0d3fd207ceb3af5e396f8f0aeae7d008c693725f5ecd3b8671b08bc590b5913d

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 18:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0d3fd207ceb3af5e396f8f0aeae7d008c693725f5ecd3b8671b08bc590b5913d_NeikiAnalytics.exe
Size

664KB
MD5

d2b59a47238ebcbca44b1c033232ad70
SHA1

ff97adf53f56df45604e0669c1fc92a27618c71c
SHA256

0d3fd207ceb3af5e396f8f0aeae7d008c693725f5ecd3b8671b08bc590b5913d
SHA512

f8095a490c3b765b8f44afab628b5da109a0a716ef2fcbc30bdd16b9752d7bff17ea3d6bb179ca63828aabfc69234cdfedc3a971b594b3f30ce3988024ac103a
SSDEEP

12288:f7RXpV6yYP4rbpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYjmRS:fFW4XWleKWNUir2MhNl6zX3w9As/xO2k

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedmkmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chiblk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbmohmoh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ommceclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibbcfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihaidhgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Indkpcdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khlklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbala32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khlklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkdpbpih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhimhobl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qpeahb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hecjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqpapacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilhkigcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hecjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fofilp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkkhbb32.exe

Executes dropped EXE 64 IoCs

pid	Process
2892	Lnangaoa.exe
3564	Ngndaccj.exe
440	Ocjoadei.exe
2680	Pnmopk32.exe
1184	Pjdpelnc.exe
4444	Qpeahb32.exe
1252	Aggpfkjj.exe
1992	Bpdnjple.exe
2660	Bogkmgba.exe
5012	Bnlhncgi.exe
2176	Bgelgi32.exe
4104	Cponen32.exe
788	Chiblk32.exe
4568	Cogddd32.exe
4584	Ddgibkpc.exe
4636	Dgjoif32.exe
4408	Edbiniff.exe
4892	Ebifmm32.exe
3740	Fbmohmoh.exe
4196	Fofilp32.exe
4412	Gkdpbpih.exe
3208	Hecjke32.exe
1856	Heegad32.exe
1916	Hhimhobl.exe
4604	Ipbaol32.exe
4160	Ieccbbkn.exe
4360	Iialhaad.exe
2128	Jifecp32.exe
3164	Jpbjfjci.exe
4172	Jllhpkfk.exe
2848	Kcjjhdjb.exe
2732	Khlklj32.exe
748	Ledepn32.exe
2520	Ljbnfleo.exe
1172	Lckboblp.exe
5044	Mpapnfhg.exe
1900	Mfpell32.exe
2024	Momcpa32.exe
468	Nckkfp32.exe
924	Nfldgk32.exe
700	Nqcejcha.exe
1204	Ocdnln32.exe
4516	Ommceclc.exe
4116	Ofegni32.exe
3140	Oblhcj32.exe
4064	Oqoefand.exe
2428	Pqbala32.exe
4352	Pimfpc32.exe
4652	Pfagighf.exe
3264	Paihlpfi.exe
1104	Pidlqb32.exe
4964	Ppnenlka.exe
4696	Qbonoghb.exe
2336	Qjhbfd32.exe
1500	Abcgjg32.exe
4008	Aadghn32.exe
3780	Ajohfcpj.exe
656	Abjmkf32.exe
4856	Aalmimfd.exe
3420	Ajdbac32.exe
1624	Bfkbfd32.exe
4780	Bmdkcnie.exe
1528	Bbaclegm.exe
5032	Bpedeiff.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Mpagaf32.dll	Pfagighf.exe
File created	C:\Windows\SysWOW64\Lacijjgi.exe	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbebilli.exe
File created	C:\Windows\SysWOW64\Ibbcfa32.exe	Ilhkigcd.exe
File created	C:\Windows\SysWOW64\Ijaaij32.dll	Jhmhpfmi.exe
File opened for modification	C:\Windows\SysWOW64\Jllhpkfk.exe	Jpbjfjci.exe
File opened for modification	C:\Windows\SysWOW64\Nfldgk32.exe	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Igkilc32.dll	Nckkfp32.exe
File opened for modification	C:\Windows\SysWOW64\Edaaccbj.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Eqmlccdi.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Fbbnhl32.dll	Ilhkigcd.exe
File created	C:\Windows\SysWOW64\Leldmdbk.dll	Bbaclegm.exe
File created	C:\Windows\SysWOW64\Eafbac32.dll	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Cpfmlghd.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Jdinng32.dll	Gbkdod32.exe
File created	C:\Windows\SysWOW64\Ihaidhgf.exe	Ilkhog32.exe
File created	C:\Windows\SysWOW64\Lddble32.exe	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Gajlgpic.dll	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Hjfbjdnd.exe	Hnpaec32.exe
File created	C:\Windows\SysWOW64\Kdffjgpj.exe	Kbeibo32.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Ocjoadei.exe	Ngndaccj.exe
File opened for modification	C:\Windows\SysWOW64\Pjdpelnc.exe	Pnmopk32.exe
File opened for modification	C:\Windows\SysWOW64\Edbiniff.exe	Dgjoif32.exe
File created	C:\Windows\SysWOW64\Epgldbkn.dll	Ppnenlka.exe
File created	C:\Windows\SysWOW64\Aadghn32.exe	Abcgjg32.exe
File opened for modification	C:\Windows\SysWOW64\Calfpk32.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Mlcdqdie.dll	Pjdpelnc.exe
File opened for modification	C:\Windows\SysWOW64\Nckkfp32.exe	Momcpa32.exe
File created	C:\Windows\SysWOW64\Fkcpql32.exe	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Lgahlk32.dll	Icogcjde.exe
File created	C:\Windows\SysWOW64\Olaafabl.dll	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Ledepn32.exe	Khlklj32.exe
File created	C:\Windows\SysWOW64\Ecgodpgb.exe	Ejojljqa.exe
File created	C:\Windows\SysWOW64\Hhodke32.dll	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Pneall32.dll	Pnmopk32.exe
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	Bnlhncgi.exe
File opened for modification	C:\Windows\SysWOW64\Ofegni32.exe	Ommceclc.exe
File created	C:\Windows\SysWOW64\Bdbbme32.dll	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Edaaccbj.exe	Ekimjn32.exe
File opened for modification	C:\Windows\SysWOW64\Ibbcfa32.exe	Ilhkigcd.exe
File created	C:\Windows\SysWOW64\Edbiniff.exe	Dgjoif32.exe
File created	C:\Windows\SysWOW64\Fbmohmoh.exe	Ebifmm32.exe
File created	C:\Windows\SysWOW64\Dalofi32.exe	Dkpjdo32.exe
File created	C:\Windows\SysWOW64\Ncbigo32.dll	Dalofi32.exe
File created	C:\Windows\SysWOW64\Ekimjn32.exe	Egkddo32.exe
File opened for modification	C:\Windows\SysWOW64\Hnmeodjc.exe	Hbfdjc32.exe
File opened for modification	C:\Windows\SysWOW64\Ddgibkpc.exe	Cogddd32.exe
File opened for modification	C:\Windows\SysWOW64\Abjmkf32.exe	Ajohfcpj.exe
File created	C:\Windows\SysWOW64\Aldjigql.dll	Calfpk32.exe
File opened for modification	C:\Windows\SysWOW64\Hbfdjc32.exe	Hcedmkmp.exe
File created	C:\Windows\SysWOW64\Aannbg32.dll	Jlanpfkj.exe
File opened for modification	C:\Windows\SysWOW64\Oblhcj32.exe	Ofegni32.exe
File created	C:\Windows\SysWOW64\Fljhbbae.dll	Oblhcj32.exe
File opened for modification	C:\Windows\SysWOW64\Bbaclegm.exe	Bmdkcnie.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Cancekeo.exe
File opened for modification	C:\Windows\SysWOW64\Jbijgp32.exe	Iajmmm32.exe
File opened for modification	C:\Windows\SysWOW64\Kbeibo32.exe	Jaemilci.exe
File created	C:\Windows\SysWOW64\Gadeee32.dll	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Dffdcecg.dll	Gqpapacd.exe
File created	C:\Windows\SysWOW64\Jbijgp32.exe	Iajmmm32.exe
File created	C:\Windows\SysWOW64\Jaemilci.exe	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Kkpnga32.exe	Kdffjgpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6240	5128	WerFault.exe	213

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhimhobl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhibfek.dll"	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbhiiol.dll"	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbfdjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejioqkck.dll"	Hnmeodjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll"	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ggccllai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odanidih.dll"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffaen32.dll"	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnhl32.dll"	Ilhkigcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jifecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khlklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajohfcpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaecci32.dll"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnpaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll"	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppnenlka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipgkfab.dll"	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icogcjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilkhog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfmmb32.dll"	Momcpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnmeodjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjaqmkhl.dll"	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajohfcpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcedmkmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadpqeqg.dll"	Indkpcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpmdqpl.dll"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdqeooaa.dll"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglafhih.dll"	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdjokcd.dll"	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpchag32.dll"	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdlidhm.dll"	Jbijgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japjfm32.dll"	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nckkfp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2892	2240	0d3fd207ceb3af5e396f8f0aeae7d008c693725f5ecd3b8671b08bc590b5913d_NeikiAnalytics.exe	90
PID 2240 wrote to memory of 2892	2240	0d3fd207ceb3af5e396f8f0aeae7d008c693725f5ecd3b8671b08bc590b5913d_NeikiAnalytics.exe	90
PID 2240 wrote to memory of 2892	2240	0d3fd207ceb3af5e396f8f0aeae7d008c693725f5ecd3b8671b08bc590b5913d_NeikiAnalytics.exe	90
PID 2892 wrote to memory of 3564	2892	Lnangaoa.exe	91
PID 2892 wrote to memory of 3564	2892	Lnangaoa.exe	91
PID 2892 wrote to memory of 3564	2892	Lnangaoa.exe	91
PID 3564 wrote to memory of 440	3564	Ngndaccj.exe	92
PID 3564 wrote to memory of 440	3564	Ngndaccj.exe	92
PID 3564 wrote to memory of 440	3564	Ngndaccj.exe	92
PID 440 wrote to memory of 2680	440	Ocjoadei.exe	93
PID 440 wrote to memory of 2680	440	Ocjoadei.exe	93
PID 440 wrote to memory of 2680	440	Ocjoadei.exe	93
PID 2680 wrote to memory of 1184	2680	Pnmopk32.exe	94
PID 2680 wrote to memory of 1184	2680	Pnmopk32.exe	94
PID 2680 wrote to memory of 1184	2680	Pnmopk32.exe	94
PID 1184 wrote to memory of 4444	1184	Pjdpelnc.exe	95
PID 1184 wrote to memory of 4444	1184	Pjdpelnc.exe	95
PID 1184 wrote to memory of 4444	1184	Pjdpelnc.exe	95
PID 4444 wrote to memory of 1252	4444	Qpeahb32.exe	96
PID 4444 wrote to memory of 1252	4444	Qpeahb32.exe	96
PID 4444 wrote to memory of 1252	4444	Qpeahb32.exe	96
PID 1252 wrote to memory of 1992	1252	Aggpfkjj.exe	97
PID 1252 wrote to memory of 1992	1252	Aggpfkjj.exe	97
PID 1252 wrote to memory of 1992	1252	Aggpfkjj.exe	97
PID 1992 wrote to memory of 2660	1992	Bpdnjple.exe	98
PID 1992 wrote to memory of 2660	1992	Bpdnjple.exe	98
PID 1992 wrote to memory of 2660	1992	Bpdnjple.exe	98
PID 2660 wrote to memory of 5012	2660	Bogkmgba.exe	99
PID 2660 wrote to memory of 5012	2660	Bogkmgba.exe	99
PID 2660 wrote to memory of 5012	2660	Bogkmgba.exe	99
PID 5012 wrote to memory of 2176	5012	Bnlhncgi.exe	100
PID 5012 wrote to memory of 2176	5012	Bnlhncgi.exe	100
PID 5012 wrote to memory of 2176	5012	Bnlhncgi.exe	100
PID 2176 wrote to memory of 4104	2176	Bgelgi32.exe	101
PID 2176 wrote to memory of 4104	2176	Bgelgi32.exe	101
PID 2176 wrote to memory of 4104	2176	Bgelgi32.exe	101
PID 4104 wrote to memory of 788	4104	Cponen32.exe	102
PID 4104 wrote to memory of 788	4104	Cponen32.exe	102
PID 4104 wrote to memory of 788	4104	Cponen32.exe	102
PID 788 wrote to memory of 4568	788	Chiblk32.exe	103
PID 788 wrote to memory of 4568	788	Chiblk32.exe	103
PID 788 wrote to memory of 4568	788	Chiblk32.exe	103
PID 4568 wrote to memory of 4584	4568	Cogddd32.exe	104
PID 4568 wrote to memory of 4584	4568	Cogddd32.exe	104
PID 4568 wrote to memory of 4584	4568	Cogddd32.exe	104
PID 4584 wrote to memory of 4636	4584	Ddgibkpc.exe	105
PID 4584 wrote to memory of 4636	4584	Ddgibkpc.exe	105
PID 4584 wrote to memory of 4636	4584	Ddgibkpc.exe	105
PID 4636 wrote to memory of 4408	4636	Dgjoif32.exe	106
PID 4636 wrote to memory of 4408	4636	Dgjoif32.exe	106
PID 4636 wrote to memory of 4408	4636	Dgjoif32.exe	106
PID 4408 wrote to memory of 4892	4408	Edbiniff.exe	107
PID 4408 wrote to memory of 4892	4408	Edbiniff.exe	107
PID 4408 wrote to memory of 4892	4408	Edbiniff.exe	107
PID 4892 wrote to memory of 3740	4892	Ebifmm32.exe	108
PID 4892 wrote to memory of 3740	4892	Ebifmm32.exe	108
PID 4892 wrote to memory of 3740	4892	Ebifmm32.exe	108
PID 3740 wrote to memory of 4196	3740	Fbmohmoh.exe	109
PID 3740 wrote to memory of 4196	3740	Fbmohmoh.exe	109
PID 3740 wrote to memory of 4196	3740	Fbmohmoh.exe	109
PID 4196 wrote to memory of 4412	4196	Fofilp32.exe	110
PID 4196 wrote to memory of 4412	4196	Fofilp32.exe	110
PID 4196 wrote to memory of 4412	4196	Fofilp32.exe	110
PID 4412 wrote to memory of 3208	4412	Gkdpbpih.exe	111

C:\Users\Admin\AppData\Local\Temp\0d3fd207ceb3af5e396f8f0aeae7d008c693725f5ecd3b8671b08bc590b5913d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0d3fd207ceb3af5e396f8f0aeae7d008c693725f5ecd3b8671b08bc590b5913d_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\Lnangaoa.exe
  C:\Windows\system32\Lnangaoa.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\Ngndaccj.exe
    C:\Windows\system32\Ngndaccj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\SysWOW64\Ocjoadei.exe
      C:\Windows\system32\Ocjoadei.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:440
    - - C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        26⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        31⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        36⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        42⤵
        Executes dropped EXE
        
        PID:700
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        52⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        54⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        55⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        57⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:656
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        60⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        61⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        65⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3536
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        67⤵
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        69⤵
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        72⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        74⤵
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4236
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        76⤵
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        78⤵
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        79⤵
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        80⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        86⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        87⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Gqpapacd.exe
        
        C:\Windows\system32\Gqpapacd.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Gdnjfojj.exe
        
        C:\Windows\system32\Gdnjfojj.exe
        90⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Hepgkohh.exe
        
        C:\Windows\system32\Hepgkohh.exe
        91⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        94⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        95⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        97⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        105⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        106⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        107⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        108⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        113⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        114⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        115⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        117⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        119⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        121⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 420
        122⤵
        Program crash
        
        PID:6240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5128 -ip 5128
1⤵
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:6708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadghn32.exe

Filesize
664KB

MD5
71dfd53e067456a7b4afa36a53a4bab6

SHA1
c426e86df7bc77715bc9f13afbe8cfad80e4a8a1

SHA256
e82e343c7f927f835bd95aa7bfd9521dd77a553eb3f9132bf379c96315c7a175

SHA512
7a4b38bea0c4ccea8d6dad143accd7f137351abce5dc1bc65e2bdd6bab3698711d326aa67e2272b62d9d8623b98aa3bcff99304da4ed462915018a4ebdc6ed89

Download Submit
C:\Windows\SysWOW64\Aggpfkjj.exe

Filesize
664KB

MD5
0edee7271885f0eb8db0f245bf09a6b5

SHA1
9b50fad3fe9c2d5bc27defba42d9dab1925ea81c

SHA256
9a7cab6ccb1bff35bfe7f463f2a15935f10e7216370fdc7ecb4b54e3383bc79c

SHA512
01deaa01f50548a822f2da4f9b413632725e75e7b5cbbd83523718d5bac9f3fa7fcf644494ee8d9e507fc9f1cd4156631133d9f8a755ec28c09a2fa946b2ae94

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
664KB

MD5
d1a313f49812c12d04b17fcb0a191489

SHA1
04075686704107333a9b9628be766d0e0b56affd

SHA256
c82733c566f01739fbb7677c4b56a1b8b36515f129c9b32e3f1a12a26a195843

SHA512
7f89540a755b377c13725a1f2d9f8d6b1aabc0fe0a6232a488d85833117acbd73395802f7189d05bf86baf7065816619ecb8c260c024deaa21162f044e1b953c

Download Submit
C:\Windows\SysWOW64\Bkkhbb32.exe

Filesize
664KB

MD5
8220e922187b2bae76825ffd69a9e965

SHA1
784451a733e1d2fb0a7003b806452689a0933a0d

SHA256
a7cdbdd7cd18017076182854fd4be7664e008bb35eb6d73ce5c7f671598d15bf

SHA512
4a0bfbee9f2a27d2faa8a8d83bea784ea8b02eee08874c82e28a38050c4de7e81d493a676cb90fbfd75060c8e9ba33416989e2c38631e0497a98b3345edb4ac2

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
664KB

MD5
a3657f025bd4b1c5d1699051fc186c0e

SHA1
32e04044005672ca5307161912f9a333165ab7d8

SHA256
aa8bb9e39c36451ab858b1a0a64c6b14ce6a905ae0325c970e918c0191363646

SHA512
dccb2257edc2a4f76c2c1eeee5cf8fd28df9135ebc0fb582127526acc9ae46263d0eeed0f819c91d7b2dd5fc3fdb63c217ce7a3fd1cb8a0864a149b61775234e

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
664KB

MD5
6a2592fc1194a4f4d61132218cead5f9

SHA1
bc348946772b4cb684719846dbb34ecc405f5391

SHA256
c7a46b518250990b15e934431800f95aad7ab3780bc0724758458fe757b1df41

SHA512
a73ac0acf5f473a086568053db59ffb88aa22046cf234a5063f9a26d76571bd3b65d55c56e16f5b13096a28fef165709c1d984b2605f6561919c36f6fbbeb61f

Download Submit
C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
664KB

MD5
f15cc3165c63a8a7d0f367002995a9ca

SHA1
973b5695c9e63a28ea352acf044228399b39c9c8

SHA256
db19365a7544aba897461a14b1136cac1dc0d4c12023e1ca2f46f1752e68904f

SHA512
1eda099ae39f72b1cc907abac5a380f3eac31ecb18fa50a667287439fa7bb5f3aa53764bff57a723762e5d4318b1e8aaa2379151813e5c32a2dece0062fb0cb3

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
664KB

MD5
50628765bb1db521211852a947545bba

SHA1
ef6c0a7b4fd6d1ba4c1b890bcb23e08d2f23dc88

SHA256
d91f3754589b4f3379b84d5ddb9b5134d78d65fc3d0418c5096995479221e126

SHA512
477b3ad093da0be92741c40177266b2b932cc38e1b921bf9ca97bc2ca3ffa60072ea610904062fc285d0924dd4e139aea612a66f414bdec3e4a0d90fff59d5db

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
664KB

MD5
c142a5aa9cb7ab76ce011f6a5fcbce0a

SHA1
d840c7329e5c6ee5e9f0136acf094fbd746b79b8

SHA256
7029d0a8b561d7f69f584e2e8bd7007aa8c376e869d5124660befc4b0e9a5672

SHA512
81d9816158ba8cf804fc8ee2ef7be94f8421837432adef9c1f02df304e636d8019f4c0b4fe6e014e576fde9258058ad4b8660d913911f5389dbfeb9d377061e8

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
664KB

MD5
b0d38a394eed346566d36945be4f2730

SHA1
25697d9faf386affafcf39cc37b769a6a048313f

SHA256
79fefb08a10a94622bf8d3a820ea116f016602a64586dc4cd8e0a814625ca844

SHA512
20678e649ae045b7754cb24d587f0faf4650891073c6d1da6a280922881c01b4fdfaf256915efbb82ac7c9bd0474de208211d267c678ec317b60c48654461a61

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
664KB

MD5
7a6e7a4ef18562ba47876e883ff8d515

SHA1
f5635796a307e517d4cec6416718fb62cded695f

SHA256
118884c6a678f07bd8e0e49925d0e675949d84cba0c3a7f4bd81e14a3275e143

SHA512
64aa5357e915a97a9eb4d480c67925ce75607410859c8f876f2c04f54d8fdfe8ca3ca095a3483e1e56b9f39adecaff9a8e8e2e3f5cc48447330b6ed8dfb8ee89

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
664KB

MD5
7873e3994fb52bd2cd2bac30b14fcbc6

SHA1
91eae8b27d4808f9b4512ff218ffce29074fc855

SHA256
848ca5f39981c91996a76c9bf3558355d462ae20ef62d549a266c9a23bb4d935

SHA512
50d2adc400db51b9d775de7fa428a64a450093c739311c56f3e7c261db90536991f2b4ca37c8b532233875152fa99c53ad4121dfec4346fda8d90dfbd4179fec

Download Submit
C:\Windows\SysWOW64\Dgjoif32.exe

Filesize
320KB

MD5
7ea04de62707c80e9bab39dc9f9dff3a

SHA1
c15b544155ae8fa08f95f66ab7202c0fbd0e4066

SHA256
b9e9575fd1ad5b101922f6eda2956ec3d95afb9899eedbc4332c45e9b6f89f5a

SHA512
867cd1844c2aebdffc0795dc3d7752ed673e857cce48755a79020c7060e8b2f08c74b135a5d73ba74827caffa08bf024de598ecfa894a47f5d58309bb43324d5

Download Submit
C:\Windows\SysWOW64\Dgjoif32.exe

Filesize
664KB

MD5
083c3f435e0155009b2da6ceeacfcb84

SHA1
f8dad4d540804aaae25c7e31706d2a04f8af5cf8

SHA256
26d994496275b904388b8838209c80026285bb6aa92b1ab95e96dd1ca5dfe849

SHA512
520ad10063fed650493b31f4b2d7e13dea22c9c4819f125c8ed97496166863e533e958d2f818172a37e5975d1724341bfd053b27cd8172da6256f5bd3b44213c

Download Submit
C:\Windows\SysWOW64\Dkpjdo32.exe

Filesize
664KB

MD5
087bcd47ba5a5accbab24f1a42fd2b33

SHA1
a79a2f14b5885994cf14a8d206de1e2216aca848

SHA256
a38d40791865e89eae37b6bd04e86570f18cbb127e1ce2f391c726fd603af7e6

SHA512
9ddc5bda9d3edcfdb67c0667a2e97a5f538ea42ef93f70de0f03637d9f0318213b45b8587da2f4332c22c7d3763deec7dcdd5afc9793f5bf789db87702685f0e

Download Submit
C:\Windows\SysWOW64\Ebifmm32.exe

Filesize
664KB

MD5
0946dca4023e61c66b3c4949fa7df27f

SHA1
6634440cc9b1dcb2d89f7cd96e86ef304d35802f

SHA256
c4c4a4148c53c294c90e32d1b26c2013f56edd8fa45c14a04131672e7702b426

SHA512
1008092caa0c4ff90f70982dbedd748c368d8346f6671535411e47cdead45b8774271912a65ee27a5de87f114958cb66be3cde8f5137099837736a3d4163e77f

Download Submit
C:\Windows\SysWOW64\Edbiniff.exe

Filesize
664KB

MD5
efdd3f620bbbf6a88769c1a1f90f6b17

SHA1
5a15127c329dd8dd4de0616bfac835137db190fb

SHA256
d60b4a14977428549e91ecc9f9c34dc635d3e5c31124d3cba217b3495091e9f0

SHA512
cc10c97f35fe2429fba46405013f92b1cbeaad75eaea8b16d330ea8dbd28abed180f8e6aa1eb056ec13f58c03d2a676bd0301a012d3a1f17d522db9d4e5e9401

Download Submit
C:\Windows\SysWOW64\Egkddo32.exe

Filesize
664KB

MD5
be7f93f7d288726774dc055cc5543f5a

SHA1
7673cce6879e5065ab060a524eb9b33afa8cbc39

SHA256
f003958d37e6e8ab94c110847f28c3e439a3895a747ade8f2340c2d53eea0de5

SHA512
f8cdffefd9949b789da281a2a3b4b5904bf1d4b9af0090e77c1f56e1fd2c9bd4b7f6a5309673ebfda14a3d0c6639d7d183aff6e61869d0c3afff43a1ac69fbf8

Download Submit
C:\Windows\SysWOW64\Fbdnne32.exe

Filesize
664KB

MD5
0a3f71aef98a5891c81f58247b8ae263

SHA1
13b2e2a2819e32e15a7b75ab9565594540a84c67

SHA256
88d87c19c1d98ac821230342101165e1f334c5e4c6a918ec39ab57b6c0ff1251

SHA512
464c2706edc24ea66a8f6ab860cb9c4048316546cf32b7f10320361431bac19e4b152160e0525649a4729e6d4d19294ffeee56ccae6a55edd15696dc4725ac8e

Download Submit
C:\Windows\SysWOW64\Fbmohmoh.exe

Filesize
664KB

MD5
611c3d4004f3bd6ddb2a74405de2253a

SHA1
ee508541eb2b4e4efcc48a0603e475b2cce7cae2

SHA256
e9cb7274509490d540cd4ad57a55741e05719f6321fe9c1672f3c49babcadfc4

SHA512
f1a4b078cbf27ba5c3bed5ef461dbd0bce61fdb85582a827f13f65f6b4789bc964f0005234f61b3888f2b3ef64f30f3be2071d6100cc4b596eb468f0abb3fdf4

Download Submit
C:\Windows\SysWOW64\Fofilp32.exe

Filesize
664KB

MD5
42e0dd23cd3e39e942d21226641b48a1

SHA1
f05306bf84817bbd8186f7ae5c4dfdd3e0a33d3b

SHA256
51e013b93551ea7c767d3900cd90b5d551dc9c9b3c583d2e1e15318ca18c214b

SHA512
10bcb69faf89cc1c6f1f246ed87fd4e785e76824863e18f37958cc332f9ce2e3fa12672e97aa1e46b1c3723854d3b8938fd31aa9bd4e28c849026211b8a4e145

Download Submit
C:\Windows\SysWOW64\Fqbeoc32.exe

Filesize
664KB

MD5
57a171f934a0511cd40054aa3afb19e2

SHA1
5d17490fa2b628eb919bd3ce4f850e2aac63427b

SHA256
a541ecb37f6b45ccc027070e3f49603df0de85c11e8eceb53acbb08e6dffcee6

SHA512
f978c9327b56896dfd61f1d88063726cc2da4af643fd53533901501be708b0a8c3723db5f0970199911ac64c2234fa5b468813f4c543c1d0e9ba9749d6d6b0bc

Download Submit
C:\Windows\SysWOW64\Ggccllai.exe

Filesize
384KB

MD5
82f3badbd4ffe3a27f563413d1daaf3b

SHA1
e08140e7ca8435aa86169b5757664e3c0ad86e8f

SHA256
4145ffa66c490874e9351c57b072b1ffc3312653e83aaccfdae4abb4f23f8b04

SHA512
9a4a1a284eea590b5fa63f3fea3c072948840098c450800b1a89c075ec2f8f8c90d1ed6848d2ce197fdc10dc6207360a008fe5aa2496f8b48a8b9b773cec54d4

Download Submit
C:\Windows\SysWOW64\Gkdpbpih.exe

Filesize
448KB

MD5
d2f7ea1f1e85ce75b469e0de9c27d163

SHA1
3492c22ecd9adf651cd68a595eda749cfbb01220

SHA256
26187800d9e5e00587145cc3dd30408f426be1ae1b6cc03bfb06451441715f04

SHA512
0f6f5dea82342e17c460129c37c0c8e7af9be41950bb58dbecdeb3208934b1c4e6695a55c4ff1e8f57b19110890bc77c2d72d15b69d1ea3be522a9ca142c8b95

Download Submit
C:\Windows\SysWOW64\Gkdpbpih.exe

Filesize
664KB

MD5
3d1a72ac7d4e0894e910f934345e8d6d

SHA1
6c34167ca209209cad092998cd28d512f5e6a158

SHA256
02110837b55ef3a463dc867d9e1389e2854c1cd96309cc07119f2f4574c51f70

SHA512
5fe9c900cdfdbfb599faa1a6ac335ef2adff1578be439d71e638d6a7dd5c9da45f4d220795b7c7e8afbf43440f5c17941628e369834a2651624bafe95320b460

Download Submit
C:\Windows\SysWOW64\Hbfdjc32.exe

Filesize
664KB

MD5
23f7c4e4f679f0dc6a60b4aca0617ad0

SHA1
b8580d8209f9d3acd9fb53884827459fc72542d6

SHA256
bad8750ac1c5b291d2866b8ecab9423ec4acd53ee9e954b721409ec85d399984

SHA512
e61269ddfe697298849df4ea00256de772caafeb828759f4a0727e01bc27540895cef0cf8d761ff7203896cad5c1ecda4b19bf1ac8083609ba3cebedd6c7c5da

Download Submit
C:\Windows\SysWOW64\Hecjke32.exe

Filesize
664KB

MD5
b3604b886f84bf8cdb8dd23082be4dd0

SHA1
0d4bd85e3faeae24b1c5039866094907b25344c5

SHA256
e29c1c273075aa1650d467eb8e16a2697748a61abe056969b13423203eb56768

SHA512
37f38a1215ec9a6d2f755637c7902a16b415dadac8a782ee767b9f4ad57ae89990c43fb1e637501cc3689ded417921d5fb8d4d6e0d6ff53afce6cfd019eff31a

Download Submit
C:\Windows\SysWOW64\Heegad32.exe

Filesize
664KB

MD5
5b7d98f385494cb39c14b9d33c2124fa

SHA1
f048475e7f955d5b7f385cdcc3f4bdfc1a2e4f5b

SHA256
713ff04b25940d28eca0b7263c565b1e41d38b1ea5c5001fe6a01a951ce1731e

SHA512
f8cf9e8c13f90f5357fb000da9911f75fb8443983dbdcdad343eb0305faed7bb8794c1da3e64803663bf7685068acf809bc9b94d60dd80d36152b2b3e9eb3af2

Download Submit
C:\Windows\SysWOW64\Hhimhobl.exe

Filesize
664KB

MD5
e26f6ad1d8be2d2629991f9eb6f92bef

SHA1
c82692cfc275921dcf50da77da709f1b0730d7ac

SHA256
95ec65d229dafb479c8306bb72ec206c449f84b5db6b08eb453bba7311514405

SHA512
c59c767e3db91d0f4cba992933ed04d691c1afa0dc3aa421fcb75e82dedeed532e1569d47888a1a930e5eadf25b6c1cc32770372bb1099fdb78fa21cf2a8bf45

Download Submit
C:\Windows\SysWOW64\Hnpaec32.exe

Filesize
664KB

MD5
812792bbfd6e126d075df612bba04e54

SHA1
d5e2b5552fa8cf40b0ec57cd97a0b2709bf84b5d

SHA256
f2a4f5a17343a9724a64e85ab63c295bec4fb697825133e8929af540641d7567

SHA512
de0387c2ceb1d412769e76abb03fcdd4e2169379bcb5a32b29783404a82f9d50718b8421203c91c8286b54b9a6340e24cbae8530a0e2d5cd110e3fa8fddce38d

Download Submit
C:\Windows\SysWOW64\Ieccbbkn.exe

Filesize
664KB

MD5
10c68d0708e5cb514119a48eb23b0e28

SHA1
0d79db436a06121a1529fd997a39f2855eae703e

SHA256
79f95865132186eecee176f23c276315c7c7a3ac5af9f6a3efc01c5d19baac8e

SHA512
a6dff22cd615ec938253219a88cb8a0abc087fb85d5ddecddaf4532582fadaeca8c0d39ca47e457570236be0ac1c285b227adff7fb0a05df5e38f14115c1ae47

Download Submit
C:\Windows\SysWOW64\Iialhaad.exe

Filesize
664KB

MD5
bc526aeba121398a9656bcef0341b7e2

SHA1
c505f17c9012dbf015e6c781ab08d08eecb71361

SHA256
bb3197ab86953680ecf0bc13f7102fb779ad7a76dd3a152917cb41269a91d68c

SHA512
ff1ce88c57296319efd026febde40acc764d6a6c0a36c41d13f6965171fe3ce16321b59d4edce6b4611ce9a4c42e175b0de2615654a32d3bf2c2864cc003488f

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
664KB

MD5
87d6271ec9620e6ed88515e3d48fcec7

SHA1
f25c6fc6d0660a94a13555de3eae90a16e789cb3

SHA256
a153b945321d3a2e9669aa5b82fd47dba193eba838bce1f6906822d5f79d94d4

SHA512
18f4e5428544d849f52fe019a035fc91c4b48e16238304ed609181fa02020036fb13352bdaff01872b2eae91752a1d93857486bbed1c6eb7b8684ce65a755c0c

Download Submit
C:\Windows\SysWOW64\Ipbaol32.exe

Filesize
664KB

MD5
28223daae0710c6fc029432f8ac810e1

SHA1
b0b827133f324b5295b28181ada95ccc487ee40f

SHA256
e1c10e83124b2590512f09e85d3e956d07434bf395a2d1854614699bda3ee4bb

SHA512
b20c96ad941e80c1d65d90b9112deb828fb4a2cc988982b6caa267dbabe2d6becdaa3a21496322f60edced8feace34feeaef694fe7180c7371a535cafd450d7e

Download Submit
C:\Windows\SysWOW64\Jdmcdhhe.exe

Filesize
664KB

MD5
4e9b9f44cdc20993861708027a59829e

SHA1
2bb1e7bb46386e5c4b61d6aa3bb119cebd0f721d

SHA256
aeca90f6c0e43bffb61f56c178972d0f111855bcc3b38881483b0181e9ab11d5

SHA512
099189c5ab7abb7f3dc3a0f5543688c513733d5721a067eec04b1c0fc348ad009572a3f8dd92d35509d987909959a92373ff0b92410e7e7f09949fbf1c1f1fb5

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
664KB

MD5
0c338209e3bb907b51a73a80a8b66483

SHA1
5d9e433d6a37bb1657bfcbb9d868594d73f32330

SHA256
dbb6450697b29432c2195e7bd01f47c82e2487b67c15877c4086dfd3059a67e1

SHA512
3e079a3cf027843fc35b579f622d931b0af75eb376167b3e8a7c572221ba4533fdc1ae5ab89d26a119cfeff0a112e81b31828a4deec5d424e506df2b0409caae

Download Submit
C:\Windows\SysWOW64\Jifecp32.exe

Filesize
664KB

MD5
e27fc16387f210a3151669d4e8be8065

SHA1
59a9eb23983bcf48734cb4ee5781c58bef369ee5

SHA256
aeb0f3564f151e31085552811d66eba9f420c2cda6bbee7fa5eaf0c0b253acc6

SHA512
b7e8816f8b2ef110828bc83f16826f02062d3a1befef592ad6be55a7eb05388c484c22fb89869cd010df7287473e83b9d4f7156de798bcfd43b2c57ad575cc5e

Download Submit
C:\Windows\SysWOW64\Jllhpkfk.exe

Filesize
664KB

MD5
a2e2d35a6c9953ec7c46dab3ca5e7d1a

SHA1
1cb4f00a2e7c690886d4a83bbb9148e7269b73cd

SHA256
dcf273cc1a52bd57b0902eb355447f03c4990e305f49cd7d690a155ebc56b8da

SHA512
c21914856338605138edac55da2ada2f3077b7500757d8dcc4f0396b51fd27a1412de3cec7d7a378faae42da67f1f123354016d75532c32473825a4f87a2a50c

Download Submit
C:\Windows\SysWOW64\Jpbjfjci.exe

Filesize
664KB

MD5
82c866eecc817ce56c2f8bb8e28e5246

SHA1
33e3d2cf519575abc5bf5eb3cf30337783b44f49

SHA256
e98adb23273740e185a0faf0ac71654aeb71e026d689ccd78b9ae39098e14aa4

SHA512
32d432eed2c9e299c7a1e64a246d0d5d8401d60c3e61ae48b5612a9b3db23b8983d24b33737cd2013643559ba1a4e54a616d1f10a2f1bfc8189e25af2aba29f4

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
664KB

MD5
5ba09cd80aa1f526169f6a6ea929e267

SHA1
137557e1ab8b94f1cff37c2e2d475a3d98773b54

SHA256
867b6e3751864b02935d295368e1ca10e1855b30837db814868e234d384bf12e

SHA512
afbafb641f4775498827289781b8f25dba7b046b4ae28332cb5b291f611aef62ee8901438f73149ad6169e9d3339d585cb683c093df5f3639fe9ffc1c78357e9

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
664KB

MD5
24fa01aa7b4686ec4daf86c95c64c456

SHA1
ab59286b76e0ffe1311415ef2ab82dfcd34be26f

SHA256
e35671d9fa22dee839b7714e93332ec4f4d1f521f8b4648b868ec512ccd10c56

SHA512
5bfc413970fa2dd2c1f9acfcafebf6d36056c3679e35e5c64ebf8be5cc79f441cd7c9d93ffac9bc34b0b5ca4b07cbf7fa8e759816ac6341292b488c3cd5f8a00

Download Submit
C:\Windows\SysWOW64\Khlklj32.exe

Filesize
664KB

MD5
aee15c020fe4b804bcf8ba5074f96c85

SHA1
8c161ef10ef5adbb528452457c91cfe94852c14a

SHA256
ed96b9aa4c972745568f6d5d5eb400dc57904387fbeddbe2b946a6398807ed18

SHA512
6ac2baad1d680ead96f2853c0811d2c9d491dcfc74bd4ece826d758d6e220c49e3190f7ee0e40eee35c0c876d848169ab527f233c852b3d7e424383a71f82ccc

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
192KB

MD5
fda6b4bc1efa596eb537201f7040fd97

SHA1
ec40c853e0a44f93fdd1768090cd3dd9450ac643

SHA256
800b1ce7b1d0cfb157d668188423bee4dbe47067619d9b8a772e122205bdccd7

SHA512
90d5947d97eb6b9df1880869a30d4df11f126b556d05dbaab57ed936b6ea945b38ec27237a55e4c4be6563cd238866bdfd8e85df2d4e5ed4c6969f3eae1a5da7

Download Submit
C:\Windows\SysWOW64\Lacijjgi.exe

Filesize
664KB

MD5
92009fabd25e92882074735c1573321f

SHA1
f40334b826070341b5cb160a7b51de66a1417a5b

SHA256
2fd9b53119a4ab6a07e02b7abf1178b3aab475c3ae5b0b0796f629ebff1c6153

SHA512
85315e507fa99bc3530c26401ff8425ee522f9826c1b974200faf7f885b0e43a01a9bc020e640e237a9d48ee7136c9a44e6ee1fe7eb43156641a0cbc385712e7

Download Submit
C:\Windows\SysWOW64\Lbebilli.exe

Filesize
664KB

MD5
78bdb32b0e787dc8f1d04dd81c0cc77f

SHA1
17440bf7d1313fab559381be7d40bbbae55f715c

SHA256
3c811665d91587c83221d932d9d38c3c3d1063fabe2b4f36a1a10aa495321340

SHA512
619207c1980d8c9cfd558de43c33832f22503948c3243efc6ec898ad2d2c965fbe17f2fcefcd4a50c90f393ab21a8c7942180594188edcc03a635d9dbf53ce62

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
664KB

MD5
cbb0681207aaaaa3039e859a9a0b2674

SHA1
8f973e039ab541d07269993f707d16b58bf0f606

SHA256
553683675596bfbf7bcf1f4a417e9e9261b77fedfb1a18b2bf1e9f6184055548

SHA512
6d170421989abc42371f34c94377f583d443045b7ce0978b1be66fd52d8d9bbcae7a8f83ae234da880ce62cbb15970f05d4587700327deead3ae84345a34c07a

Download Submit
C:\Windows\SysWOW64\Ledepn32.exe

Filesize
256KB

MD5
d6353f0b05e7bec45071b705c201e6a6

SHA1
cf168a730be780d98ee3061bacdf3b90d2656a7c

SHA256
0213c8b8d8c30555668e0f6ef325f46466df62b21318349aecfa4e3693ea057c

SHA512
ed022d2af84aba88afe6791a53b714599f575345958ea47384398d9313d1c8f8fcccb996ccc355c05649fbdba5509c970af59e835abef4a1550de57cca4d2d59

Download Submit
C:\Windows\SysWOW64\Lnangaoa.exe

Filesize
664KB

MD5
a14badc8019d62e6e0cd0e54c7962007

SHA1
a9aea78a9ef229824cc00673318bef0895bc8afb

SHA256
7727dc8d61ea3c49c5d95fa47206969fc00170005c10ca6f7069d3cc7407a7fc

SHA512
fca94b19684326ccc3031c776e6a09afd7ccb34efd5741fd6429bcad9e52df1844ca8d2c1c289f9c1a2b05917e0864ed27860626706b91b3a5fda2c035e2d3aa

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
664KB

MD5
91da5d0f0a95d13a5e61ab3abac76ec6

SHA1
69066205a50b32b15d2034cbc2459c041c71fb91

SHA256
0878625d4f45f14e4a08fff93357fe50a60f8191501aed36be75a21b758c3105

SHA512
64e166d19206e19d11492b17e440fcbfe5c4ad8b4d4c017893d5b2951ede975880945b89c50079eb036383b1baf1ad8a4a68ee6e17234ef079f9d2191df068a9

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
664KB

MD5
f156b675b40caf1288dbe31e854d83fd

SHA1
18af3b055f0a27148bcdf0dcc50ec39781eb4dd5

SHA256
ef22fd4a90092700eb6d330e9b6645677970fae9fec4d920f38c9ef5143efaab

SHA512
f19ae311a338e1ab10d64c60f6a2d83d195296c919d31a5b23a0925e564581c0f2cbd896ac9abde1d4eeddad7f6646bbcca44765fcc6d2c3c730d830e483fc81

Download Submit
C:\Windows\SysWOW64\Nqcejcha.exe

Filesize
664KB

MD5
8b1a88a12f26734c96faae02d0facf98

SHA1
8b5f61ee65b5b8b0a5a0a8ea75ef7662a31cf075

SHA256
7ebf9bd045c0bf3e47dd4dc55993f0c913f1c4fc4deca000e79ba43eba2ad93a

SHA512
6254a5048da18ae771750fa251a8d253aaff187872dd4cc5d5ce4df0ac537e7079679f867bc7a16af7769589a7c1af152e456344a29219eef31ff2341b2f7f0d

Download Submit
C:\Windows\SysWOW64\Oblhcj32.exe

Filesize
664KB

MD5
8f10830a93b92e387bc479baae14595d

SHA1
750d2e52c035ea684c14af07ddfcfa35e3ccbb2d

SHA256
9cfe6a0a4fe5bdb94486d972ae6bf14e6fde026520fee0943c91fd9704f1fc83

SHA512
fa6d2fdd48fa7cd91fa0c6fc80f8a31f04a29b5816101b8ae723677cc1fffb2bcc82ad1b1d68761dc0fcc7fc60665eec899db6f4328c81bfaead38a7467a4281

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
664KB

MD5
bd142c7f23eec2fae2d53ecb92a341b4

SHA1
c962543118319f15c508eed8c1f46553588ecd94

SHA256
bbcbe830893e64b48c875e604de82c32182c079995f98bc6fc6ec2253e28386a

SHA512
aa7218b70d06c19726ec1977f16002c0e50875fa3d991c536674e9f201ad7f86539b38379d101647c9a9c80a94a0d53e77dad4e90c227b41084882bce3e90439

Download Submit
C:\Windows\SysWOW64\Ofegni32.exe

Filesize
664KB

MD5
7a86a855ec85724a7d45523415e3b1b7

SHA1
c07fcdf835f8c5e12b4b1a9a1c47cfd20d4ee7a7

SHA256
f937c0b0b09621ef56e2c9304f3133fb031626158593b4b4772313b500095551

SHA512
693bdc7e1df442bb56435377307d2f98b091c4dc96e87c216b69f47285a0d8a6a612b84ce4255dc8b8b4b9c16ae153bd2ea606cd10f21c85e408359ddcf2774f

Download Submit
C:\Windows\SysWOW64\Pfagighf.exe

Filesize
512KB

MD5
57eeac2d857a07d040526581822fff6d

SHA1
f70d778dd68e300cfd9fdf753795f4265e07a329

SHA256
c29b06ec4806358075dffb2e1a7d6b7d3399424c0340dcbd289e9307c90d8a02

SHA512
89d6347dfc61b7bace43ecb75be6a870cdc03c95a6fe7848791245000b0d2b4ef262ae3b69e5c2426bbfa70406dc409203a447c9c7d03b7021dce88c8be0652e

Download Submit
C:\Windows\SysWOW64\Pimfpc32.exe

Filesize
664KB

MD5
b49467479dd63de9ac7890fc4dc890d2

SHA1
bee9773cc77db1274dd98872e38476c3102b1b77

SHA256
0602af4efad6165cd862ac89de99d10a5344af9ac397f8b016cff8669f66fd9d

SHA512
2ae6a3d39407e0ad83bebf79145b06f38a7e580fe9c6f094dbaeff9e0da3f35a3b563ccef812f8aa0dd4f3dd16b396f555fbec523e9b5e008f81644fc1482c56

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
664KB

MD5
c4ac29d4b3778e741c3edb5b5f396d08

SHA1
1a549bd2fb9ce6ff8a09cda8c457526334629fe6

SHA256
378edebed26bffecf31250bc39319f8ca5b4d692e2b78fd1a2b648c6d9b73c0a

SHA512
82bda31f4c62b9686046b3621b39b196d51380033493195f4baecb049c4ae03679da43b4d354a3c49c9fe6c92e042bd0bc5c770d1d5f3f07b17945de8c80d9fd

Download Submit
C:\Windows\SysWOW64\Pneall32.dll

Filesize
7KB

MD5
95eb78f99d860e1db6a01411044dd1e6

SHA1
807c053b29f48849e370dcb5b47ca168193e6786

SHA256
03b1b673f8ede5318b5659aa767a1a0fb11c69e018f741eda89fafa4cbf6ae49

SHA512
4ee7576d5e35a2baddb1fd0e082dc06f61483480737e12f167ce77627bd14b804c87b87cd9b9c8ee735b7ade3b6a9e133587b3605da17bf431f1229841c5addb

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
664KB

MD5
13776808f2a5835b80261810d7aefd82

SHA1
3bad54bc6a3cf4fb7b9bb9e0b135820810fde2e0

SHA256
e61c1b0d0884b5fbbed8d98a2f3211467940f4a8ebe0b3c22ccf7b36cbb8651c

SHA512
8e7bc22aa895a56b044a3d0d32e7cbd9d8295b8899a8f93ae160c6f3788432aa2c37c0258c6d1cdbd0b260f93f3e08f8087b99ebf721fcd501b62680f1ed35c3

Download Submit
C:\Windows\SysWOW64\Ppnenlka.exe

Filesize
664KB

MD5
c5e563369b8fcc5d28cee169f58eae3f

SHA1
35dff6379e75998dac85a1f83db7d308a0ffa6d3

SHA256
527b4ae0df7e7294e4c3244be37c11528c6f856535379e6e897412fa23252b17

SHA512
933d8f588c0889c7c7f0866c46769aa9ed72a0ca2bf2ab201c67db9a861766d2e51506b8073d03c02691d81261c6c99e6329badbba46a03606938e95a1e756d2

Download Submit
C:\Windows\SysWOW64\Qbonoghb.exe

Filesize
664KB

MD5
57dc4f52ce1c43f61d66a78225479668

SHA1
47fe6ab44615fed4866779b4a23c0330d2a1d1a4

SHA256
d3d770c62277dd38cab6e089c3c1b95803a33094c33ba113bc38999698c3275a

SHA512
bf65f1b0060ec1944b68448b4b8923cffc68bfbca8c96e33636706553b751bbd4c68d713291e4223fbd9164ef4b40bc1033abe874fad70c95b36c1311a72f192

Download Submit
C:\Windows\SysWOW64\Qpeahb32.exe

Filesize
664KB

MD5
b0925bd256ac75ba94c29b813422fb1a

SHA1
bf59efaaf19e98e9ccce0d7e4acce9e5e06083d0

SHA256
bb18c0f27260dd9764e8abb92b76ba4c16a9f594d4509d96dc3c2afd0005e367

SHA512
e13bd3bb043e6c19ab02e4613eb812c4e883528d35a1f6fc7fc84851e4ec8c5acc30d3c30030fe6220a56cdb88cc33e2d623efa9e43c8a5f8f84256df0fff1a6

Download Submit
memory/440-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/440-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/468-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/656-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/700-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/748-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/788-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1104-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1172-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1184-578-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1184-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1252-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1252-592-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1500-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1528-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1624-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1856-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1916-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1988-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1992-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1992-599-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2176-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2184-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2240-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2240-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2284-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2296-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2336-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2520-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3036-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3140-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3164-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3208-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3264-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3420-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3536-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3564-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3564-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3740-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3780-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3940-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4008-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4064-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4116-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4160-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4172-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4196-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4236-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4408-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4412-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-585-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4516-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4604-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4636-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4652-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4696-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4780-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4892-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4964-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5044-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5136-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5180-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5236-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5280-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5324-570-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5368-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5408-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5452-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5496-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads