1faea86

SHA1
7d0f88eba032dca8208d53e6892958773073fba9

SHA256
6f9a9a4fb30dbe70a2d93c58232ca9ac6b829c250bbac3784fca0be98de6c010

SHA512
f1c770c1355b745d17cf97db62af15e443920e008c4426ba8239d1e7661eece258578bd0e6cff0f6dba834fec4655def732b1c1d063d746750d3762f7d1cab32

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
1.2MB

MD5
3e50d56c0d86e7929f90e4abc1d610fd

SHA1
895b70b5ad61fade2e3334781976e19a90ba3c50

SHA256
43cf202539187668fd822663f1205ce9dff4ff27289c5e7753e35204bafbb26d

SHA512
2e83b3a74bc05e39359b8dd7d14bf5703ef8e21aad3daccedda44e98d332b0664b56b8433a32a0a27aced79f73b4de1b0bd79be04c3bca125255ba1f5a4b2929

Download Submit
C:\Windows\SysWOW64\Dhbebj32.exe

Filesize
1.2MB

MD5
5579b78af550a76b8709472b8ed70a22

SHA1
e7dc720ddf74e1af8646fa64e57d481946d07d0d

SHA256
4fa63b941ef4e6e3e3f3e90a85e0c4ef8555694c3094cb05fea5e9af0ee72a80

SHA512
840b828e522f3884f58f69bda7ae1ed5926a725da25f128b9d92fe81b27da8fb5bc896053206316d22f9a44f42336e8b7c174e3989c998a88505a0459d2fbe9e

Download Submit
C:\Windows\SysWOW64\Dijbno32.exe

Filesize
1.2MB

MD5
7bdfb1aad92ffc4f94dcf76c06531b63

SHA1
bf8c373aa704819f5435302c6bdb9c545cb1abeb

SHA256
3c60831db19880c9f6de2370a2e363c6b82f8dff84cecc5c5e275f9e91b0d187

SHA512
f9687e73b2df0c112d573534fcb68870bec35dc7d0d50c24fb1033d1a5be70ed79ec195985dbbcf08a7c848125c032b0992a5c2ee286ed4fdffc2681c1b7c450

Download Submit
C:\Windows\SysWOW64\Dmohno32.exe

Filesize
1.2MB

MD5
8ab7f4e0e52af99b693a9b1a248610ac

SHA1
db1d2bc4723d8e000d72b81b3cdfb600132b6d1d

SHA256
8d73118adf178fe6a28e39fc1da8ac21d0bfe3a5c43c06399df67a8d769006f3

SHA512
0193fc64d16b2e84b45888efd35fadb2d69b844951d352873a452fa7727b69c77277a2efab850e71c45ae8aa02dcfdf28d42c3c774e6730289e23e7dc2351060

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
576KB

MD5
49ef46601a419758461d07d7ddb95dfd

SHA1
afbb373ca0e43d2ed993f841351d0843db4fe53a

SHA256
7943cce6ff7d7135a13b705d0ac9906df3c31a272e78450ba759b48f42e39713

SHA512
f29dccd5fd353e23955c956de67d034ec71a54de6eef0a6aa99e32a3a387b2d3758dd6b793b118736cacb169a635debc985d532d166bc343639e3e984c574724

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
1.2MB

MD5
a306c4a94e136091d1dc0ca26979b2d1

SHA1
dffe9141d2588a610e5bc7b8a6cb82a76ddf251f

SHA256
dbf6e8f10a0e1d647685f284a145a510300ea978083958b5ae119530f4d5a1fe

SHA512
670902e29466e9ef50de8c475b91d7166df3fe359a8ff6aaaaed3dac1ad25f0eedf1381a04ee7b866bf3886a2fec0f7ffb66ca8c6002bfdfb0bf81e8794ef6f2

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
1.2MB

MD5
753c0c3053e708ebddb099c72d48782a

SHA1
b17cc51af1c7e9a664dd17bfa76c97f4a0d86372

SHA256
1852716415b4dc9c5a953b6a965eda049a33a013089020353e497e21c1734239

SHA512
0ff1a732fde0d283e9364dc6142064873b2399b24fe5a9953970d48de188c1c1db741b50fc3952422236aedb4c867390b29f9214c55a7f4c5370caeecaaa85c1

Download Submit
C:\Windows\SysWOW64\Ekodjiol.exe

Filesize
1.2MB

MD5
0852ca10fcac1de0b9c591b374cbd826

SHA1
c0c53241094770a015160441848e982df1c1fede

SHA256
d2621822a201bf3161cc45b96258b394e6a81b676ee8ac60543e59df8bbc620b

SHA512
02747e075bd689a69e027a266b7384e6f2deff4375bd7e25e10be07f19b10f0eec667d2462bee7fd8a78bd5998da493f078bc501959bbdb8e5c78b47c7b948e8

Download Submit
C:\Windows\SysWOW64\Eoepebho.exe

Filesize
1.2MB

MD5
23c501708a895a06a7bb9d003fda4357

SHA1
a1e3282412b78a8e178f7ecbf8d49aada4d1f63d

SHA256
3b13242e1ed28e425eeb1f23a88e632f333660e500ff196a516b2b54a7a5fb84

SHA512
48255b2f5b5b9fce2965bd909f233b4e9a98227a07cf835f79b83d0d04325a516887bcc2939d12e7eb6485eb5beb782c708ebe48737b2f0868eb5dd31dcc97ab

Download Submit
C:\Windows\SysWOW64\Ephbhd32.exe

Filesize
1.2MB

MD5
72470ca4b50690cb4eecab6ee3f1fb98

SHA1
55e24299165de3fe88b5ca806d3eae3d26df42a9

SHA256
dca66c743312a361248550ed2fff891a9ba268ad947f506c3e1814c87183c465

SHA512
5174239d8e8183b258d7c2e18bdc2c789fdbe773774ac98f67344e7c69a7bdf19eb60e97fd6545e69521bcef916c51b43c8a0cc0810dbc631a0e5983df25284c

Download Submit
C:\Windows\SysWOW64\Epmmqheb.exe

Filesize
1.2MB

MD5
eb5aacdd87b31c53d0cd3342ec52bddc

SHA1
6c5287b3a37be7f69da9f0890542c7ce7ae5a2d5

SHA256
22da8126b2ee6e853d073971fbf3dce48326419febfa22f7e4127dbb1f1f181f

SHA512
af6705aa00db91b58bcc28ec428f920b2d1431fd12e213e4beacb5eb935edaf3d4f2cd190858004e000ac1e0f18d0632ede435ad13966806f4a629d6ac677d48

Download Submit
C:\Windows\SysWOW64\Fbbpmb32.exe

Filesize
1.2MB

MD5
535ea3cdb9140015767a7ff3b4379383

SHA1
64c6b1a9658f43b31f49298b052f00c4bdeb32de

SHA256
4067df69eef87543224e35ba892b0b14f2609efefe1409a83576fb5df737caa4

SHA512
0ff4296bc8f7f1bdcb7a5afe122be4eeb58f3d95d6be86d53e620d0dab4f0b713a9e6f144628bc3eed7f15345c66db0fcdf712cdc33c81965f6f150c77dee22a

Download Submit
C:\Windows\SysWOW64\Fbgbnkfm.exe

Filesize
1.2MB

MD5
fa84952ad1ec6a8d03108823f794fb0b

SHA1
45693297ccd1b1e8b86cb2e7eb12859789d04f2d

SHA256
397f1e3a63e621b3a54c0619579f6f232f0b0967ab521f4600eaf8aad924e425

SHA512
912c8f0bfd8e81528870dc5b28609f41c323a18459c5ac358fbbcdcbe2cc4d7b48d32981f82dd3dba79e1f06fdd411efb34c6f8970bfc1005d50bca34bfb7ccf

Download Submit
C:\Windows\SysWOW64\Fbplml32.exe

Filesize
1.2MB

MD5
f3464b4a1029581302de11767bc2dcfa

SHA1
57bfd0f7b65e500b17555ad2a93e68da06f377ac

SHA256
eabc626cfa6897067ba9c120f35230fb84436ecfe5f5d95c014c40ecee027fa3

SHA512
4140dee4cfe1477db8398f232a479f044bf17acb421125d022a81402f16da3174353e59c7bfb58e09c10bfb4c718f12f17a70fed222b29879b1769435b743468

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
1.2MB

MD5
af3a2b9c7d552fc28694e4d9c0df7de3

SHA1
8006329cd844145a291505eaea08ca2dbce07076

SHA256
f049463f3843f83c7cb7e3753adf771157737f1d456aaacc386266764690ccdb

SHA512
14d5553086f4448185b59ef4553f8cca47fba0d385e91a65c5addac71e43b6e307061a24e3e69e654ac97b993822f15c08da1b25177e069ec198b4352c5082ad

Download Submit
C:\Windows\SysWOW64\Fechomko.exe

Filesize
1.2MB

MD5
68df6f88faaf17430d2488f5323ea62d

SHA1
2761af427fb64b46d91bec44fd0a700fbe4f8a34

SHA256
2a140200b8f144f4f221ddaad685712ee1cf568a664d1135764c885719f5bb0c

SHA512
d60a03bcd833d5760d6fb702b0cd2aa9223aea97dcbde29faebf0bfe15b39d8dcab1c717dca6bc8c988bbc97e47296c667f59d6bc227498dce7f7c782915acec

Download Submit
C:\Windows\SysWOW64\Gfodeohd.exe

Filesize
1.2MB

MD5
a3e2d120b0281d1b99f0daee040b36dc

SHA1
c0e9e8dcb6f31ae6d9728aef47c389948f173dce

SHA256
e7012bbdb48ebbd9ed81455aa4816c61da54b5a02d5098843c79b396f7528a99

SHA512
0158bcc1717775a2798fd13f97cf0ff5f37099c38541b246972fe298dccd38695be0fd552cdcae878bb1e650cd8b8c6f7be75c7344f32ffd488a751ca8d92ed8

Download Submit
C:\Windows\SysWOW64\Gmafajfi.exe

Filesize
1.2MB

MD5
c00ddec12931fa8e4fd6071b73a8ee1b

SHA1
1ab51e1aefbcb61ff9c78a411620e64352f9338c

SHA256
b12a899e8f3cbd3967d03084d3b9c69d9b77a6e52a86eab5ab7cc958c45ce98a

SHA512
3988f9354e9ec4cd8e23c3ca5cba4d50edfdc3317f67001cc211b172d24746095ebdfc399811bb7819606ae4f7af3b416c780018bd9e61fa4f42cc9b6de1f2eb

Download Submit
C:\Windows\SysWOW64\Gnblnlhl.exe

Filesize
1.2MB

MD5
ff63c7b0f7f115b6033168449a0e0546

SHA1
6cbe25143b384d271ee498164bd5de960cb31768

SHA256
e383bdd83daf78fffc9b8b3b2e7c8b50ba12aad296fb93c15e43464525893da9

SHA512
f9073268c5fc43329a453933d89258847bbc7ad4d23234139ea24f5e65350e5b10ec7fd8cdd5b6228f2957039a1a14b4663fbe3fbc0e8e19f9fc35a6d999b151

Download Submit
C:\Windows\SysWOW64\Hbhboolf.exe

Filesize
1.2MB

MD5
163463d26034b344a85e07c08ee789c7

SHA1
e31eb4a549c81a618d62cac4bb447d2c59468d33

SHA256
c190c8ef6e145a599cc129229cd8ff8c0381116f116a66ea48d159b19736df90

SHA512
b32ade08f8db6d8be3b5da62db46587c6d13032310d9c4812d48a31ad60516f8951a0d2afdac70ed31cc3a74aa8c76dee0d0b39a3edf7c57a781ffb75def0a42

Download Submit
C:\Windows\SysWOW64\Hicpgc32.exe

Filesize
1.2MB

MD5
f238184759fcee5b5e58d3e6fa8c7199

SHA1
175e9f8e4030579b0568d7a937963f697aea9899

SHA256
31db745aa1135ede546ade93a4d8eab7515103334ee2ef0d0f0f5414f281a36b

SHA512
314d8a006dc647d1ceb54a02797cfc7aaaa2aeeb23a998990ea66f571c7509abe653f7a3602ae54e181906d2f27131f905519600ad9ca488fdf2b953a5234e9a

Download Submit
C:\Windows\SysWOW64\Hmdlmg32.exe

Filesize
1.2MB

MD5
a24f8c16c9227dfa71cee9d6dfad434a

SHA1
8e9e2cca1a5d67e5625b2c80279b24adc9ab7420

SHA256
68a807f6d9f3d8ab191524227a4e450591e3fe4ecc4273cec228f016440d88af

SHA512
9fa09150642157bc443b3c223106fc32516c4fc94533e418d8abc07d03522cfaab9440dc90449018bbc953a1d9078522af8bb2fd0b5c9334ddaa9c10fd06d7d5

Download Submit
C:\Windows\SysWOW64\Hpnoncim.exe

Filesize
1.2MB

MD5
ccabce7e01150d74376f3540f8968203

SHA1
e089e60628f177da0c74f66f40383e2c677b5ab4

SHA256
5a8cec27a93e175d773d025bb4f6a1c18e7201c764c98a317deea13d944dc87e

SHA512
cc791ba9d44cb47b61aa9ee01cb6cc99b3f1d3fcbb55b9d04f37d93608ecd08bda098cc669e4ceb28e57923c57b21806b533a1b19cde71713debe012c178788e

Download Submit
C:\Windows\SysWOW64\Iefgbh32.exe

Filesize
1.2MB

MD5
e13b96540be98fb94c482057b3d2a707

SHA1
c41efb20700f75e3283d025ba90a4dc048b44bd4

SHA256
ac3427eb810ae8861f91c328e19e43eadc1ce78af7712687df165bdd98ceb662

SHA512
4f241edd5db67388503094a85f295f07aa6ac2b987604998932582f62428228643d302d4b28c3a48357a4872c784b9c73948c0e30b21a71a5463fb4d073506d9

Download Submit
C:\Windows\SysWOW64\Ilcldb32.exe

Filesize
1.2MB

MD5
ce547299125cb407246c135a220839e8

SHA1
0bcf392318c2c174336be7a8e7f9a35fe987999c

SHA256
9428ce7b4248e8b80dc1c3ac64fb728b0d8b3ec93155cbe682a0ccebdc2368c9

SHA512
25e0deae198ce63cff8b20e071efd7857f509787455a1b5e175787f11708cd31c88d815fe8809921d671df3204c36ddec06905804e8c7dce74e101e21237311b

Download Submit
C:\Windows\SysWOW64\Illfdc32.exe

Filesize
1.2MB

MD5
eeb1eb6a3a9e6df1b427e0716be7fa1e

SHA1
dca2b00b7f054e5f1520dfc275025de5e047f184

SHA256
ac6a86877d023c04eb4745895a9dae1b66d1b0fc669d64eae87b6d68ca4f9795

SHA512
2e9bca40155a7aa4d0a3ed85713e8e1c999812773b573da9ce59a976d5fd202a7dd76fff1187644b6e1a0a5a340920045fc33c491acaf144496b360a87a543da

Download Submit
C:\Windows\SysWOW64\Iojkeh32.exe

Filesize
1.2MB

MD5
8a0682b6185ee49596981c2eaf4fe781

SHA1
f4e1f90e413d6e5f61540176ea07dcdde2a8dca5

SHA256
9c8cf96e235c3d0b061e299dd923c2f27cb129be5dca2bab85cf97178aad1869

SHA512
98d0c6f71dbbddc485203ff0107fef78f5516f2924dfe47bbb0d0a41d6a4fc60c06df8c956a46d9e4fb4380421f2a1d19c82fd3a214a246a11c268a9f4c80aba

Download Submit
C:\Windows\SysWOW64\Jgbchj32.exe

Filesize
1.2MB

MD5
7d11987a2b003f72a98985fe3cd02d63

SHA1
aad552909906f65a2da60278bc6be80c9b7f230b

SHA256
af1f00eade3812da1ca0f388acb0b6a0c4f52adafcd2620c0f62d0944e71a18d

SHA512
0fbfb5cc048b6c648a13041573399c88c4ea03411c25b0aa71a57efdf995a6a7116344d12580dc87e479eeaf9125b15006d298f9f046917590c6c79cba99c8d0

Download Submit
C:\Windows\SysWOW64\Jlbejloe.exe

Filesize
1.2MB

MD5
c03f05526b88a4be3f8f485e40874891

SHA1
79ddd1188d3e9759c64c2d1a7d7ba770b1280411

SHA256
201893e113650e70388fb4b484bd4556e591b2c7a49c1afcd96fc687a2a9cfe4

SHA512
c7353003a7d0c19aa69214ab064c3eb09994c0f522c79f2cc5f9ec3173fc3abd3f0f2e072b4260ac535f8f3e4f530e3953fffa71bd402d8f07acb5f2c2fe162c

Download Submit
C:\Windows\SysWOW64\Kcmmhj32.exe

Filesize
1.2MB

MD5
23162c66fd7f8a82316aa931732e50fa

SHA1
0b5df23a955cca76d89fd1722d2586b265e12e5b

SHA256
6818480715dd6a54ade4240ef88751e8e74106609a6fd80ded33af7fcf691e5e

SHA512
7ab070f9594e598ecefc952fb84c4560524f7f91b9966bb02b640b11c6c8c1b31a79a9bb9652153b31a6ef07d9b716e653c601aa355fac6dbc3a9e96398323fd

Download Submit
C:\Windows\SysWOW64\Lnldla32.exe

Filesize
1.2MB

MD5
475db2d3d39c18a89ea457b53bb65a40

SHA1
7a4b041a65c55013a507cdc74499dc87fdc53125

SHA256
6632e73348f81f26e7df82fe51716a93a67fcb75aabfd2087a4c7bcdfe827fa5

SHA512
ac5d97251d3566d2ca14ffecd25eebf88f27af51eae9577ee5df64277f181896b0248e79e467d14f95b719a4c3b0d82ff2e9ea24e98f688ba5852aaa171f2967

Download Submit
C:\Windows\SysWOW64\Lqmmmmph.exe

Filesize
1.2MB

MD5
daa3c7ec43b47d706937002dd2ba7bd2

SHA1
88b0bc0c4796ecf6558cefe111cea73aca60a5d1

SHA256
9d59d5d52597e60401c88c8da397847284b4d5909271c15530be166b1648176d

SHA512
eaf400f5c4794d6cb794b0bb7b336b6fb314bb98131a9ce4f4623a410fd651f5a51705375cb40d87ef2a7f1cd6beb129a49ed2f8ba923b73ff68b7283d416f92

Download Submit
C:\Windows\SysWOW64\Modgdicm.exe

Filesize
1.2MB

MD5
33680b15d27a6a63c3eda3492c7243a1

SHA1
83885df0e695335347b54ab27be0baf69e22cbd8

SHA256
cd40b678477890e857ab83187d72330d3326dde8bc2d4e15558c766fad5b814b

SHA512
430fdd160bbbf9303a2b20ae0aaea242bd55d0856b2a76888b9ab6162bdbbf40d2ecda18ac2250fd5e0792e0232de04bc7c6e043455f7de5f76d459295bfcbe8

Download Submit
C:\Windows\SysWOW64\Mqhfoebo.exe

Filesize
1.2MB

MD5
c0c273d0751255e0b661336b5c37f611

SHA1
11e273c047c0e07aeb95a781b6e14913aee8985d

SHA256
a5e85e8be495df3c9f499aba1efb32e1fa9789da375280a0f0052eebca9af924

SHA512
50c81426082fc8b57b5de9e806823a6090847564d15bec6cccbb909ab8977731e55b635f68cb7f711ec610c1d00be714ac069048a7c084d05ed254c22ffc9c82

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
1.2MB

MD5
82b608e281bd379b6a4280784e1233e2

SHA1
5d83bc8a1fd71f7a325947360596012abb1e4630

SHA256
f456a32d2e583874252eaaad1a7f29ef3a28244571d47e1c1c0f1c5dc5527ace

SHA512
76ec634ba0d8c17fc6c6e9371633599a57dff5fb142f4ec441bf7e3ff213e51d54e2cbb05c8dc735da7a3ecfab78e27172f674fbea417e61832b4d0cb0d7f601

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe

Filesize
1.2MB

MD5
c1705239492f33e4382408614f537673

SHA1
186d5ebf68cfdadb39aaf844207561f86a09b7da

SHA256
e26f72046d4cce5da83a15d5eeaae26ef0a209e747cfaac138a6c94e306c48dd

SHA512
75841d453961990bfb7360fdd3ebcdf2f3e07f10e4cb5a90343625e590bcb3993a707685f5549cbdcc1614dca32e8147df7c68d041d5a8f96d7f30bcd61aed2c

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
1.2MB

MD5
8fe323c73ade710425aa2fdc17e1d58e

SHA1
46d695c9aec8410b13b52e545e9b12fb2b17e3f1

SHA256
8701a41deb43dfaaf0e135c8a008f8790b99d3fa67b42ee500dc786f5b784f90

SHA512
75baab85c2183c26d3e613ea35dd2677afb7febbc47b9f06639b85e5cb2399dffe114eba834d1bae16f977a17f3dce6ef2db8a7e86f748dead07037dac3da2c1

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
1.2MB

MD5
a1c8ada1ffe30083af31c05916220342

SHA1
2ab6d7545496d3903c41f9a8c775c2ee1a3d74ce

SHA256
29e499ea29abe4778c182f8b61484e6133ead294c54d066989bc1e3793a75919

SHA512
81c1da37084b6e76b5da100ead300e47727fe1233b63ae166e13d05ad184a56b53335de306c8ce60ebfbd518f8a5ceffe84856cf4bc25d692c11930682180997

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
1.2MB

MD5
84bca4b4c52dea18c2c484350f0fea89

SHA1
322835308e0254d6cb7d984d1b4417e761d2bc02

SHA256
f8d119afd6f1fb9441ed5d6b5bd0a6ff63cbeb241221ed61b5db83c61470f33b

SHA512
5d3a8f7f1c49a02fe1a7884b23f76a6b0017c531ab83507a0a9ee250c0ffcba110692962976976745638b919fd73d7b28fa07721fa433a0886f6cdc69d690138

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
1.2MB

MD5
7d519ff41c0e2dd358ee387c64bcb8e1

SHA1
4bbe448f16bb862725e8bd8eeac6345648cbcb33

SHA256
5897b898e2ecfffa065826c19461609c111a34a84cd23d0dac62cb4d308162ac

SHA512
b8f8e3bd41844c4c0317289389463d86f31f85ac099fd31f3231b00d12c858abbf7ae25f1503d766d6fdc0598f12ee5484d627134d35b47c5db9dd7763ec42e1

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
1.2MB

MD5
77f4a4bf895d38116bcd3f1232e6de94

SHA1
b956544229febdfa178e53281065f3cd0f869ef1

SHA256
0d0577490915750b94dff866989a4c50997a59ee4e6fc96e39030380d204eb14

SHA512
931a689237e54d715ef622b013acf93ed990c9b377db05a129e754f561a3bb6de88b1397538374c6090956edabe7c746d7a3297ad908bb7abb354e32deac3279

Download Submit
C:\Windows\SysWOW64\Pjoppf32.exe

Filesize
1.2MB

MD5
b5f0d9396c522f934bdf29b0335174c8

SHA1
569571a565871570d0d1efd6a821ea55649566a6

SHA256
954bd0c1f0891179e96aed0f5c1ea8519a41e022cf78c38818720cde8589e57d

SHA512
d2610221b6c491b3ff7d8934c44d58009a07eeb850ae9acfd8e8156023e153056171951d89e4c6c74617217768cc1ac9df3563498f66a26d2bf2792507b58f1b

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
1.2MB

MD5
267ed2b6a2410da6e5f1bd53bd56d945

SHA1
24f9eac038edded51777c7e1149679c61a42c373

SHA256
999c32fc9cf216fde7e9fcde57b774515b242abe4f1e7a9b6a70add04e0ca588

SHA512
6496df11a65f29542f4444d7dc1cde5962d37b5d1ec6d0fd24dfeb6a5430cbffeee388718973c1d6d5703f44f6a83e323dbfc86554d846a741ac7c1d2c971676

Download Submit
memory/232-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/372-431-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/752-503-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/864-389-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1044-467-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1076-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1156-485-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1268-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1268-587-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1356-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1428-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1476-594-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1476-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-533-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1556-287-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1588-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1616-405-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-559-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1752-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2208-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2260-495-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2276-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2316-425-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2340-249-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2348-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2380-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-573-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2444-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2484-383-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2552-269-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2624-264-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2680-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2820-455-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2936-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2996-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3080-461-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3100-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3100-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3148-329-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3244-121-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3380-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3380-566-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3444-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3492-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3676-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3772-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3776-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3816-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3860-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3864-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3996-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4264-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4292-257-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4300-335-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4340-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4404-479-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4452-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4520-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4532-473-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4560-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4592-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4624-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4724-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4724-580-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4736-443-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-452-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4836-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4868-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4932-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4980-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4996-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5140-509-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5180-515-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5224-521-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5264-527-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5336-539-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5380-540-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5432-546-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5472-553-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5540-560-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5632-571-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5680-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5724-581-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5780-588-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads