a994ec80a8d52b5541c3b78bf2c80d99baa4fa2f05701f7a05a5dd1110c93aae

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5faeabcf6a3a6df60a3d17d5d327ffb0_NeikiAnalytics.exe
Size

300KB
MD5

5faeabcf6a3a6df60a3d17d5d327ffb0
SHA1

7a60e9fc8bd0454249be3871fef246fb6018235e
SHA256

a994ec80a8d52b5541c3b78bf2c80d99baa4fa2f05701f7a05a5dd1110c93aae
SHA512

06057a5345ca065a6cf0cc11f3cf1864dc16a18b441480ae5387ee76b2678ea5b9fec611de763cdbf8a0740a0dccff04931efc9b69647a6e62d6dd96fe8d9595
SSDEEP

6144:JqjTBXD2jvosK6mUzW0jAWRD2jvosK6mUzWJEmQ/xvAORykVbn9X6:JqjTtx67fLx67+dQ/XR5bn0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlojkddn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djpnohej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe

Executes dropped EXE 64 IoCs

pid	Process
4072	Dagiil32.exe
3216	Dhqaefng.exe
3796	Dokjbp32.exe
4832	Djpnohej.exe
4664	Dlojkddn.exe
452	Domfgpca.exe
3520	Dakbckbe.exe
4588	Ejbkehcg.exe
3672	Eoocmoao.exe
3572	Ejegjh32.exe
1476	Elccfc32.exe
2392	Ebploj32.exe
3472	Eflhoigi.exe
3708	Eodlho32.exe
916	Efneehef.exe
1672	Elhmablc.exe
4792	Ecbenm32.exe
388	Emjjgbjp.exe
2560	Ecdbdl32.exe
1068	Fjnjqfij.exe
2496	Fqhbmqqg.exe
428	Fbioei32.exe
4640	Ffekegon.exe
2104	Fqkocpod.exe
3596	Ffggkgmk.exe
1920	Fjcclf32.exe
5056	Fqmlhpla.exe
3988	Fbnhphbp.exe
1256	Fihqmb32.exe
4068	Fqohnp32.exe
2376	Fflaff32.exe
2516	Fijmbb32.exe
2268	Fqaeco32.exe
1928	Gbcakg32.exe
4188	Gjjjle32.exe
2732	Gimjhafg.exe
1296	Gogbdl32.exe
2888	Gcbnejem.exe
3488	Gfqjafdq.exe
3252	Giofnacd.exe
4976	Goiojk32.exe
4300	Gcekkjcj.exe
4716	Gfcgge32.exe
1712	Giacca32.exe
1176	Gqikdn32.exe
3500	Gcggpj32.exe
2408	Gbjhlfhb.exe
3524	Gjapmdid.exe
3120	Gqkhjn32.exe
3116	Gcidfi32.exe
4708	Gjclbc32.exe
4984	Gifmnpnl.exe
3616	Gppekj32.exe
1656	Hclakimb.exe
3752	Hjfihc32.exe
5000	Hpbaqj32.exe
640	Hbanme32.exe
3296	Hikfip32.exe
5060	Hpenfjad.exe
2188	Hbckbepg.exe
4952	Hjjbcbqj.exe
4596	Hpgkkioa.exe
1564	Hjmoibog.exe
3964	Hmklen32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Efneehef.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Kmihaj32.dll	Ecbenm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Efneehef.exe	Eodlho32.exe
File opened for modification	C:\Windows\SysWOW64\Elhmablc.exe	Efneehef.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Fqaeco32.exe	Fijmbb32.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Lbdfmi32.dll	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lbdcekmm.dll	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Elccfc32.exe	Ejegjh32.exe
File opened for modification	C:\Windows\SysWOW64\Gcbnejem.exe	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Dokjbp32.exe	Dhqaefng.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Hakfehok.dll	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Fijmbb32.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6692	6520	WerFault.exe	258

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll"	Eoocmoao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5faeabcf6a3a6df60a3d17d5d327ffb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5faeabcf6a3a6df60a3d17d5d327ffb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfqjafdq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 4072	1224	5faeabcf6a3a6df60a3d17d5d327ffb0_NeikiAnalytics.exe	82
PID 1224 wrote to memory of 4072	1224	5faeabcf6a3a6df60a3d17d5d327ffb0_NeikiAnalytics.exe	82
PID 1224 wrote to memory of 4072	1224	5faeabcf6a3a6df60a3d17d5d327ffb0_NeikiAnalytics.exe	82
PID 4072 wrote to memory of 3216	4072	Dagiil32.exe	83
PID 4072 wrote to memory of 3216	4072	Dagiil32.exe	83
PID 4072 wrote to memory of 3216	4072	Dagiil32.exe	83
PID 3216 wrote to memory of 3796	3216	Dhqaefng.exe	84
PID 3216 wrote to memory of 3796	3216	Dhqaefng.exe	84
PID 3216 wrote to memory of 3796	3216	Dhqaefng.exe	84
PID 3796 wrote to memory of 4832	3796	Dokjbp32.exe	85
PID 3796 wrote to memory of 4832	3796	Dokjbp32.exe	85
PID 3796 wrote to memory of 4832	3796	Dokjbp32.exe	85
PID 4832 wrote to memory of 4664	4832	Djpnohej.exe	86
PID 4832 wrote to memory of 4664	4832	Djpnohej.exe	86
PID 4832 wrote to memory of 4664	4832	Djpnohej.exe	86
PID 4664 wrote to memory of 452	4664	Dlojkddn.exe	87
PID 4664 wrote to memory of 452	4664	Dlojkddn.exe	87
PID 4664 wrote to memory of 452	4664	Dlojkddn.exe	87
PID 452 wrote to memory of 3520	452	Domfgpca.exe	89
PID 452 wrote to memory of 3520	452	Domfgpca.exe	89
PID 452 wrote to memory of 3520	452	Domfgpca.exe	89
PID 3520 wrote to memory of 4588	3520	Dakbckbe.exe	90
PID 3520 wrote to memory of 4588	3520	Dakbckbe.exe	90
PID 3520 wrote to memory of 4588	3520	Dakbckbe.exe	90
PID 4588 wrote to memory of 3672	4588	Ejbkehcg.exe	92
PID 4588 wrote to memory of 3672	4588	Ejbkehcg.exe	92
PID 4588 wrote to memory of 3672	4588	Ejbkehcg.exe	92
PID 3672 wrote to memory of 3572	3672	Eoocmoao.exe	93
PID 3672 wrote to memory of 3572	3672	Eoocmoao.exe	93
PID 3672 wrote to memory of 3572	3672	Eoocmoao.exe	93
PID 3572 wrote to memory of 1476	3572	Ejegjh32.exe	95
PID 3572 wrote to memory of 1476	3572	Ejegjh32.exe	95
PID 3572 wrote to memory of 1476	3572	Ejegjh32.exe	95
PID 1476 wrote to memory of 2392	1476	Elccfc32.exe	96
PID 1476 wrote to memory of 2392	1476	Elccfc32.exe	96
PID 1476 wrote to memory of 2392	1476	Elccfc32.exe	96
PID 2392 wrote to memory of 3472	2392	Ebploj32.exe	97
PID 2392 wrote to memory of 3472	2392	Ebploj32.exe	97
PID 2392 wrote to memory of 3472	2392	Ebploj32.exe	97
PID 3472 wrote to memory of 3708	3472	Eflhoigi.exe	98
PID 3472 wrote to memory of 3708	3472	Eflhoigi.exe	98
PID 3472 wrote to memory of 3708	3472	Eflhoigi.exe	98
PID 3708 wrote to memory of 916	3708	Eodlho32.exe	99
PID 3708 wrote to memory of 916	3708	Eodlho32.exe	99
PID 3708 wrote to memory of 916	3708	Eodlho32.exe	99
PID 916 wrote to memory of 1672	916	Efneehef.exe	100
PID 916 wrote to memory of 1672	916	Efneehef.exe	100
PID 916 wrote to memory of 1672	916	Efneehef.exe	100
PID 1672 wrote to memory of 4792	1672	Elhmablc.exe	102
PID 1672 wrote to memory of 4792	1672	Elhmablc.exe	102
PID 1672 wrote to memory of 4792	1672	Elhmablc.exe	102
PID 4792 wrote to memory of 388	4792	Ecbenm32.exe	103
PID 4792 wrote to memory of 388	4792	Ecbenm32.exe	103
PID 4792 wrote to memory of 388	4792	Ecbenm32.exe	103
PID 388 wrote to memory of 2560	388	Emjjgbjp.exe	104
PID 388 wrote to memory of 2560	388	Emjjgbjp.exe	104
PID 388 wrote to memory of 2560	388	Emjjgbjp.exe	104
PID 2560 wrote to memory of 1068	2560	Ecdbdl32.exe	105
PID 2560 wrote to memory of 1068	2560	Ecdbdl32.exe	105
PID 2560 wrote to memory of 1068	2560	Ecdbdl32.exe	105
PID 1068 wrote to memory of 2496	1068	Fjnjqfij.exe	106
PID 1068 wrote to memory of 2496	1068	Fjnjqfij.exe	106
PID 1068 wrote to memory of 2496	1068	Fjnjqfij.exe	106
PID 2496 wrote to memory of 428	2496	Fqhbmqqg.exe	107

C:\Users\Admin\AppData\Local\Temp\5faeabcf6a3a6df60a3d17d5d327ffb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5faeabcf6a3a6df60a3d17d5d327ffb0_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\Dagiil32.exe
  C:\Windows\system32\Dagiil32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\SysWOW64\Dhqaefng.exe
    C:\Windows\system32\Dhqaefng.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\SysWOW64\Dokjbp32.exe
      C:\Windows\system32\Dokjbp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3796
    - - C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
      - C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        28⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        30⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        36⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        41⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        42⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        43⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        49⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        51⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        54⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        58⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        59⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        63⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        66⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        67⤵
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        68⤵
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4652
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        72⤵
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        74⤵
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        75⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        77⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        78⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        79⤵
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        80⤵
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        81⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        84⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        88⤵
        
        PID:316
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        90⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        93⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        94⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        98⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        99⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        101⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        102⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        103⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        104⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        105⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        106⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        108⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        113⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        116⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        118⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        119⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        121⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        122⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        124⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        125⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        126⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        128⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        129⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        131⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        133⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        135⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        136⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        138⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        139⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        140⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        141⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        142⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6312
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        145⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        146⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        147⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        149⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        150⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        151⤵
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        152⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        156⤵
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        157⤵
        Drops file in System32 directory
        
        PID:6908
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        158⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        159⤵
        Modifies registry class
        
        PID:6992
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        160⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        161⤵
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7164
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        164⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6296
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        166⤵
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6432
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        168⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 404
        169⤵
        Program crash
        
        PID:6692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6520 -ip 6520
1⤵
PID:6636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dagiil32.exe

Filesize
300KB

MD5
dc30ce8f342d55d0a4519c0d69c7e052

SHA1
a0e7575ae7b6ce527d29538373765f07332c1bfe

SHA256
e14e9c637929353492646b6e881eb7012faa7055783364799ea7d898e1498698

SHA512
7f366e258ca8d1448253d4c2799e5f5c8d9528b01cb20ac7ef13374e7c262e7b78538800d10fc73fe8b3a538f2bfe5d7afc344e1f7fc4787f8fd5705c1f9e405

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
300KB

MD5
6504a5c6f63906c4d04d1196bf7398ee

SHA1
d69bd1c98dddc1652780020742e297b6ad5abeb0

SHA256
d34dbf9c5b36f28b898c54a95ab5c2bbfa36b9967656a32afd1f16eadce55fec

SHA512
19bb889515a5240f7e10252873bad7d4a1c3332446238f3e4f8bb826897420424b0cfe6b9e730646eb9a283093f7b0e08fce2b6a10f0e7edcbdbbf4ad1ddbf9e

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
300KB

MD5
7c001100237fd5633c1d8913897aae70

SHA1
4da7346eec008719fb5a2c61b6f19bdf939b8d22

SHA256
f88548fce63b94bfa48386430edfa1a19aaa0af7668b4361841210aa0edf3e45

SHA512
0f9b406575ff9ac604525eb4c66ed53f6bdefe99ef0a85f0715aea0bffd05eabb8689bc8a47f5334b651eeba7836e884f31c947dfbae2d64cb9bb94ea9853511

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
300KB

MD5
87ea4c83426d207f380241f5452c377f

SHA1
dbfab1496669ffdf6bc2c6c296bbae2e62fcf5d8

SHA256
ccdc9094a15ee2a3aa775ac1b40a52500056759adaf48bc301ee5bf59ef95ba9

SHA512
6f1494f9f5eca6e1b57bfaa3bc7b31d3ead1b4c4f86e30bf38d884cb2f38017c874cf35c208681eed7be88de850acc71b1ed476a8f345520c2432864d5c80e9b

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
300KB

MD5
c1eb153e2687c1d97fe6d43814f357af

SHA1
b10d8d77a6fbfdac27e4d186b87e7e340c53d0ae

SHA256
bb274a6d88d6a8fa67d681fa2f3527bef9b81ff2fe8783fde173393a029d4e2a

SHA512
3cefe2dc74ce91f9148add067ba97784528d468bec723a0d87791d7df8ecf31f8aa323ddec190bb5666fc661c7633c64c2ec723067798e54357448cb090bb9d1

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
300KB

MD5
a27663e974669eab413f1e146aa34a5d

SHA1
5571189592466bdf3fedba2ab1b2dcf56ea9f5ef

SHA256
6bd0715bf9ba3e15e1fdcc36627e608da5502cd01fc127fe9cb13d08a1c6c6cb

SHA512
96e316404cdc0b9323b3ddba1a1671610c121f73d3aef4f387d53e09f8cd7b1e9ecea3801993ebe34c39768ddd802b2be585d58f55d6b8785cd612a248f6d462

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
300KB

MD5
b91c7adcbe0f7cfefcc677c0ab0ce06b

SHA1
bb1f2489859164e4f684804965ced3bfbe3fabea

SHA256
d6b4a4fef3d5cd3e2d59bf5cf0e867bada316a5adcc9ca222f092cff706b1554

SHA512
583d0fe0e6173ceb4dfa55979a2161ade2f3f8d1a07b7f6aa020d51144abcd0b66f45a77938aef409305a31d9d89cdfac48e78ad6340ee99d38d4a24db7cfecf

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
300KB

MD5
862696f83bb0a89264c42b8f8a456eaa

SHA1
404a4e563fd746af32238e0e18a296c32ae192ff

SHA256
14c039f8bb44f467936992a38ac566c4568ffb576d2671d89bdc12bcad1d62bf

SHA512
e90569b78945b9b3602fe6d6b2de9c8277c82fd42c8d167e2de3b92e240746378ad70d96c340a1ce4684ae55ea412331534df0040c7e51dab5a45529358566fd

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
300KB

MD5
97787ce146c61dc204d62d53e35d7fb2

SHA1
9d5cc43804bb5227b14f92d5301b46f5f03d814e

SHA256
b2183cb58b18665ea9cb9c48ef19f53cf1117635d6c1fb248a794fe0f69d3824

SHA512
9aa5e89875e4069bbbe1c18122c97caa6eacb72227a8ef6aa30104de734fe4f9d6f5d9b63d45d9b30ae3f1240cc44db9585c96b2d48cf10145314911c84622cd

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
300KB

MD5
a16edf17703c3702c614757b7e0f992f

SHA1
bc2625574d49fca4292582a3783a46d85d4b1e98

SHA256
e2125294c45a5cc87258f7eb61ff4245ff92b9318d750175d4ec75206080011c

SHA512
f4f5510ca78aa79ba1059843652d3541b2e67318675d8c393ec882fd4d85a8bf14b7946635b4f149f9ac1f018106a0555051383b4a464f26a167c9013146a1ce

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
300KB

MD5
987d526c3db6fde1e61365f57f1435ce

SHA1
c9c8c5f8922ede791f6d777299f5a30907c6f244

SHA256
edc9624d1909872a207144fe77e0c7d1499d47c37030e2faa39898a89216f05d

SHA512
a1694ae310ac26fb307ec2f2759e72cc865c8e848f1d2366471a259b158c8848e667a69907fa40024326f94fd95ae58a6b4d76476fc7ce1c51fe6e5e9ec869a1

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
256KB

MD5
71909919514acc03f16aad571f532bf8

SHA1
baee977a0955071ea000d3c6a6476cf3558fe477

SHA256
2e8d6e8dbbb76c6c1880f4c2b61d10ccedb6eac004832c79ff587933a5e60d3a

SHA512
4e66618f255b77d11407f16bf7da4da7a87eb4a75b462c9f14c9840ee47ad1df8e046bb220e6d169f26f7b559d9754af1ef5650d0519c3db1fe287d58dad9324

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
300KB

MD5
dd2ce9fab546a058d8800164a1ab1194

SHA1
fa77e5b0c495baa4cc46a9ccba5fc79045f87807

SHA256
5b79d9bd9b6b4844f149df3090ebb8b24e81ee0b2494d5c3d742ec77522e766c

SHA512
46f0f1afeb25ca5c4dc16c140ba4a0252b5c64744c9094d600c4080e83ce379aba8ba94679a2a2178e3de06e09156fac454c584193351324052e8631c6fa7570

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
300KB

MD5
987d0cda8accae7b79411bdf949c43b1

SHA1
ee055dddd72c28bb03988fd3e6db0d0c2ece6bae

SHA256
65bcf8f6079c958f5d67bd9bcfd85c53c3a0d4d4b4f1280485e95cc17f763f24

SHA512
a2ed9233eea2c35e90c353d00fe7a915d58abde625a247d233fbac3d699462913d2516e574960d460b90bc3e6ab5f808602a936d38ead0b3db6e28bc73ce18cd

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
300KB

MD5
b96a7f8098359cbd8aca4d92909c8792

SHA1
7692e5bdb8e6e63da8d4947bc267588dbeb47663

SHA256
36c44f0b691fd964271e538fe19a788551c0614fcfa89bdfab6f83283dc291a7

SHA512
c9f6fed66131f5a72b428ef89c5031fc45ca1c09b041e6d6751fc180647edb148f14e61c8cb8776a01352074a9b9eaefec709554c5d0f48aa7473a05b5e4824b

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
300KB

MD5
9c0cfa0f6ddee9fe6cdf7f5bd53b54b2

SHA1
64b2e551298416d579fdbbe348d32342fd6e82ce

SHA256
8f0b25498a45b1520a61a09420d9dff470d8a31e571bde339cf55fa35ee69be9

SHA512
01c01e3166f00aa1190f27f48c9344c60d436660a50f04e6cdc84376b7d2e9f66505b5e7a9b02ec275726a30bc5dadb08e54ffd18c7efd67dd5e8a2bc128ee30

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
300KB

MD5
2a66e022e668fc752494fdf16c9ca01f

SHA1
e58d0c845ea0f92ee3df98c0fe819a037a3c452e

SHA256
f729a817f750183d98b47dfabab95dc3309cac7f280ece3d72ad23c105b1e231

SHA512
c7c7681426c712fb20e3abba0469ef4b0b65b1f0c086fe592c0aafd83241aac3ee46a1b649235856bd27ca0bf728e127096d17f822193507ac877c90f35022d5

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
300KB

MD5
415cec739f575abf8161a9e60af13081

SHA1
1979253b62884300ea0d30c6833b598b75bca3ce

SHA256
7a6d63aa23773132f57e889ec658fc4de9db1de563506e522ea667ad90e508dd

SHA512
81b0b45ed7f9ae6e1706f889913099fe38be6b2bd9f191057db3afd8f2c9ee9c59fb7068b7c379ecf4fa10f649c343f306cc7ac488a7d90e5d29b7a239f9e7e2

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
300KB

MD5
4935bf9bac7812ac57cd9628d399bedf

SHA1
1743435dd07d47a4b9a268de5cc4f20d704f8034

SHA256
9f6b2b430e362f66e188478a8268fc132882daee9dbb2cc063a4ee17241a5a9c

SHA512
0dedc76f39cf0750129138e491c85bcf3d42d848ba7bb99f5a9312ac063c21d1aa1729210424a50e9b540838b563336695f50224d92059150dceba628683b8ce

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
300KB

MD5
b4203851d63a5b7f841d88db0ca1d04d

SHA1
3b4b5c9ff7355a601ccc72a87fce439e45e7d37c

SHA256
17ec4567c11882875eb51f0d0c8a670cf466bce18a08b7f65232e00c2b0bb9ea

SHA512
96d1678c4bcfe3541091589ce02526c6e60b6f39e1358e395b6a268baf4627acaf8959325198cccaf8bfae0168162c80c737239f61d5f306eb0f03ae1761d4e2

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
300KB

MD5
b3b51512638c98f2863a65509c075943

SHA1
6ad5d84dc6fa9e35e323163363157faaac8e16b2

SHA256
5279a5fb5e8ab5373b21021802d944d68dfc842b491e9bde4c9ba4696799ec0d

SHA512
d07d1d18b01e7fb31aa4a7458cde131ba23cf0e7848633df5fbca79188d63da5a8bc6916029ff41b5c3fab0e9143e1592ed3e8eb2a6a968beff6ae4a11e76db0

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
300KB

MD5
67543de9d0f880adeadd7c167c01e338

SHA1
5125b75c5ab28daa0d3ac7a8560873b104243e71

SHA256
571ac3edfd13d85b89b7ffe893c9a1ed3b4a944b499e9765983b8c2c7e9caf2a

SHA512
ebb609b3ee8bc7fb3e1a10d2bc59416a34b22b3193300cbd86aaf796b3af98cc7f1ec8eeb3ee7c1d9f9cce5daf3270712002cb217fe8028c316c3f10f9fa29e6

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
300KB

MD5
ca3e37fe4000e20bdfe28db0e660638d

SHA1
bc274848b361df05a37cca53abc69fc9ef70cc29

SHA256
0cc39b4451afc17a2b9a928f2752f986eeb9ba1a52cb9436b57447a924e2120f

SHA512
4281b4c98f72453e4ec2279a72e5b5fbc5824bca2e9771d0ef94b8c6f8d596783970d9985b0df07a63ccd7b34f3c5bfd383faa3b1733bd200cd299b513dac4a0

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
300KB

MD5
fca1c0531c1ca8918ae546b1eea22451

SHA1
7b12f2134db0f829d16c826fb5650fe57e3f29e1

SHA256
5d8b02a13f7a54b96143739c6f7a5228e02b1d31fcc243ab6ed6009cff6be876

SHA512
e4a27d0a9c3ffe8ed4f542ee5d91d18b6f1d1ea67fd6063802590d028f958b53fcbd0e3f4757a027ce66b2ecd88051ff11efa4e23d7fa1eda7514aefc93ebff7

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
300KB

MD5
5bde763f5e84225cdd15a15e29f35e29

SHA1
4f640bc6b2581c1748f1ddbf992c9fb557b8979f

SHA256
d04488aec07ec36df3ca11b03b17979b176cc75602b0b10b1c1b626e628f09d4

SHA512
0743bd942bb49e6b968541f0bd85912d56082dce7b46bd062fff93cd80072ddb2ee74bb3c005822bd836eb0f127d1f96fd4d06bbfd667e10def86512009f3195

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
300KB

MD5
ba2e427583cceee52295274f689dbe82

SHA1
5ae1c5031aab1343056fe33ed3380732ffa2a448

SHA256
5f5ebed9a831dd36b73f7ac6023f7438010bc7147cb0801db14f408b5e08bd17

SHA512
8cc1c03ce9e5fd8a59e13c1af6b649ab32e4efac76e494d19b67ef602fc2d4492ce4fa8b0d775674e1079317b8d143564a872d91b98f7aaa11d5d41430269f5d

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
300KB

MD5
1bd2a8a19be5abf9aa0c668f53384fe3

SHA1
74ffe3a32f64286794aef09a653a4162ed2439a6

SHA256
53965c8a18ceae2739d11067e671f3cdd7e4362567f948d9f536cb334c3b60c6

SHA512
92188fd9e9bb8639ff6ec71e83bb97d2066a9012098ecc878d1b9941bcf3c9fb860b5249f93285de140603b2ed12fc6207fd0a504f33ba70a9bc3f18ae01a99f

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
300KB

MD5
34481dd9c293526d1a1fd6aba6601533

SHA1
52f0b77d7b217ceb608f9751cf54aaa18feb5a76

SHA256
5b8475d6d0b5017a7491f11afc195411534ea2fdd0f51cb4202fcd38a9b5c4de

SHA512
cf27bed934bd31760bd13a576bfaf9375c263e84fcb0576c1363c6c0f6ec0e958188dd3a3056d7a816ae294229a70f501d08bb9e7c2a0f7ba5e274e25a38ff71

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
300KB

MD5
0669ffbc5458c47c15e30c51a4a4103f

SHA1
0dea0bfc5f4e1f74f959854086557b8e5ce0e933

SHA256
fafe5ca82910104b4ac6c0108383ed6d394ee3959b392c20d334c58389c2f39d

SHA512
f56627e264f053d033469e156dd455f33b3e2fb973af6103df76710b9aec0f6678d34c3288e9ce403259acdf0853f6690cef6dd61c632cb8233311f99741e85b

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
300KB

MD5
ef8e89b64f0a32d880758cfd04cbd22b

SHA1
02ab934ada1260bc39f39342a03e53dc7a18e255

SHA256
40df29216d8231425267d09fbdf54583289af747204077fa7707bda2943861cb

SHA512
af1ab333073e4f9ad541f948ce7aeafe237c97ee5a1bee4eb5a6d4acec3c58e10ffc33ed3c91f990da152a7f3748496188f9f799bdca06afda517a2d4b612faf

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
300KB

MD5
8f5a9d6fa65e29d40abfe3dec997b448

SHA1
8934c7dd8e6a40e3096409334fa92931542de208

SHA256
c78f4855e9f9b6533c492a237dcc13aba06c78ea7eb59a95b5eda1061ed000e1

SHA512
860d4a2a816f9221f54367e7712ffd4a81a2dc2c094961c6c6070eefafb157cd13d4783b498a2d3fd07598653ba39e4df682bc823fa246cd90c1c2ba3c1628f7

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
300KB

MD5
42601270699c05d9a5e495460d10f862

SHA1
3bc38b962640330e57c59352f39a041778e058b9

SHA256
d52b9d10cacc2214c594d0c2db9ce9ae47e081243c3e35e6a0185732d62d53b2

SHA512
7c5a79594c6ffec908ebd3c0ea8129fe599c257a17a4504b36e04e2c85cae93630b54f47d26577907db491d6a50175abdfe3e860b39cc10c6f2424ba43dddf60

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
300KB

MD5
d2fc1056ec2f4a32b1087a09bc8844a2

SHA1
d2d5dc9681c6bde50022da545ff88a7e17373edd

SHA256
72805e8b116a1f17df364844bef80757d02849b01ec0a8ef0487e0452d8a426e

SHA512
8b45df2662553f3e4959e4068f78225ec37b2a0a76c97c8ae0fcb34c3fc16b2787dff4fd39b384d3046d0e30c126d59ba9edbf382234e81bce9b7d54627c5a9b

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
300KB

MD5
a0f16e3301464efbd5e114e32c334e90

SHA1
486d598f42d7789988d9dc8af1c6a4536f86d289

SHA256
ab2e40642c9f675887d091caada0e50cf07008a45265fcff6545f02971624fa9

SHA512
f4d899d2479ad59ac2aedd303dbf8c7f68ecaa2cf43d374561363a9785fdc9d5a378d6f10912ec211f919910c1e57d4b217303c34d7e9ca4e3ec18043455df44

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
300KB

MD5
745db04b6e86ded8982445a7189e156a

SHA1
f06b9022fe2d3881ffbb4a3781eb6cac47cccdd2

SHA256
9f6ec9c177f0dd34586474624b6732e719d73d9515b5e94c5a2b614c4c3087c6

SHA512
4a2375ec4f0707ce61159c962990599081e9db3aa5345d08e16ed1666c13fe586ef84b29542b5a52bbf7e3e7e850582543218322d00468e53e4835e15a6d88b3

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
300KB

MD5
eaad39d4d7ae74ed016b68abf28612b8

SHA1
c01118b7cac220d2eceeb875c976530ae48cad12

SHA256
66791851e63bd5425802e56af30c0fbe167f9c41e0f4fad1fc74644b7da7e9c5

SHA512
99b1fdf63cd29e0a6675a01cfd2c84b177be1a68520c1d74eae2363d04129223b1be9482da0b7a101e044eff9cfe30bc02504ac9541eb008ce93598190c135a2

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
300KB

MD5
5a45816714b96d16af459d283ed1795f

SHA1
ed1d218634ae2fbcced1ed3033e9ea3ab51c2678

SHA256
eca4141946c1427d979e0ac3e50d0151a90bdc050016750d97a0d3ef661032e1

SHA512
06db773590fa4a67b30f7e1264773edca85649305c507979ccacc6ac14068996dc273976755efce3b0c8146fc7818825533cd7972d7eb669ae8639f7cb22b765

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
300KB

MD5
a547541842e0152b7fc3ed00b607fde0

SHA1
05f0ba238fccce182cbc6b58f38e5212415ce38b

SHA256
efef1deca7a859afb3af5c8b01f9e2abba8e736a9a7d7d60c644de01fcc502d0

SHA512
ded2d5485d758d401dd91e151d298bdcd85a20afbbeba1fcb2e69c692c1fe3aae8f73bf47a5ea07603128c5ebc7caf8f5c7d32bd857fd56743988c25aeac4080

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
300KB

MD5
f6df8cef96fc38c0f8f6d939246c1b67

SHA1
d9e584ab6860be5cf86cb8168974b6f76825130e

SHA256
dbdca8fa819e4ec4aa9aec42ff270e401b60636a3da55391b8ac5662f79379ec

SHA512
0441042132c7468f1517a95aa9dd37752da41baec47b825d23791d4d2d95785388ecb213bc63a0d3d48fb224d1b73905201783bf9d3464eae8a9f4cc282eedc3

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
300KB

MD5
2d1d50ae071261f5e63a80857f0fd10d

SHA1
60c9d04fa89963c8cdb2ae6209c1b210a35d0c98

SHA256
480ccd7f8766f29499ab5ed46f273317beb788128411583c4ea993c8d9373a26

SHA512
33f4dc32a676e0b8a9f2a15f176b554e9b09baf5f5e75ceb3cc2c1b768eb48d78a535a45e7dc74cc841453c99ee35e4486295a2ed7e25d7a3b856a81dbd6a2a7

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
300KB

MD5
942f699af4a514f2a47eef15c53e7fa8

SHA1
d9104b884d14dd9f61a80922cc54d626d777b35e

SHA256
0f678e8e103aba60a735e1d2e337a27e0cf9d3f8e24f841a5021f65198a5fa57

SHA512
a95e941290c5bee7915a878d85607ccdb85f974dd7a393810e8c1ddef873af284213301d3dc1c69960a45b9aeac7896ee1f562ffd6f196d81ee1e21bdfd20f47

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
300KB

MD5
cfd60866f2c317cdbf640debdab91ab5

SHA1
3291a2097c3038fbeca84d35dc38d10a2a2f7238

SHA256
936a6405cf80065ae64d64caa03cadd36071aba4e5076781411a3524ba984e61

SHA512
cb13bf451304e04006343cd62c315404178558d62319c40859a54c82b1ad9698682a4a461466342afaaf25a63227059302e57d709008588bb8d6ff70f487381d

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
300KB

MD5
b6d5e125b0b01d07e5f52a3fa2516437

SHA1
9e87344130bc690c72aa771410f670100d122e67

SHA256
7bf86825b738100f7fe697b5a15333da39ae0ffdcc3e77ceb7742263718b470a

SHA512
5f1be408f06003c02b32d002b14be17266b55e69807ac14d17fdd8f6a062b8a6fb361a786b1bdeca39633de83cad02f264632b56daf88394bf1f0c68e5d87f71

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
300KB

MD5
50ce2d46ec2d0f3d93813335d6b18e2b

SHA1
6b879006784b88e7b3316879f12b1ca97ce3436f

SHA256
ab201044b7b012b574e17d890ec2da63498d66d560c001f0e88fb115a11b5e8f

SHA512
0e159909291eb0e121bf681002ed18333040f8c317bb95b7b2fc34a1fa9df410d4239f7cb9536537a8934804ce6a1edd4d672549ab16089551e9afd5ab4f7ccd

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
300KB

MD5
7ff54754143290c3be696396ad0a7350

SHA1
f4cf6aab808f699eeaff41ffea7083cbd6d54d29

SHA256
4b891c010dc9b1c6034cc10119a8f18e16e16284872c908dfc2084f410954443

SHA512
938efb40563b9e526d993d83fc81cea3f1a480a288856f928d9d776ff5d5cb590352a78dee5649377b60d748891f9547e6fabc9e35a0869ddbc65cb482326cbf

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
300KB

MD5
30cac88cbd5aeeb9ce5a2b2e344eef3d

SHA1
39493b65cc9d6a0de4777bbae63f1e48970b7330

SHA256
fc610351376dff612f601c0d1ef24afdea6938318f5752b1c98207fc849354e5

SHA512
bf143ed25c807d0d33731c21b8b52c1cd3014c3fec669f4d16c24d0a36a2b972e328d148c1bb2a4647d958de5750da8f78cb954c16500c0fb897736d1f7bc13d

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
300KB

MD5
a4e27c283ccc338baf61751ffe1fdbc7

SHA1
c223c7b0859d20f11b025d0cfc31ed7b57c2324b

SHA256
b2ffd6b569baedb7d68d541cdaa10b4a80af0a499b60d7c18627eebf1307d557

SHA512
c9abb84e563dbbcdaf9a58251a9f20df016846541888de56b304213eb609bdd0fa0433971edae1ac35c9d3a62bb5c12a9ae2bb156d67b3911b955fa83f1b16d8

Download Submit
memory/316-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-7-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1224-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads