daf26894ffd38433c90a4231ce529abe96cbcb86ab0d7cd305c28aa6161f7e97

Analysis

max time kernel
140s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3612e9b7fabaf50628e51735afd4b5a0_NeikiAnalytics.exe
Size

192KB
MD5

3612e9b7fabaf50628e51735afd4b5a0
SHA1

95efc5d3525bd3891fab4a8e0cc139c22e45ea7e
SHA256

daf26894ffd38433c90a4231ce529abe96cbcb86ab0d7cd305c28aa6161f7e97
SHA512

d41f20660f7d4a60d5ee88d3481ed015657c4b532e47a4ec00a8c284896e55134ac45898348e964086f3582bbee0fd1d0394c366227c2a646a4f2de95f66cbce
SSDEEP

3072:LHbTkfNRwOpWwy4GkMWkrSz/UPoE3eFKPD375lHzpa1P2FU6UK7q4+5DbGTO6GQJ:LP4NpvyMZkrSzMwE3eYr75lHzpaF2e6T

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eckonn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djnaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjflb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iffmccbi.exe

Executes dropped EXE 64 IoCs

pid	Process
2792	Djnaji32.exe
4740	Dllmfd32.exe
4292	Dphifcoi.exe
1296	Dokjbp32.exe
1476	Daifnk32.exe
4880	Dfdbojmq.exe
2600	Djpnohej.exe
4208	Dlojkddn.exe
4380	Dpjflb32.exe
1672	Dchbhn32.exe
3792	Dakbckbe.exe
1276	Efgodj32.exe
3948	Ehekqe32.exe
4344	Epmcab32.exe
4944	Eoocmoao.exe
5112	Eckonn32.exe
4320	Efikji32.exe
4200	Ejegjh32.exe
4000	Elccfc32.exe
464	Eoapbo32.exe
3108	Ecmlcmhe.exe
228	Eflhoigi.exe
232	Ehjdldfl.exe
4204	Eqalmafo.exe
4672	Ecphimfb.exe
3328	Ebbidj32.exe
452	Efneehef.exe
4100	Ehlaaddj.exe
4968	Elhmablc.exe
4064	Eqciba32.exe
3780	Ebeejijj.exe
4536	Ejlmkgkl.exe
4440	Ehonfc32.exe
2212	Emjjgbjp.exe
4592	Eoifcnid.exe
3412	Fbgbpihg.exe
4284	Ffbnph32.exe
2992	Fjnjqfij.exe
5012	Fhajlc32.exe
4848	Fqhbmqqg.exe
932	Fokbim32.exe
1004	Fbioei32.exe
2040	Ffekegon.exe
4940	Fjqgff32.exe
1472	Fmocba32.exe
1056	Fqkocpod.exe
4620	Fbllkh32.exe
1852	Ffggkgmk.exe
2036	Fjcclf32.exe
3324	Fmapha32.exe
3928	Fqmlhpla.exe
60	Fopldmcl.exe
3056	Fbnhphbp.exe
1788	Gogbdl32.exe
4244	Gbenqg32.exe
4264	Gmkbnp32.exe
3492	Goiojk32.exe
1364	Gfcgge32.exe
1240	Gmmocpjk.exe
860	Gpklpkio.exe
4256	Gfedle32.exe
2300	Gidphq32.exe
3864	Gpnhekgl.exe
1924	Gbldaffp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jfjdddho.dll	Dfdbojmq.exe
File created	C:\Windows\SysWOW64\Cmddeh32.dll	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ecphimfb.exe	Eqalmafo.exe
File opened for modification	C:\Windows\SysWOW64\Fokbim32.exe	Fqhbmqqg.exe
File opened for modification	C:\Windows\SysWOW64\Djnaji32.exe	3612e9b7fabaf50628e51735afd4b5a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Mhollf32.dll	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Fkokhc32.dll	Dokjbp32.exe
File opened for modification	C:\Windows\SysWOW64\Ehjdldfl.exe	Eflhoigi.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ffbnph32.exe	Fbgbpihg.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Efneehef.exe	Ebbidj32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Ojigmkeg.dll	Djpnohej.exe
File opened for modification	C:\Windows\SysWOW64\Dpjflb32.exe	Dlojkddn.exe
File opened for modification	C:\Windows\SysWOW64\Ecmlcmhe.exe	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Dokjbp32.exe	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Inomojol.dll	Eqciba32.exe
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Kbbfkb32.dll	Epmcab32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Eckonn32.exe	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Dphifcoi.exe	Dllmfd32.exe
File created	C:\Windows\SysWOW64\Klebid32.dll	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Jdmaid32.dll	Ehlaaddj.exe
File opened for modification	C:\Windows\SysWOW64\Ffggkgmk.exe	Fbllkh32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Dakbckbe.exe	Dchbhn32.exe
File opened for modification	C:\Windows\SysWOW64\Ehekqe32.exe	Efgodj32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Emjjgbjp.exe	Ehonfc32.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File opened for modification	C:\Windows\SysWOW64\Fhajlc32.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Fihpfl32.dll	Eqalmafo.exe
File opened for modification	C:\Windows\SysWOW64\Ebeejijj.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Knceql32.dll	Dllmfd32.exe
File created	C:\Windows\SysWOW64\Fbioei32.exe	Fokbim32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6284	6096	WerFault.exe	240

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhilofo.dll"	Ecphimfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihjpn32.dll"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgbbq32.dll"	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmddeh32.dll"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3612e9b7fabaf50628e51735afd4b5a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlojkddn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djnaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Iabgaklg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 2792	4240	3612e9b7fabaf50628e51735afd4b5a0_NeikiAnalytics.exe	82
PID 4240 wrote to memory of 2792	4240	3612e9b7fabaf50628e51735afd4b5a0_NeikiAnalytics.exe	82
PID 4240 wrote to memory of 2792	4240	3612e9b7fabaf50628e51735afd4b5a0_NeikiAnalytics.exe	82
PID 2792 wrote to memory of 4740	2792	Djnaji32.exe	83
PID 2792 wrote to memory of 4740	2792	Djnaji32.exe	83
PID 2792 wrote to memory of 4740	2792	Djnaji32.exe	83
PID 4740 wrote to memory of 4292	4740	Dllmfd32.exe	84
PID 4740 wrote to memory of 4292	4740	Dllmfd32.exe	84
PID 4740 wrote to memory of 4292	4740	Dllmfd32.exe	84
PID 4292 wrote to memory of 1296	4292	Dphifcoi.exe	85
PID 4292 wrote to memory of 1296	4292	Dphifcoi.exe	85
PID 4292 wrote to memory of 1296	4292	Dphifcoi.exe	85
PID 1296 wrote to memory of 1476	1296	Dokjbp32.exe	86
PID 1296 wrote to memory of 1476	1296	Dokjbp32.exe	86
PID 1296 wrote to memory of 1476	1296	Dokjbp32.exe	86
PID 1476 wrote to memory of 4880	1476	Daifnk32.exe	87
PID 1476 wrote to memory of 4880	1476	Daifnk32.exe	87
PID 1476 wrote to memory of 4880	1476	Daifnk32.exe	87
PID 4880 wrote to memory of 2600	4880	Dfdbojmq.exe	88
PID 4880 wrote to memory of 2600	4880	Dfdbojmq.exe	88
PID 4880 wrote to memory of 2600	4880	Dfdbojmq.exe	88
PID 2600 wrote to memory of 4208	2600	Djpnohej.exe	89
PID 2600 wrote to memory of 4208	2600	Djpnohej.exe	89
PID 2600 wrote to memory of 4208	2600	Djpnohej.exe	89
PID 4208 wrote to memory of 4380	4208	Dlojkddn.exe	90
PID 4208 wrote to memory of 4380	4208	Dlojkddn.exe	90
PID 4208 wrote to memory of 4380	4208	Dlojkddn.exe	90
PID 4380 wrote to memory of 1672	4380	Dpjflb32.exe	91
PID 4380 wrote to memory of 1672	4380	Dpjflb32.exe	91
PID 4380 wrote to memory of 1672	4380	Dpjflb32.exe	91
PID 1672 wrote to memory of 3792	1672	Dchbhn32.exe	92
PID 1672 wrote to memory of 3792	1672	Dchbhn32.exe	92
PID 1672 wrote to memory of 3792	1672	Dchbhn32.exe	92
PID 3792 wrote to memory of 1276	3792	Dakbckbe.exe	93
PID 3792 wrote to memory of 1276	3792	Dakbckbe.exe	93
PID 3792 wrote to memory of 1276	3792	Dakbckbe.exe	93
PID 1276 wrote to memory of 3948	1276	Efgodj32.exe	94
PID 1276 wrote to memory of 3948	1276	Efgodj32.exe	94
PID 1276 wrote to memory of 3948	1276	Efgodj32.exe	94
PID 3948 wrote to memory of 4344	3948	Ehekqe32.exe	95
PID 3948 wrote to memory of 4344	3948	Ehekqe32.exe	95
PID 3948 wrote to memory of 4344	3948	Ehekqe32.exe	95
PID 4344 wrote to memory of 4944	4344	Epmcab32.exe	96
PID 4344 wrote to memory of 4944	4344	Epmcab32.exe	96
PID 4344 wrote to memory of 4944	4344	Epmcab32.exe	96
PID 4944 wrote to memory of 5112	4944	Eoocmoao.exe	97
PID 4944 wrote to memory of 5112	4944	Eoocmoao.exe	97
PID 4944 wrote to memory of 5112	4944	Eoocmoao.exe	97
PID 5112 wrote to memory of 4320	5112	Eckonn32.exe	98
PID 5112 wrote to memory of 4320	5112	Eckonn32.exe	98
PID 5112 wrote to memory of 4320	5112	Eckonn32.exe	98
PID 4320 wrote to memory of 4200	4320	Efikji32.exe	99
PID 4320 wrote to memory of 4200	4320	Efikji32.exe	99
PID 4320 wrote to memory of 4200	4320	Efikji32.exe	99
PID 4200 wrote to memory of 4000	4200	Ejegjh32.exe	100
PID 4200 wrote to memory of 4000	4200	Ejegjh32.exe	100
PID 4200 wrote to memory of 4000	4200	Ejegjh32.exe	100
PID 4000 wrote to memory of 464	4000	Elccfc32.exe	101
PID 4000 wrote to memory of 464	4000	Elccfc32.exe	101
PID 4000 wrote to memory of 464	4000	Elccfc32.exe	101
PID 464 wrote to memory of 3108	464	Eoapbo32.exe	102
PID 464 wrote to memory of 3108	464	Eoapbo32.exe	102
PID 464 wrote to memory of 3108	464	Eoapbo32.exe	102
PID 3108 wrote to memory of 228	3108	Ecmlcmhe.exe	103

C:\Users\Admin\AppData\Local\Temp\3612e9b7fabaf50628e51735afd4b5a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3612e9b7fabaf50628e51735afd4b5a0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\SysWOW64\Djnaji32.exe
  C:\Windows\system32\Djnaji32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\Dllmfd32.exe
    C:\Windows\system32\Dllmfd32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Windows\SysWOW64\Dphifcoi.exe
      C:\Windows\system32\Dphifcoi.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1296
      - C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        24⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        28⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        30⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        32⤵
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        43⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        44⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        45⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        47⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        49⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        51⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        54⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        57⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        58⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        60⤵
        Executes dropped EXE
        
        PID:1240
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        65⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3248
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        67⤵
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2936
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1212
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        71⤵
        
        PID:344
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        72⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        73⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:448
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2320
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        77⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        78⤵
        
        PID:716
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        80⤵
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        82⤵
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        83⤵
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        85⤵
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        86⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        87⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        89⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        91⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        92⤵
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3652
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        94⤵
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        95⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1656
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        97⤵
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        99⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        100⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        101⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        102⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        104⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        107⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        109⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        111⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        113⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        115⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        116⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        119⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        121⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        125⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        126⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        127⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        128⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        130⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        131⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        133⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        134⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        135⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        137⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        138⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        141⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        142⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        143⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        144⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        145⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        149⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        151⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        153⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        155⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 420
        156⤵
        Program crash
        
        PID:6284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6096 -ip 6096
1⤵
PID:6200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
192KB

MD5
86f0e1e1af8b5b690a12d575f94fa983

SHA1
297eeb12ba3945dfc292be5a2263a293ad123319

SHA256
3f69cca1e6eab4a7a55bcbcf67403395914848c1eb2d803df60e0cbcf487314b

SHA512
290f62fb76dfd934c8c74c8f5470fee486c6706ddab46fd0edf9b7d0c51053c5f4025ff916273de3c0e0bc2ea03100189b995277b3775acb3d91548db83d5cbf

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
192KB

MD5
1b1b2ce87075cddec7463554ea071369

SHA1
0e69da020b51e1b66194cf8ab72bb7a39766b28a

SHA256
23402c2961fab49bfca32eaa5d98f211f793f51653c0ebf37607dba17436b14e

SHA512
7d5c5ac66f2d007b8a07e6b84468c9de1db97cbd13d1200f4dea07af33a8c491f070a0e3f40e10f01cf007793005a6e167b26d2fe94e54e9c4bc99287055fde1

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
192KB

MD5
8323fa3bcbc64eaf5e80a66d7ef6b735

SHA1
e84f28b24644068fdccfa64c2c4137552d32b2dd

SHA256
a70e207ee19130443a561fb727f5c00aa1229ea95514e584e96312ff6536d6d4

SHA512
e28f3bd7704461a94053024511696c93d0391733893d0449e2643dcb30b44868fb3d9be8ff8fd3c779786521c415ad3744f83eee8bab5174d348ed1aaa7e2c3b

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
192KB

MD5
d8a540914ed203dbea06689fb4fcc424

SHA1
283c80c012337ec1e0265bb2c116b9b4726723f1

SHA256
e9172f63e1b6d89a8cef5fe335474013a127d80f0f4cca5bf092d493d2a00322

SHA512
5b2ae5ad4efa8037277a00b9b90285b0157874ecfb06f65a3cb999ecfac0c52b2eca0518a75d13312ade19ac51d778d1e2ec0215c4b0a0e148c32f19a158aa74

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
192KB

MD5
84238a941bbde430c96551bd1389b566

SHA1
512e4293344a1366a6378fd40aedc7539d99258c

SHA256
e18a21e7ae4180d7aa6872f78a8ec0d214c354d60e9fd4de804f91993e00f7d8

SHA512
76aff99a7df28fcaa59f493aa8e3d7cb4c9486e4f75df1d77a982e9c5ed66a569524f9b188cf913d4fafda04f36dd46a6140d6f3b412fc6be5ede8318fef4b53

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
192KB

MD5
8f42bef98f26d007f4e3cd3801f55d35

SHA1
891eaa56617579c403f457c29bd22a6202c75256

SHA256
d60281e5e0e51ce3512f6c4bb018902b01eacf80b039fbb3a2c1f44ceb05b034

SHA512
1693208753a31399f45711018ee13e5a01656f46af1ee7efab6c3bbb85341d898296ecdb3be70e7ef14847405db65ee2bababd79dd821cc161198bfc739a10b0

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
192KB

MD5
7b39335d2608b345c946a461ce1b0555

SHA1
5536e000254142f7bc4224dd589e65a9a94fe806

SHA256
65f5cc0eac9f89a7ff73aed9976868948b86dd93a665095a9033e9c719bbb766

SHA512
9fa108efcc8faa78737169f073c84e04ee3719209a55396346b3f0983218287013de68ba524aae5844b3860ff0435030e39151ba986ec2722d6f83e3a7bb918b

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
192KB

MD5
f8ca881b4320d2468a1462b705169e8b

SHA1
142454d2a04b7876c669b20660f1868c393aec1b

SHA256
e08e5818a641ad7ce89aa7cf7328a7a426fbd3adde21808f7f027dc60cb36b53

SHA512
72a838ffee0f8466c4835a2a97a96332936ff9226c8ba767c48c7b51631dc7100539ed61aef2e42019c0a536d5fa1add0325c2d10dcb6a85fbbfab2b9f01d723

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
192KB

MD5
d17d37237e2aa735c9f5edcbd0c44887

SHA1
a168ac18eff90a39d784b8148c3fcd0c152b2b17

SHA256
a7809737559e1225a4585d401be3f7d4df283b66e2ae9cf3fe87b942043ebeae

SHA512
70a56e387b954a711de623ebbebab801184e1791ff682ed3549567fc36a9ae1a40b1bb9a3bcc50005f1f1b3ed57bc69e74571aa74f358def58c53a403734f9d2

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
192KB

MD5
b9fde1eefe37b92ef8e86e9a99b7f0de

SHA1
0bebd29cb1065aa7b43b248b4cb47ed0dfb456be

SHA256
1e0130518d9a8ac1e49f32cd5366e52e564fe827d026fbca9fab38629860cde7

SHA512
ae44d3424dff9c24053338a507d91a59bc635be48bf23393c559ad04c132e4ca65ec76ebad8c269f91a724d695d8318aa0bddfa38db57e503fcb3004437ffce9

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
192KB

MD5
749a7070dd5ad2b73735927d63bd3609

SHA1
cecb1e4f72ca067de82a977d5e58fa070e63c46e

SHA256
5357f041f151c0921f9773e7af2d95f2a592f4d54712c0f70b7fba4717e3e6b7

SHA512
951b38b0f3144de7e3fccd8f3acb013758f717b93e95e6205814923c775033483098497797e606edb19d0e8d07075f434710919a97c04d9e9127cf6a26894d0d

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
192KB

MD5
fedb56ecc46025e406cca948e190a528

SHA1
d6521be33c04d9abbe1eb484b5c1ccba62dbbdf2

SHA256
9dc70cd91ac52f376087b6eb3690fa5eb85dd06d3e82839c12deb9e3f490de2c

SHA512
2d8f9a3d33032ed0f98b3580d125e5635070faba4e06f93eb0874bebbf2fc3023ab14ed6b02d81389712f55a6fdddbc4069c7dd5a3169635cf85c5124f6b3059

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
192KB

MD5
c2ae093cab7fe1c1b4a05ecfe1e9fcc7

SHA1
02287f6afc045744e08458735ef15cc497651ae1

SHA256
e9a9e2995f369f331cfb6d0ae0497fa267a9c6cfc74ae3dabb9658add49a2b1e

SHA512
cfff76fb86910d9bc5b9a6b7350509e87b8e2dab23b8640d02d5587edb30748f65311c2ceb9ae6916077f8106bb1de0d1d95d74bef11cae5370379604d06e58b

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
192KB

MD5
874c6cabe0affbd6808cee9601b2b8dc

SHA1
60b867eaee74171afb6f413780f88ad3dcf08eca

SHA256
be5d319a1c3ff82aac9ef42c120b83166705cdcb8a309513dec714bb2c3df858

SHA512
04827b4051db24df8605712a8143159d943d4d35d607931325278c053b27aca0438162b74b51881544c2b9cf180e7bf3b5fa4557a7a93891412bbdde20072549

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
192KB

MD5
7df7f161eec2e4bed6c0086a94f39aec

SHA1
0a6efa60c1b8fe1f7e03a48c688ecf90bbc3750b

SHA256
77ca8e2fa5be6f0b1c0b87f9a830c1d3648ee1400e8e73afb4e13f53cebd47bb

SHA512
7a188d424853358068c44c9318cabff9bf49b9f035dc8fa599a499bfd2fa871c50621a89b45309ccd3e9e22d3ffdf3e3061ce234edfc5334e7dfaaf6908c5fa2

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
192KB

MD5
c825c69943840682150aff8ce8609153

SHA1
73680c39f131ebdac150a785547837161bb5d9f4

SHA256
0174d2309b786d732e3d3b3501a059b832056409bfb434923c7288c031799fce

SHA512
0c24485bec2da2df14fa2de4649df44d92181cab31fa3e3ed1a26e204cea4d549327ecd59e4c4cb8ad100b4044c865b245be82d1b6b842d5466648ed5dfaf859

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
192KB

MD5
6bcbcbf7065f55496cb7e07b2a034f9b

SHA1
a2c3cb51302e2ff867fda78188d97ae60e7478f5

SHA256
e9758beda1bb879743a186ab424adfb5e1f95ba5a4f1aca6cad950a1f050e384

SHA512
edd4789db0b98c97d7b70b397f8c1197e109d4eeab7c1877928954957ea0ed6acc6c7087d950d24bdeb8b91e618763220d52c4c1992f65da88118b0f529259ed

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
192KB

MD5
cf9406250616e6c1ac092175678db2ec

SHA1
be06eb5d2826617ed24ad4be1493398b1cdb9265

SHA256
61732f52727d6f1115d569043703fd250c0888c7898f3eb41044442d3085efd7

SHA512
28e6d68f63617c1465b9f9220aa1154069faa60b3746fc6a6b636f0b3d33661c4f0985934c474dab8151eb0da3347fb149e2a77c2bc14860ef1b13b9f1a52fdc

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
192KB

MD5
fd9a55b2f422283e111d81ad20464509

SHA1
1fd0c915e21fb895266d0002e93549d0b68456e8

SHA256
3b14019aa22eca8403dd3f5c92ac69046717506b3461303a7f09072dcccbd685

SHA512
73a6ecf20d567be1071f4c4311413598ede2dae2a9b5e0d17f10cac5c72a3e425a9284cb41f9bab8e49321ce966a08e1914787d9327ace20edc90ddcf389ba0a

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
192KB

MD5
fbfbcf9b50728f88d13c112370f98a2a

SHA1
e58a8c1e033fb39e2b84b9c02629d3a5c76a41dd

SHA256
e573c659c62e1ea0a3d5d601363c140e206fcbd324830a6520264475254ec8e4

SHA512
8f4460bead9aa9cc78eb3332f4a68337e5da27347968176a9b53cd8faa68558598dc3d209d51299d4479f458699103d7d8c27a74e74571f77a852eb634421ff4

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
192KB

MD5
5a79929db9184188b674bb23551e308d

SHA1
e0c327cd56dd87efffd966981584ad8087336369

SHA256
57555f51f5fd3d45e460dc309eba9969771d31b103dbee2ea379272b3a2d4270

SHA512
808c8dbcccbe963c155ddb2b484b3f1747ef193402a38b517009aa29bfc58c2b8ee0da3a3ede7b953c565d59dbb757be04941f0ff91cc7c01633efa70d49aa84

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
192KB

MD5
83d09f354e6cbb850387be88dd330d4b

SHA1
fceb051be2bb9f9d3b6db19b84b9172636819ebd

SHA256
a7684fd842da5f2478043d5992cc875f98cf25cb04c57a0c878f983965858456

SHA512
73d95bea3ad2d303405dce12e106d177024cdddf8a1725d1440e69bb8b2015dd23797092a329fbe7661e48c649ac614e0b474653fcb3ba10b6af539059ff20db

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
192KB

MD5
b022ecb51a842a186ab94eb78d27916d

SHA1
82686dafb72da398e19f44fc4f1d90d649e20d2a

SHA256
d3dd2d15de2b0cc6e608d4d8f65d3c0ac7ed9225093e315c96aeac242b99cef4

SHA512
d14150c04700f92e4401c888e35d86c826aaa72ba407979ec53ca44d9d2caeef6f1819bbed3ca91438de845326eadf2179e9f0c35440b94bccfb26076daebf5f

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
192KB

MD5
9e3d8ea4e0e6484b295231dff30dc01c

SHA1
9a8ed88088f3f90f10a76b7543eacd4d09592c71

SHA256
6cb35d82292d92edde09b26b0565dc478057c2071e69dcdf323648ed482f4964

SHA512
d492e420d4661302215009960501c578901c9520e14d67d352f95265d5a3d8db5912a7cf332aa627adf66b01974ff9a258fdf46c00043c765c9643a7771af0c6

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
192KB

MD5
e813205481fca119de502dc77cf044c5

SHA1
04c1f63c196322a1c7a6ea84f8c27c3633f47a63

SHA256
69ebc75dd05ce3fa8451c921e19a0b859294a2afc680241686b70a68f6215e16

SHA512
8222482e8bc0ce11f6ed5cdbc3d099600ea7e0d2d12def9368f1b6651c6e68f54ad80111492f802f5bb863911f8b54a0511f459e4447a24cadd69002d195acb9

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
192KB

MD5
d5a30e2b005b01a2cc35a19c92e76d7d

SHA1
689da1c115991962690c4e7def45700fbad8b188

SHA256
910ba77f72e90e35010fbe73e7efd2ce7564ca2af0abad322e0ccc87afe83b0c

SHA512
6a274bdd26a29af5d35b61a1b8f256c11747019ab2a7f0113bb1084762963ab7f5b35cc5733b1a75b14c308232a64b92263c84fbe4ec08c3ccc8505bb763e99b

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
192KB

MD5
62e42f0a455512e18b31df2d9dc537cd

SHA1
21840d3ad6ba865743cfdb9ad6000bef276146e5

SHA256
316099887d0132f7eab4d2aeef8d01e292cd185cddbeded3c2d2d9ca2e5b743d

SHA512
a96619ee6ac7a4bb0b93c18a8aea6a2472a5ecef9c5360b4ef3e9cd0463a2b27bbf1e36a9262862651b9a2af21a24a97fd90dd6c97c26ddc178ca83e8fbee748

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
192KB

MD5
cf7ce80c282d872f56de211e09dc1cac

SHA1
b622b64b0cff364117755d8835b59daa8e5857dc

SHA256
8ddad518ebb8517c4e78118053de2a9491b9085249a76f9600e9e564ee9bdbf4

SHA512
7f4b3e236da4dee98db6795cd4a425c63d5e6fd56d38c38451b33003db90b1a82949e8daf101a6a29ccd4e1af7150701eae940983075ed7b88f873eaeb744ae4

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
192KB

MD5
8c3aea4a29b60df32849420033143b5b

SHA1
8dc1ff11316aae1e16e762d2674476eeb5e07433

SHA256
26551150d452ec1871cddfd3445d0b620a1c1980f0a8ce4ece20c8d663905291

SHA512
a98ca9ed05e6130b2bfb0861609bdaddb91e2ad51661170db48d78e0db49fd22fe87228b3de425c4df3a663701c8cb8f04d6f1c35c3509003a8521c1c1485206

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
192KB

MD5
301306232e0fd09d54107501f7e388d2

SHA1
04e617d1e1df449e50cda97d564f4e4e9a57e3ec

SHA256
789e5ddf385710f8ad8c635a14fb70c6497b1ccb1e65dea1cb2487c1ac1a59c0

SHA512
21643fed33153b4be7f7a7cd0a807d3d8f504a5618ac46ee9d0fe1282ffd6eaf0e0022551c96cf7af575703a625074ad2c5217766f9575dee49ba3a3c5edc325

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
192KB

MD5
b938e93999547aa99580de80441f0206

SHA1
c682600c7a15b41cbb99fd9053f35fc513c24017

SHA256
a1ac824cb00509d544ad81f2c956ba6fb52d011344c32d5b0a0dba4576626876

SHA512
9e65674f9a2e0bcc566a7487659b7ac0d1b33bfc6147e132e4972430c31a9cff2916c22acfdd4bdea5139beff2416a4299979b97858c5dad495c3c17bfa9f115

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
192KB

MD5
49e9416e919ead9f3b172e51dd6cd244

SHA1
44274fe0632348b9b1cfe0b229404e8649a0b40b

SHA256
790eb9edf37ef9c23043b45be55e5cad07f0b1f0fa90879cc0c546e58896c57a

SHA512
cdfde16f9ba04919ad8f1a66147255da89904ca7aa0db168dc823f3ddbefae5cb7ed33d595c77ff1c1cc2350c7ed5c49870a4e92df0e22a778cfc4702bed8870

Download Submit
C:\Windows\SysWOW64\Fkokhc32.dll

Filesize
7KB

MD5
8a17548bf9fc497f180ae2eb08b09018

SHA1
6cd13696d938d0c4b50544977ea0592145fddb90

SHA256
3896648053c594417673d80b42651b197551e79e35b5e452a0557c442a088f02

SHA512
5570a3e29720697dfa9a8fd669d2a34bcb1dd4560d99145307e56c16bf8b1c843c2570e5826eead754fa65cd95d53b93210b33d777ffbfe2d04940fca77c414a

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
192KB

MD5
79e166a8d4219f2ee00b40855d54e9b8

SHA1
7704fc1dab089c16a937faedd29370e5b4fa579f

SHA256
c75580b1e6f324ef555f2e9d0d7eb59d1151662ae905d5754938b3e6a0ea00d8

SHA512
fed95a72f91e9a1e2a217b173ac2909084ecb272a9788cdf3e1bcd87dfb97e6bffe18fc742ec7dfc930aabf8c4ba837bca881937be412b5b346369373ec18c92

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
192KB

MD5
3df7a03c8ffe4b3e9806eef25a8bcbc3

SHA1
2ceebb0f7bf4a3721acc6f19c740bb6ca152741b

SHA256
2c6666d56b84849ddcbe746d2d02df0ff06b7bdc49c542b6c02faed3abffe8ab

SHA512
35f77c3512a69954511442a67e176918de7d1af1623214ee7f7373f387b5440d0568110a12a30dfc3a743fc06cb18e2d2d5a9fc340b7e624eaca3a16e6dc28d3

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
192KB

MD5
8e33445e16e8d409844480a8086d8b22

SHA1
ddeb28254b2e1429892587cd057abf1eb2ff8e93

SHA256
63309ba91cad2fee47943cc841f6836f30bb96e4260aa0679cd8ee9ced4b3e41

SHA512
2a0586b9956ec31df4ef94338fdf3cc5cfcca6a09d74cf987557027b7a1e6e5481e89dd65a3d1f7d22b899c6c4ffd0a0c20272c9df90fd1b29ea9386d82960f7

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
192KB

MD5
b0630327fe6088aaacd83ea021a563f2

SHA1
f743f54b75262653c39ccae5ee0e7c8d8c1d1353

SHA256
69c9b5d1f57997293ed414ccaa1d4453e75d18d69b38542d25bba39d5b7519d2

SHA512
ae8be8fdeccb0aab0fe1a6baefbc8a5f9d1c97cc9e79f253e0d9805e88e136962a457aee4887e842fc9122418083b9574bce82627bf702421a0f8dd227ab2b67

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
192KB

MD5
c12148368b2da4d04a194d6ba504847f

SHA1
2c9fa4b58ab157cf012bc351958d9c910c9e1dcb

SHA256
cdc875215f3609a1104118084dc02c3b34d0fa87974a3c16710a462f07e8da68

SHA512
42ca85f851fd54ae33248aad19ea44f8c8d33cfb371d10a573c34a058416189a642aedb0c2a01ec424e4084c23d6ab337b91a4bd45380bb6ffe55dd40f8e23e3

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
192KB

MD5
383da89acdfcb930c6ac3cc6feef2294

SHA1
c4a0c6bc057ac4f65a9782047d4a1ef43a71db5f

SHA256
9a1ff9c0769363b4a0d2dd4a9ecf0be67bb52c7563db7e23163b14d09e7c4351

SHA512
22476ffbc20e08be1953a23702e3e975840cff330468180031a6f39bcf031caaafbf748699c82b28a222bc60619b457c3517e1c59683b16e45444ca017414dd3

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
192KB

MD5
53c33a86f8e5a3a36cd3ae3d1cff3177

SHA1
c98c64a8bfd827733aa703acae0ff7715ef3da03

SHA256
be2d123e853eec3e12c69b25bc6ab99f9c95e31c00da2642161cc25356ac450d

SHA512
3758e5bd77256de2b60b7ce08b2f5367be9f5fec8cb6dbc3548dc58d576c9cb51b7ed271b79ce2f8e830291b7a0a8904536c236f21d0ce17e420a532235fc534

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
192KB

MD5
b5bc465a996a07f0a79ca8cbdfe36161

SHA1
eb41f0cd33ed9bf1ac7176721510dfd7dc16c8d6

SHA256
41e41d98faa69af2c3b9f3e544a32ef5ae17c882e07033bd4b1288f8a8c141b8

SHA512
5f5ea1163f772169667ed6786ee4f81f2bedba9cec599fa79b9a3b32378b13939d8036182d227c590660d8aba50bd5119226f1a243705fd4182c898a29b77498

Download Submit
memory/60-381-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/228-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/232-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/344-489-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/448-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/452-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/464-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/540-585-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/716-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/728-543-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/860-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/920-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/932-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1004-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1056-375-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1240-423-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1276-222-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1296-50-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1364-417-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1472-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1476-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1616-554-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1656-634-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1672-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1772-549-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1788-393-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1852-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1904-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1924-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-372-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2064-476-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2212-362-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2300-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2320-513-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2600-217-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2792-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2840-628-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2976-592-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2992-367-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3008-598-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3056-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3104-622-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3108-235-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3172-610-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3244-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3248-459-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3324-379-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3328-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3372-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3412-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3492-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3652-620-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3780-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3792-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3864-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3928-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3948-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-608-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4000-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4100-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4200-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4204-238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4208-218-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4240-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4244-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4256-435-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4264-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4284-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4292-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4320-227-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4344-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4380-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4440-361-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4484-518-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-562-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4548-574-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4592-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4620-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4652-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4672-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4740-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4760-556-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4848-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4940-373-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4944-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4968-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4980-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5012-368-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5112-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads