85b286f2dde9d475405c1066139eb4143f800359542c4fd7263f7117ede812a1

Analysis

max time kernel
134s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ff3bbb6c9ca656a7bc1e5ed0ea11980_NeikiAnalytics.exe
Size

71KB
MD5

7ff3bbb6c9ca656a7bc1e5ed0ea11980
SHA1

d52c1b35e2535ba8d8e0aa73e693415aa7b570dc
SHA256

85b286f2dde9d475405c1066139eb4143f800359542c4fd7263f7117ede812a1
SHA512

c3d77d174110f4e8fc573eb7e66dd0bbedbd90a0806b47e231a1755016960a6b12fc1d794e535527004619657a82a9feb7836a18bb566e98fcfe48c4d8584f31
SSDEEP

1536:xI5zHL+RDM+UkboOFcNTGx/uh79PRQxIDbEyRCRRRoR4Rk:xI5zHiRg+5siM3e0Ey032ya

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmmfmbhn.exe

Executes dropped EXE 64 IoCs

pid	Process
4564	Eflhoigi.exe
3148	Ehjdldfl.exe
816	Eqalmafo.exe
4728	Ecphimfb.exe
396	Efneehef.exe
1224	Elhmablc.exe
2252	Eofinnkf.exe
3084	Ecbenm32.exe
1216	Ejlmkgkl.exe
4936	Emjjgbjp.exe
3888	Eoifcnid.exe
3120	Ffbnph32.exe
4976	Fjnjqfij.exe
1384	Fmmfmbhn.exe
1296	Fcgoilpj.exe
4512	Ffekegon.exe
1596	Ficgacna.exe
1328	Fomonm32.exe
332	Fjhmgeao.exe
3944	Fmficqpc.exe
576	Gcpapkgp.exe
1708	Gbcakg32.exe
3160	Gimjhafg.exe
2056	Gmhfhp32.exe
4560	Gogbdl32.exe
1432	Gbenqg32.exe
3668	Giofnacd.exe
1284	Gqfooodg.exe
1752	Goiojk32.exe
4432	Gbgkfg32.exe
2192	Gmmocpjk.exe
4364	Gbjhlfhb.exe
4480	Gfedle32.exe
2748	Gidphq32.exe
1240	Gqkhjn32.exe
2364	Gfhqbe32.exe
2080	Gifmnpnl.exe
4744	Gameonno.exe
4588	Hclakimb.exe
228	Hjfihc32.exe
888	Hihicplj.exe
3648	Hapaemll.exe
4080	Hcnnaikp.exe
2140	Hbanme32.exe
1904	Hjhfnccl.exe
920	Habnjm32.exe
652	Hcqjfh32.exe
1428	Hbckbepg.exe
3092	Hjjbcbqj.exe
3588	Hmioonpn.exe
1868	Hpgkkioa.exe
4452	Hbeghene.exe
5016	Hfachc32.exe
4760	Hippdo32.exe
1516	Haggelfd.exe
3480	Hcedaheh.exe
4964	Hfcpncdk.exe
2604	Hibljoco.exe
3296	Ipldfi32.exe
5052	Ibjqcd32.exe
1664	Ijaida32.exe
2316	Iidipnal.exe
2736	Ipnalhii.exe
4148	Ibmmhdhm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Jpckhigh.dll	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gameonno.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ecphimfb.exe	Eqalmafo.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Ffbnph32.exe	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Oijnep32.dll	Eoifcnid.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ampkqqjm.dll	7ff3bbb6c9ca656a7bc1e5ed0ea11980_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Eofinnkf.exe	Elhmablc.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mbfppi32.dll	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Gogbdl32.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Iebapp32.dll	Goiojk32.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Jqqjmnii.dll	Eflhoigi.exe
File created	C:\Windows\SysWOW64\Gbcakg32.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Giofnacd.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Ecbenm32.exe	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Gameonno.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hihicplj.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6920	6776	WerFault.exe	255

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	7ff3bbb6c9ca656a7bc1e5ed0ea11980_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 4564	5112	7ff3bbb6c9ca656a7bc1e5ed0ea11980_NeikiAnalytics.exe	82
PID 5112 wrote to memory of 4564	5112	7ff3bbb6c9ca656a7bc1e5ed0ea11980_NeikiAnalytics.exe	82
PID 5112 wrote to memory of 4564	5112	7ff3bbb6c9ca656a7bc1e5ed0ea11980_NeikiAnalytics.exe	82
PID 4564 wrote to memory of 3148	4564	Eflhoigi.exe	83
PID 4564 wrote to memory of 3148	4564	Eflhoigi.exe	83
PID 4564 wrote to memory of 3148	4564	Eflhoigi.exe	83
PID 3148 wrote to memory of 816	3148	Ehjdldfl.exe	84
PID 3148 wrote to memory of 816	3148	Ehjdldfl.exe	84
PID 3148 wrote to memory of 816	3148	Ehjdldfl.exe	84
PID 816 wrote to memory of 4728	816	Eqalmafo.exe	85
PID 816 wrote to memory of 4728	816	Eqalmafo.exe	85
PID 816 wrote to memory of 4728	816	Eqalmafo.exe	85
PID 4728 wrote to memory of 396	4728	Ecphimfb.exe	86
PID 4728 wrote to memory of 396	4728	Ecphimfb.exe	86
PID 4728 wrote to memory of 396	4728	Ecphimfb.exe	86
PID 396 wrote to memory of 1224	396	Efneehef.exe	87
PID 396 wrote to memory of 1224	396	Efneehef.exe	87
PID 396 wrote to memory of 1224	396	Efneehef.exe	87
PID 1224 wrote to memory of 2252	1224	Elhmablc.exe	88
PID 1224 wrote to memory of 2252	1224	Elhmablc.exe	88
PID 1224 wrote to memory of 2252	1224	Elhmablc.exe	88
PID 2252 wrote to memory of 3084	2252	Eofinnkf.exe	89
PID 2252 wrote to memory of 3084	2252	Eofinnkf.exe	89
PID 2252 wrote to memory of 3084	2252	Eofinnkf.exe	89
PID 3084 wrote to memory of 1216	3084	Ecbenm32.exe	90
PID 3084 wrote to memory of 1216	3084	Ecbenm32.exe	90
PID 3084 wrote to memory of 1216	3084	Ecbenm32.exe	90
PID 1216 wrote to memory of 4936	1216	Ejlmkgkl.exe	91
PID 1216 wrote to memory of 4936	1216	Ejlmkgkl.exe	91
PID 1216 wrote to memory of 4936	1216	Ejlmkgkl.exe	91
PID 4936 wrote to memory of 3888	4936	Emjjgbjp.exe	92
PID 4936 wrote to memory of 3888	4936	Emjjgbjp.exe	92
PID 4936 wrote to memory of 3888	4936	Emjjgbjp.exe	92
PID 3888 wrote to memory of 3120	3888	Eoifcnid.exe	93
PID 3888 wrote to memory of 3120	3888	Eoifcnid.exe	93
PID 3888 wrote to memory of 3120	3888	Eoifcnid.exe	93
PID 3120 wrote to memory of 4976	3120	Ffbnph32.exe	94
PID 3120 wrote to memory of 4976	3120	Ffbnph32.exe	94
PID 3120 wrote to memory of 4976	3120	Ffbnph32.exe	94
PID 4976 wrote to memory of 1384	4976	Fjnjqfij.exe	95
PID 4976 wrote to memory of 1384	4976	Fjnjqfij.exe	95
PID 4976 wrote to memory of 1384	4976	Fjnjqfij.exe	95
PID 1384 wrote to memory of 1296	1384	Fmmfmbhn.exe	96
PID 1384 wrote to memory of 1296	1384	Fmmfmbhn.exe	96
PID 1384 wrote to memory of 1296	1384	Fmmfmbhn.exe	96
PID 1296 wrote to memory of 4512	1296	Fcgoilpj.exe	98
PID 1296 wrote to memory of 4512	1296	Fcgoilpj.exe	98
PID 1296 wrote to memory of 4512	1296	Fcgoilpj.exe	98
PID 4512 wrote to memory of 1596	4512	Ffekegon.exe	99
PID 4512 wrote to memory of 1596	4512	Ffekegon.exe	99
PID 4512 wrote to memory of 1596	4512	Ffekegon.exe	99
PID 1596 wrote to memory of 1328	1596	Ficgacna.exe	100
PID 1596 wrote to memory of 1328	1596	Ficgacna.exe	100
PID 1596 wrote to memory of 1328	1596	Ficgacna.exe	100
PID 1328 wrote to memory of 332	1328	Fomonm32.exe	101
PID 1328 wrote to memory of 332	1328	Fomonm32.exe	101
PID 1328 wrote to memory of 332	1328	Fomonm32.exe	101
PID 332 wrote to memory of 3944	332	Fjhmgeao.exe	102
PID 332 wrote to memory of 3944	332	Fjhmgeao.exe	102
PID 332 wrote to memory of 3944	332	Fjhmgeao.exe	102
PID 3944 wrote to memory of 576	3944	Fmficqpc.exe	104
PID 3944 wrote to memory of 576	3944	Fmficqpc.exe	104
PID 3944 wrote to memory of 576	3944	Fmficqpc.exe	104
PID 576 wrote to memory of 1708	576	Gcpapkgp.exe	105

C:\Users\Admin\AppData\Local\Temp\7ff3bbb6c9ca656a7bc1e5ed0ea11980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7ff3bbb6c9ca656a7bc1e5ed0ea11980_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\SysWOW64\Eflhoigi.exe
  C:\Windows\system32\Eflhoigi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\Ehjdldfl.exe
    C:\Windows\system32\Ehjdldfl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\SysWOW64\Eqalmafo.exe
      C:\Windows\system32\Eqalmafo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:816
    - - C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
      - C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        26⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1240
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        41⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        43⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        48⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        54⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        56⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        58⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        59⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        63⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        66⤵
        
        PID:796
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3684
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        69⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        70⤵
        
        PID:232
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        72⤵
        
        PID:648
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        73⤵
        
        PID:432
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        75⤵
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        76⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        77⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3256
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        79⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2848
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        83⤵
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        84⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        86⤵
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        87⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1792
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        89⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        90⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        91⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        92⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        93⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        95⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        96⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        97⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        100⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        101⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        102⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        105⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        106⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        107⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        111⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        113⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        114⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        115⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        118⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        120⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        124⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        129⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        130⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        132⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        134⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        136⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        138⤵
        Drops file in System32 directory
        
        PID:6240
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        139⤵
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        140⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        142⤵
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        144⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        146⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        147⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        149⤵
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        150⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        152⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        153⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        154⤵
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        155⤵
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        156⤵
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        157⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7164
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        160⤵
        Drops file in System32 directory
        
        PID:6188
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        162⤵
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        163⤵
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        165⤵
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        167⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        168⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6776 -s 412
        169⤵
        Program crash
        
        PID:6920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 6776 -ip 6776
1⤵
PID:6880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
71KB

MD5
0055d20dbbc2c7dd15c04d81490045ee

SHA1
2951c38b2223a893f3834714372f1dd986cbddb9

SHA256
874bf41ddafa6072e086c18547b523ca1eecbba0db25b289d9293729b49599a2

SHA512
26b932d2036cf716241a0c627d83e5e5a87232985c50f2d68434185bfdedd7e071f59b60ac17619747197972fc6541825ae56106fa1cfe67d8173791626ba395

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
71KB

MD5
068dd561bd53163f2cc844c94546c5b2

SHA1
64cd72d4f58c23671d554cbdf96fbd09ba6fdc91

SHA256
9cf29a527b636040ff7f427b106189604c9914b5055ba553411132b468114aa1

SHA512
23a84bd83c56185da550a23e3a58dc653a52a8672bb92ae8fd3d734628d2392b7e260be5727f4345e4db67ab158d4247091b2988808734dcc23810c0e495af88

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
71KB

MD5
18ec180bbf26b5375b3430088f38dcfe

SHA1
63b29af0527eb7f09f3693cc3fb1a253af5d7a24

SHA256
c0fc7cb6649329c9faeae8294a2136afaeff8d8050b24679f42531c4b802e0e8

SHA512
e179189a11fc517e1458538967e38ccd2ea8660b4e23474fcb4e4434b3bf41d0593f69e1e406e6e5954875188dd0da85d2fad7a6c326121441596db1367c939a

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
71KB

MD5
a5465110d851013c5d59717d5e11042e

SHA1
d46fcc5dabbc44e23e797dc689c5c15ed3370f31

SHA256
70047a82d2066d3e50780eeffa5ad1b7ce8bb023cf6e577badedf856565f7a54

SHA512
d759a67e11318879ba70e446ec4c116bc1bd512e1ec4ac7b8c22aeaac05112a4ecb9ae43efb834080d729dedf68d3f780c3b86088fd00c3bb3a2eff2f44daf65

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
71KB

MD5
d6f968ff8aa9152d4e24f9b65ce77b48

SHA1
06bfe3a316cd7844f2d51584df60b579df56c709

SHA256
e89be2ce732aac36a0dee7c64c54628a4e7fe67b467943079610eddc5b5ceb55

SHA512
c9a0c9c76b66a7855a4620335192339ef88e64b200c267f2a7a505cef9bc354ef7c45484f574bab582cf50126709ea341492a8fffe0d6bbae6a33deed136270c

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
71KB

MD5
3c47688ca1740c0a755360f63db7585a

SHA1
ea25509def183ffb87eed83e18a411c29826acb5

SHA256
374e5338e13fa72869d526a4a0841e0d14652926e932f9f0cf7dab6fe1514106

SHA512
fcd379755db87957c3310b5377257bed080f1b36908860bd9227ba6e0b53250ef1632d45b2d4d2c4520d8b1c0ef9b338cad35c97e0fff06dcd308b5dd9b23fd2

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
71KB

MD5
71018a9be720a592ef95e1ecb95d7c62

SHA1
80b20ce2f66369479a5420f38c348dd942276c0d

SHA256
c1ba75a04b71b990fda1bf07a84e35b0e6b6ec35dc8d0a3d428f545e64c3e458

SHA512
72a4b3ae70027eacb8d833192092fc30b4b1951ae86de081a3805f1e16ec65f40a1e24b8eb22a94dd94fd1141c8cd5d237be58fdbd28669f3d5d077f9da4c924

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
71KB

MD5
5d31b46e29d277d9371b772f0c2865fd

SHA1
df2d0541d48e96e18c7c945a2a252b4ac08a338a

SHA256
48fe811373db387475e49e060a84ec3c3a843ceac93e2b83447d0298e324c694

SHA512
e6d86394d882cd33a251c943c8af460cbd0b9c475608ba236db7673fc1ca52701e06dd6f2858a7c5db726e09948dfd0c6b1a10f682391a898a3ac94be5fa40b2

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
71KB

MD5
3e052a618c56873c90e27fce958a1628

SHA1
a3690ecdeae5373e8a082eb308b0fa25429a35d5

SHA256
1a08dc18b2870afa7966349a1d57b1f314e67fc9030477d389116015fb76a154

SHA512
46d28d983f3fe620aa879afce43054851183072b8cfe16df1e256df2086252e6f776e0f4254044fedc33d8e292c873cf1f76f488f186c6544ffa653e05210535

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
71KB

MD5
ccaccb9232d38640b0ab32b7495bed22

SHA1
5b89d4cd8bf036aadc451120cc3eb38038aa9c1b

SHA256
c3fab58a5ea8ca023225372bce7a9737a260a8892aa3b0ed7aab4964ba448220

SHA512
f1f0b2fc082a5caf06e40d186b7b492094121bdf12cd24cebbd0b2d8327fc2e535344a1ed7f0306b2c9b71e9308fb0cde63fc524085881a67a1f91d6e1c0d9a9

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
71KB

MD5
c3edcc0958075f2197fa5054c2b21ffb

SHA1
81d29bfd12df0f9d90ed41bcb561d0835cc46623

SHA256
fff171da3d91264e3c150b83e6a39d5ff88b6141cb2a6c1a34bef7cd27e9e230

SHA512
5f75746610422d729b9364c1d8c0dd836de81b884416002e515347e40b6ab8afd30a6f9bf6221a7e73ededf337f681e2ea6fe341f05e607e8f8555e2178c644c

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
71KB

MD5
8542534a819c72babd93ee7a34f623ef

SHA1
0083d26be6525bac3a8585a7eb016288d1efe10f

SHA256
3613905a154b6e8f2d010d19054017d004d37133ec66a3f8c8333adfc432eddd

SHA512
89fa9132889052c724773ccaf9a1f7906db464219e0dd4056f6b48747e7400d251b04b88f34c470d443ef0062e481819ce9891c6011de7d53f2d57cc37cd8abe

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
71KB

MD5
5e829d7ed32771a62c9a0470e0da46c8

SHA1
52b19116d28d00423815700109e037cf493aa3d0

SHA256
1973ae2dda0c6fa60079af588e1eaed96698d1f2244783587e631c1a2afdb005

SHA512
90196b550e2e74c3ebb0e6546cc043a2dee3281fa197680e482b24547ce2bf3457029eeabcbcffb79b43233802672cc7b82ff3ee4b461293f7a020cf4779b639

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
71KB

MD5
a763761cdc25aaa05682d1ad9b039b2c

SHA1
a5267d79365e88edc0bc76962b490e34952b887a

SHA256
4e79ac29b269e85f075ad9906a113bcf584bed64b497d62f20870272ddede623

SHA512
6848f4fc16d68c4152b43bfed9d388ff8ca78ff2f012ee8e87e2338d67b240f7a10e7ba284efd6e5cd7d506d3740cf9602fa15e947e833eea5e224bcde2588b6

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
71KB

MD5
e62bd557cc23348f3825098e6f54245d

SHA1
ffb8ed56b35e2b0be5de29e2b00b4e4d9189190c

SHA256
521820932eb4683d2e561efc611e0b0040f445fdcd20dcb7af2af6f624c07183

SHA512
128525dc59de5247506f435760265401bbca0283d63a7870da43a6a91f13fc7ae41efe7ef56937aa9b153a5680e1801e3d89b2637515078a32694b00ad824470

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
71KB

MD5
7d8fb7e85755f886b7fc42b535601038

SHA1
076cf49a39b29a6c6668d22ded9ba57f8e259ddb

SHA256
2836eb565d542e58e8244a2abec5a1dca44c053cdc8b7863506540f59c94237d

SHA512
6bf3df758a4205da08a3a92dfeee0373fe6b5c11a0dc33ef4bba3b1567563b341bef7d7cd4d18fc3a32501a4d8e16e92c3c39e656380d0cd8b8ddf22910f7269

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
71KB

MD5
16f03d28c4262bda57c00ca0eb306562

SHA1
a9dbc085b5231ecb9fb386dde5aae6db1d5d529b

SHA256
16b312e1542db25b5e328cd54a48fd1583ab4334433bf707c7638ef318e3d343

SHA512
4c5aa2087d0025ccf7580b21b6a677decdf95cba7acb79b3d6ff14387deaafc21ce7f9d3b24ebf7ddbf8242f5f99df45e12aafc5f16bff8f16eae839a795afa2

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
71KB

MD5
b514a42376b437a3a0ef59c89c2d87b7

SHA1
7a021ba27fa86c7f324be70f8538b695095ae904

SHA256
4f2b29121b07681de854562b4919be5159e1a746a536cbb9f2a6fc75988d2230

SHA512
3135e2e6a1f2b0c033f94f7526a15007c575da8cdbde61c36c6228666d44b55e6fe84fead65453e3de9d391a439760481d556460329fa5e917a7ab986b2da0e6

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
71KB

MD5
2f8768c429db5959d44f4a1ad305c6f6

SHA1
69eb16a3b6c3498d1e10674570e394e930d30035

SHA256
c8f9f2e4353e7a6f8db1873d5ea036bfabf9c8359f75e165c507d4e2f5748cc9

SHA512
7cf1687bb3e8cf74485f2b58433f4102e5704030d2902640d1415a82cd29518b440021b279707c846df63db029e1a6362c8a4675d5147c2f875887b840634cc8

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
71KB

MD5
d9bb7b95f704300e1a9e641cc34f2754

SHA1
49b67638c9e0fa28b047f55b5f639487fb016cb5

SHA256
9c95fb02b64d97581624f058ee9cf2332b57c70ed0f0964c27be515fc9d4d025

SHA512
52ab6441af0c73a82f89d24b2927c3e31cdd5fde5a7bd4f146b7baa1ec91e69ddfd5b3f6c23456cda0f00dd40b6beab1ecd4619a1dbefae2d0d0a624a3edf9f3

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
71KB

MD5
62f182d7d3249b45bc97e9a076446365

SHA1
4a0e6810dd6d794f3058eeb1872a849e1abb2e2b

SHA256
7fd4241905b59873c9fdc68103c367aeec78cfef7665010c34daaf237fb2fb67

SHA512
fe9b404f43beecb9a93016d04bf3618832c6b45ff72160220b9452dbdac1eadf6c307d4af63edea7dac2faea8f8c7ea4a92c299f0bba7bd57caffc6db31b04d2

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
71KB

MD5
2e689905dce266a1fa321c1fb9262448

SHA1
56ca3f0e63d9d066c1ac190e43e39c4965a2d54c

SHA256
3743f83d985c0ab3fb5977be84de5b5f2e29c57ba3e1ce8a900de72e6c43fbcf

SHA512
c0d4deb188d802ee9e366a4dd51db9c6e00b313ceb8bc39cef29f682e9cab146e78c483611075b3d7afaddd6cfdef434da3c00c1cfe758dd603d1d96ac99d17e

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
71KB

MD5
3e7271d4c19c00d85660a52c2eee7ca7

SHA1
0fc143a129ba7b4571a12f97cbc94c987ad5e77d

SHA256
641f168f2899d52ec28ed1ff6523cf83157d77c83c01b432a9a91161a88fc31f

SHA512
8c4d3388368b78b093e95011f20c7bbed0ef0bc07212a5c1faedd108855b31c0f06ca1a74f13b69c1b280ef68c959566eedf7138df0ab9d52c0dd9c0a60041ff

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
71KB

MD5
b7403fff640dfcef176bdb8b4e3a1c23

SHA1
c674da49745c993a80046a7596d09ab130650f93

SHA256
12f7df9084e4e63b0f3724fdbcd6f4df3877be80ecacb8e94cb33f660ce84e38

SHA512
6d99d773f1f3c699999e342d0c002f1364df4d7c9960b70a136206d639fbe9f292682b8e36c915583eb372c85ccc180efddfad14d3e9cd54c1b84d2b0d88aa8b

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
71KB

MD5
a4d730f5a08d9da852b6aa424880b788

SHA1
8a30b0f792c0ff3d5c8986c86e38adfcd48329bc

SHA256
4b7b4a98feef53104a420a2cd90ebf5ad20af0a72b638ebc385efe7bbe8f2f6b

SHA512
bd36b34db6fcb930a42eb95b718bd676a1f64b6fb692c9c8a64970e4a30bb5141dbcec877fe9dc78a41059a0b5787bb6c2e9c3d06374631f499befbbe31bd1b6

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
71KB

MD5
c0352570f9e50e6fb3c105fe442dcee7

SHA1
f8eb14408df5a0e09194a77cb754e03896e539d5

SHA256
9d9ffdc41dd7464fab268508aaef5dcbd9918f76f664021de95fd594964812b9

SHA512
a1995d2d5aaf29bcf3797d3f10de86495f702c8cec28712cebb0180429c05c9c17c59255b605c6513c0735072fed733431d1bb59d86d999016d29f47ee7aaa88

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
71KB

MD5
bf1795915556498020dd62c8f1717586

SHA1
c6c0a216b99c8e9b187b0483e08d26fd85351ae7

SHA256
95330109716bb64d4047e531fac34a7d30f56d45049627ed4c8bf8b5c6b42e68

SHA512
8d5188ba88f711b20e3a9cca0dcea986104f9c21cdbd04a8a90f89e59309dd7a6e15af60ba48479490ab4948abe465c0deec6625aec7288cc0f1fee2fe44304a

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
71KB

MD5
e7eba746380f1e47995c80030b755ae2

SHA1
a4b337eddd05f014c61699c84a0ca0742aad43a5

SHA256
1b5caf0a2d618d3752f4c22450b4901034a423c543bb3885ce31a000dd45c9cd

SHA512
a1a6a2c4595b5815f186f78679b2d4d7f4a4028cdfc329ba7f057fc3eb14b1f6dabf944e5de1fd399d4f7ebb88c0a6aa151e4de933a0f4622786f29f2145035a

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
71KB

MD5
3ac741459beae85ada0f1cc6afda0b85

SHA1
b0299cb9e4cc73bf7759e10c10f8bf84d2e85da4

SHA256
afec55fd83028a585226653e5591e9b1b70ae4d21231e0e1559ef806b10f8c6e

SHA512
04735aade36efcd91dcfd0a82f6bcd271e21f14f6988f23beac351a6e94e19b3747aa5a3b3ff8a5fd8d60aabdd5025d194819731096ebab4e60a0a9012ba1988

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
71KB

MD5
85016195b56c2ef00bd661f4ccfca0c0

SHA1
b32bf3a489b325fbbc54f9fab5303d440c4eda4e

SHA256
5f2015ebc11cc2d250d1c4e2519874ce4a9f97c36298a8f9d8b9e38ad538bb77

SHA512
6dce87bc8b24155efa5991c6bc253dfd75fb2ed610754ff8120f39e9cefba2cb3bd601440298d2d9fb3b7ca1da38cdc0aabada9210fcf1fd4dfc6726e17bce38

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
71KB

MD5
381471fb1355bb7847859ba6a596eadf

SHA1
37c5fed20a4b7bd326cddd55d0129083034a0fd1

SHA256
07363e4903ce072468a9a89bababa38313397628405809ba8b5389aa30d492c7

SHA512
b552e1c2ce5148b398d3a0c47bd1ddcadeb1c55e465bfc790da841310736615bf5102ced504665c7e6308711e72abd812c74d44c93a6eacbf53efff7c378681d

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
71KB

MD5
1f1053168baf73759b6b4f2a5dcb1575

SHA1
7ffeeae71b78b497d98cad2d46de73d5cc0d9544

SHA256
cc642a109991dff59b13c449615db830e0ea2e310f3ee9655d46df4e37bf1e97

SHA512
91886249135add8007ceaec9dc461f7183cb77d0c185a4122b55f59032025688d91c36c6dd3898be1dd993d5922a86db435cc7fd64d80f2538daa76c524db850

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
71KB

MD5
7c8061e15ce5d77a4f87b61d489e56e6

SHA1
0cf8a20f91c2240dd4200fa5d60b7fc60aa8f9b7

SHA256
bc66b7e399427725705178cd6fc91bf46204310dac7ade4a3c4d69ea40f56275

SHA512
5fb6a735e2cfda0cafda04e3435e9cc399c9678c1bc6ce03c402e39122a97272f2d4727cf9c4b9034da5b1cb3d6fa8950568ee47e29ac0e2b8b458687370822b

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
71KB

MD5
acdc7badb1c714586651568d233f1b28

SHA1
9a7072cace0bb15db9798c945ce41ecfb8dd1fac

SHA256
9413e105286e4da7f8c89950707b6880b9cae0fa08013228e1b603922139eed2

SHA512
65db3882748bcdcfd3d2289495f2e280c95b0471337dda6cb131009fbf6da124b492614d885cf934579337b70bef72a550adca976292b34cc9f6bf2cc56fbb4e

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
71KB

MD5
10b3138d40eb8bed7699efde2a42a78b

SHA1
ced31e79b5cc940a770db4d8e3a69aa220a0ff91

SHA256
180da60e4c03533f18b1aa04a1bf226d9e10e4cbd69d21311ae205efd9595792

SHA512
0f25c443da44c23fd05bf58049ed82123f02565312fa4e86614f77f8ee4aa8aa6df989e10a53b0f504d522c104fabd2b36baa7f7fc418897539b9f97a832b07a

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
71KB

MD5
0d97362447f13e64d3dd358d9e131cf8

SHA1
aa6d1c902fe3df2d6f9cba91ef8595c7f665d0fb

SHA256
0a801e8fd6d50e1e9dbf9391fe268573436fbbc75fff2dcffe7651c5b9bdc1db

SHA512
9e7b3c9105904b66ed16fa855a8a24aa1c437f39cab766c5dc9a0880e65332268beec7efcd623416983b5d620b6eaacde25abed5bb46c2130d864e82d736efb1

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
71KB

MD5
5bc018b989f192c8d279aad8f7a3a305

SHA1
c7306ebc65eff546430f80336d0772a52e9937b4

SHA256
2a54b2ee3cbf0063e5ad4073210eac3479bc1ad6c6ce731ec6fe6639d01f7564

SHA512
f570749609ed0106d660de97973aabfa605f3fc617106c7cd3b136795df362a0bbbe0db71134d27341216349061963fe2d4159c9ba8fc13253366923ba1593a5

Download Submit
C:\Windows\SysWOW64\Klfbpcko.dll

Filesize
7KB

MD5
520796408a274f6d5c73c06d4519475d

SHA1
0906c1085fcc3c638398486abdb9a132e7090d6e

SHA256
66a1415de5cd9589c24f0d3684a49438ef7f8a08daeb7e2a3f28c867802bcdd0

SHA512
81ff029a91ee07e2f03d7287875d26d4458d36e3c2a174763fe7bea7edbe1327ec7d6102b1f496369dbe4081364f2b9ca75a892f83811a5aadd38a9ddbb1c27c

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
71KB

MD5
bac78265a640d105196364722954b1a3

SHA1
8f381abedf3a0f82adbb097f17295ce76eeca77f

SHA256
cb889489f8a353a0defecf119781057e70d9e6067ce8924433187c1fcfddb16f

SHA512
54ddf739d3a2eeecbebbc64833ebdd5b0defac47e0377a7808ce35cffdde4b9e4a98e09cefe7a62415efeb0c39ee31be80d62623617c515bb78ad63b0d18284b

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
71KB

MD5
693378f62ab6ed46f826ac20e4c134c2

SHA1
18abe98964b147a9ed7226b7b35f34d25ea59694

SHA256
a55dea2553cdca20beae707627efa0897d2d3c15448304bd72ff94dd9b2ec04c

SHA512
0e19e7fc13c34661437a9419d6b01172051f5dfec34415e68bfec16d1f6d2ba9d59f342a38d71d37d1a2b3aefe9e2cc3be6709a89d460eda3d95264560f2bed7

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
71KB

MD5
225ee5212938edd7c1161f9d4865821c

SHA1
1d2c7e8c7b2e4e1dd6e636f8e7487b8f582462d9

SHA256
222e5a9ea82ed64014d72d25920f7c1030d8af78e65b917fc953c1005e537049

SHA512
d64afdbd70a439a5fc365eae5b4c59f801faabec6cbe18579b355b729a71dcf3bc8e8c2a83d6a3252d2d220434d8887fcf4c73f54662aaa007e75d57064587f6

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
71KB

MD5
29c65988cade813871b11cea8bacf0e8

SHA1
98cd700a0c39707e186bd663456bced8d8118cdd

SHA256
3dd57e579726688c37ef3dd0ffa544e13f0345143d27e16e21f9ba00bc53cf89

SHA512
33bc53c577d2b45ef2659cdff51100e464bfcd6695bfbd837432cad326f6831259474e7d458b5a1237e476c9351b4e7c1556a594078c734380d778b00c8ad51a

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
71KB

MD5
653761a686c04d7552b3e77095ac2898

SHA1
6a863bf1ed6a628da982b94628181772eaa8672a

SHA256
36fd3f987f1593ed60314946614003b7b2ed344eabd157afe3fe77509020c515

SHA512
5bdc7f77495f36b6a18753d3dc5f495a8462a67de441815d3532b2ecae62db8c4a42d9c0fdba377dcc390c03326e1e140224ea0da2dac7c9716342d80dd18eb3

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
71KB

MD5
983e0daba324c3720f09b58894b65175

SHA1
b83451f8ffce06cd4e4551c7932a225176b7c0cc

SHA256
332234d6aa13892bd8c1216b282cb1bc4936aed0183a129ea82e5edcdb4c9f04

SHA512
ba471a4bf76f62b3f0547c0276a08f9164723817640c2aaba8536ed7ea8857be826f7bbbc98aa43967f8c08a060a2d37a3d26e9104fed6a6eabd67cae6120398

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
71KB

MD5
58ba22211f5f9bbce89770d5a7f9ba8b

SHA1
9727b1a75c9856bcf136993ab2a3295cd8dab447

SHA256
b3f57cf5bf2804836374c3a3164137c811c093569e3510ac9944f43da20c3001

SHA512
215639ec9f3859504cccffc92333dcb0df2377d153788a449a42aab3829da49b39db9676f20338f1e867204f8dbe96c2df130e75bcb01f4aff4d72621c4067ef

Download Submit
memory/228-308-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/232-482-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/332-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/396-583-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/396-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/432-496-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/576-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/648-490-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/652-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/796-454-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/816-569-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/816-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/888-310-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/920-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1140-489-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1164-477-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1216-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1224-586-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1224-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1240-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1284-228-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1296-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1328-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1384-111-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1400-512-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1428-352-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1432-207-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1516-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1596-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1616-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1664-435-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1708-176-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1712-571-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1752-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1792-597-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1868-373-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1904-334-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2056-192-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2080-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2108-559-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2140-328-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-247-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2252-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2316-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2364-281-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2604-416-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2656-584-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2736-446-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2748-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2848-538-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2876-587-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3084-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3084-599-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3092-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3120-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3148-558-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3148-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3160-188-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3256-526-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3296-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3468-520-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3480-400-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3580-514-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3588-364-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3648-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3668-220-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3684-464-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3696-573-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3888-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3944-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4080-327-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4148-452-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4152-506-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4364-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4432-240-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4452-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4480-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4512-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4524-545-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4560-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4564-551-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4564-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4588-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4728-572-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4728-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4744-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4760-390-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4936-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4964-409-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5016-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5028-552-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5032-532-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5052-428-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5112-544-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5112-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads