668b5e4fa14621d35bdafd98cfda40f66888789122b6c690884850c0a58c4f37

Analysis

max time kernel
142s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10d2a09e9ee7fbc11dffaa78335bec10_NeikiAnalytics.exe
Size

128KB
MD5

10d2a09e9ee7fbc11dffaa78335bec10
SHA1

66cb2ea8dcb1e07cfb425faca353f4643e7c5fb2
SHA256

668b5e4fa14621d35bdafd98cfda40f66888789122b6c690884850c0a58c4f37
SHA512

71e230065411d3221dd05c3faf48c8bffef43fddaa476814e0905385a085c4e3e492ae8d8e451cb29a948f413fddfab72b0fc2a4c5d2b23e73e39607961210a6
SSDEEP

3072:uOXnaFu/QQrxPQfz9PgncMA8ek9pui6yYPaI7DehizrVtNq:7npdIfz9IncMA3mpui6yYPaIGcs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dljqpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	10d2a09e9ee7fbc11dffaa78335bec10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebbidj32.exe

Executes dropped EXE 64 IoCs

pid	Process
4340	Dofpgqji.exe
4336	Dephckaf.exe
4556	Dljqpd32.exe
3980	Dohmlp32.exe
2028	Debeijoc.exe
2016	Dllmfd32.exe
2500	Dokjbp32.exe
4920	Dcfebonm.exe
3472	Dlojkddn.exe
4092	Domfgpca.exe
1076	Efgodj32.exe
1844	Elagacbk.exe
2392	Eckonn32.exe
3920	Efikji32.exe
3516	Elccfc32.exe
3120	Eoapbo32.exe
2448	Eflhoigi.exe
4932	Eleplc32.exe
2416	Eodlho32.exe
528	Ebbidj32.exe
1188	Ehlaaddj.exe
1048	Ecbenm32.exe
3432	Ejlmkgkl.exe
4248	Eqfeha32.exe
3400	Ecdbdl32.exe
3200	Ffbnph32.exe
2800	Fhajlc32.exe
408	Fokbim32.exe
3332	Fbioei32.exe
744	Ficgacna.exe
2244	Fqkocpod.exe
1500	Fbllkh32.exe
2128	Fqmlhpla.exe
3016	Fckhdk32.exe
1108	Ffjdqg32.exe
1332	Fmclmabe.exe
3396	Fcnejk32.exe
3032	Fjhmgeao.exe
3656	Fmficqpc.exe
3988	Fodeolof.exe
740	Gcpapkgp.exe
1624	Gjjjle32.exe
224	Gqdbiofi.exe
1916	Gogbdl32.exe
2180	Gbenqg32.exe
512	Gfqjafdq.exe
2536	Giofnacd.exe
2856	Goiojk32.exe
4768	Gcekkjcj.exe
320	Gfcgge32.exe
1936	Gjocgdkg.exe
3452	Gmmocpjk.exe
3116	Gpklpkio.exe
4720	Gcggpj32.exe
4680	Gjapmdid.exe
2756	Gidphq32.exe
4960	Gqkhjn32.exe
2384	Gpnhekgl.exe
1328	Gbldaffp.exe
1164	Gjclbc32.exe
3692	Gmaioo32.exe
2900	Gppekj32.exe
1888	Hclakimb.exe
4676	Hjfihc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dephckaf.exe	Dofpgqji.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Fqkocpod.exe	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Omlami32.dll	10d2a09e9ee7fbc11dffaa78335bec10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Fphbondi.dll	Efikji32.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbdl32.exe	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Ogedoeae.dll	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Efgodj32.exe	Domfgpca.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Gqdbiofi.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Efgodj32.exe	Domfgpca.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Goiojk32.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Eckonn32.exe	Elagacbk.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Elagacbk.exe	Efgodj32.exe
File created	C:\Windows\SysWOW64\Gfcgge32.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Njqijj32.dll	Dofpgqji.exe
File created	C:\Windows\SysWOW64\Eleplc32.exe	Eflhoigi.exe
File created	C:\Windows\SysWOW64\Fmficqpc.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Debeijoc.exe	Dohmlp32.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6576	6336	WerFault.exe	267

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkklocjg.dll"	Elagacbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Domfgpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dlojkddn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omlami32.dll"	10d2a09e9ee7fbc11dffaa78335bec10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejlmkgkl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 4340	552	10d2a09e9ee7fbc11dffaa78335bec10_NeikiAnalytics.exe	82
PID 552 wrote to memory of 4340	552	10d2a09e9ee7fbc11dffaa78335bec10_NeikiAnalytics.exe	82
PID 552 wrote to memory of 4340	552	10d2a09e9ee7fbc11dffaa78335bec10_NeikiAnalytics.exe	82
PID 4340 wrote to memory of 4336	4340	Dofpgqji.exe	83
PID 4340 wrote to memory of 4336	4340	Dofpgqji.exe	83
PID 4340 wrote to memory of 4336	4340	Dofpgqji.exe	83
PID 4336 wrote to memory of 4556	4336	Dephckaf.exe	84
PID 4336 wrote to memory of 4556	4336	Dephckaf.exe	84
PID 4336 wrote to memory of 4556	4336	Dephckaf.exe	84
PID 4556 wrote to memory of 3980	4556	Dljqpd32.exe	85
PID 4556 wrote to memory of 3980	4556	Dljqpd32.exe	85
PID 4556 wrote to memory of 3980	4556	Dljqpd32.exe	85
PID 3980 wrote to memory of 2028	3980	Dohmlp32.exe	86
PID 3980 wrote to memory of 2028	3980	Dohmlp32.exe	86
PID 3980 wrote to memory of 2028	3980	Dohmlp32.exe	86
PID 2028 wrote to memory of 2016	2028	Debeijoc.exe	87
PID 2028 wrote to memory of 2016	2028	Debeijoc.exe	87
PID 2028 wrote to memory of 2016	2028	Debeijoc.exe	87
PID 2016 wrote to memory of 2500	2016	Dllmfd32.exe	88
PID 2016 wrote to memory of 2500	2016	Dllmfd32.exe	88
PID 2016 wrote to memory of 2500	2016	Dllmfd32.exe	88
PID 2500 wrote to memory of 4920	2500	Dokjbp32.exe	89
PID 2500 wrote to memory of 4920	2500	Dokjbp32.exe	89
PID 2500 wrote to memory of 4920	2500	Dokjbp32.exe	89
PID 4920 wrote to memory of 3472	4920	Dcfebonm.exe	90
PID 4920 wrote to memory of 3472	4920	Dcfebonm.exe	90
PID 4920 wrote to memory of 3472	4920	Dcfebonm.exe	90
PID 3472 wrote to memory of 4092	3472	Dlojkddn.exe	91
PID 3472 wrote to memory of 4092	3472	Dlojkddn.exe	91
PID 3472 wrote to memory of 4092	3472	Dlojkddn.exe	91
PID 4092 wrote to memory of 1076	4092	Domfgpca.exe	92
PID 4092 wrote to memory of 1076	4092	Domfgpca.exe	92
PID 4092 wrote to memory of 1076	4092	Domfgpca.exe	92
PID 1076 wrote to memory of 1844	1076	Efgodj32.exe	93
PID 1076 wrote to memory of 1844	1076	Efgodj32.exe	93
PID 1076 wrote to memory of 1844	1076	Efgodj32.exe	93
PID 1844 wrote to memory of 2392	1844	Elagacbk.exe	94
PID 1844 wrote to memory of 2392	1844	Elagacbk.exe	94
PID 1844 wrote to memory of 2392	1844	Elagacbk.exe	94
PID 2392 wrote to memory of 3920	2392	Eckonn32.exe	95
PID 2392 wrote to memory of 3920	2392	Eckonn32.exe	95
PID 2392 wrote to memory of 3920	2392	Eckonn32.exe	95
PID 3920 wrote to memory of 3516	3920	Efikji32.exe	96
PID 3920 wrote to memory of 3516	3920	Efikji32.exe	96
PID 3920 wrote to memory of 3516	3920	Efikji32.exe	96
PID 3516 wrote to memory of 3120	3516	Elccfc32.exe	97
PID 3516 wrote to memory of 3120	3516	Elccfc32.exe	97
PID 3516 wrote to memory of 3120	3516	Elccfc32.exe	97
PID 3120 wrote to memory of 2448	3120	Eoapbo32.exe	98
PID 3120 wrote to memory of 2448	3120	Eoapbo32.exe	98
PID 3120 wrote to memory of 2448	3120	Eoapbo32.exe	98
PID 2448 wrote to memory of 4932	2448	Eflhoigi.exe	99
PID 2448 wrote to memory of 4932	2448	Eflhoigi.exe	99
PID 2448 wrote to memory of 4932	2448	Eflhoigi.exe	99
PID 4932 wrote to memory of 2416	4932	Eleplc32.exe	101
PID 4932 wrote to memory of 2416	4932	Eleplc32.exe	101
PID 4932 wrote to memory of 2416	4932	Eleplc32.exe	101
PID 2416 wrote to memory of 528	2416	Eodlho32.exe	102
PID 2416 wrote to memory of 528	2416	Eodlho32.exe	102
PID 2416 wrote to memory of 528	2416	Eodlho32.exe	102
PID 528 wrote to memory of 1188	528	Ebbidj32.exe	103
PID 528 wrote to memory of 1188	528	Ebbidj32.exe	103
PID 528 wrote to memory of 1188	528	Ebbidj32.exe	103
PID 1188 wrote to memory of 1048	1188	Ehlaaddj.exe	104

C:\Users\Admin\AppData\Local\Temp\10d2a09e9ee7fbc11dffaa78335bec10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\10d2a09e9ee7fbc11dffaa78335bec10_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\SysWOW64\Dofpgqji.exe
  C:\Windows\system32\Dofpgqji.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\SysWOW64\Dephckaf.exe
    C:\Windows\system32\Dephckaf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\SysWOW64\Dljqpd32.exe
      C:\Windows\system32\Dljqpd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3980
      - C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        23⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        27⤵
        Executes dropped EXE
        
        PID:3200
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        29⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        30⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:744
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        32⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        36⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        40⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        41⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        42⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        44⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        46⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        47⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        48⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        52⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        53⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        54⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        55⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        56⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        63⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        67⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        68⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        69⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        70⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        71⤵
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        72⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        73⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        74⤵
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        75⤵
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4448
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        79⤵
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        80⤵
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        81⤵
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        82⤵
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        83⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2716
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        85⤵
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        86⤵
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        87⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5012
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        89⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        90⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        93⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        95⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        96⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        99⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        100⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        101⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        103⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        105⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        107⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        108⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        109⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        112⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        113⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        115⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        120⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        121⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        123⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        124⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        125⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        127⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        129⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        134⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        135⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        136⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        140⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6216
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        145⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        147⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6480
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        149⤵
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        150⤵
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6612
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        153⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        155⤵
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        156⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7016
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7064
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7108
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        164⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        167⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6448
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        169⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        170⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        173⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        174⤵
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        176⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        178⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        179⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        180⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 420
        181⤵
        Program crash
        
        PID:6576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6336 -ip 6336
1⤵
PID:6508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
128KB

MD5
274d5032a829df96a0187b60a1c5b36e

SHA1
544139ad4a07c4fed305e845e325ba3bfbc5bf2f

SHA256
33bd6c68a67797ae7d2b39015133bd86afcb045562b792a5204578b483b0218c

SHA512
a56449aebc36cbe3b9347c5d81f89db0d3d4ce7d102ffce972f3ec5ba8c7110334a478db5ec9b43f323909751a4340aba69f2c54c41b8f2ab8d62147d48a2f93

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
128KB

MD5
20b0ecc737b2efbc4d4db51b16791373

SHA1
ebcdb4b086c6bc1a78b0735130e14e729a17b929

SHA256
806852488f9f5d284dd39dc01e446edf5c4865409cdd784be790da18c6be064f

SHA512
3db219374c0376b4f773a037401108dc50f148eaf941773ae141ee293b232a478ca5423b0f75957dd4762364431a802e214b6d21a5001b03da7358f9a03f3078

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
128KB

MD5
1c0ff347f9291994b8c61d2ef6ded1b8

SHA1
95e84e0dbd36e46f8a3562586cc2a9195cbb227c

SHA256
eb8623ca850972e57a0fe6bfb400f0ab726b39ed7542d57c0eb5a2e0e31e7bd7

SHA512
7ce9d0720ffb4f1d7898c9048461cbf918a1ef128a63195f54db0237ca559c28772a9681df9c2b54ac699cfd9567eb572de27d89037c3aa09a347d8bc12e7350

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
128KB

MD5
467c58b702c57c89828d4f663e0891be

SHA1
eff095cc1ac714e8b12116edf2d23ca59a1921e2

SHA256
d541200ca5fc881c167ca34bd6822a3e31c84afe886c56852839e178cc32e56b

SHA512
3a4824d9bc4e55ee55c8f77a1a2e9ec8c7c7d53beaacd9c6d7ae495095acc4a34fe442228d53bc59862653ea469867317e8eaa5951f32935ad003b2eb1b1fac4

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
128KB

MD5
97b7f3a4e9922236173a56f221732e8a

SHA1
22be8d87cf6f004ea4ed64d6859cf6c75b8b1d2d

SHA256
40aeb2adb29e2d34229e1dfac49556ab7b2fd4bd75cf36806639720637353020

SHA512
e52f18e83eee7d6cb3d4ce3fd61c0386c9351c20379388efe0406e7be8efcb9f61564a5d38f6f4f642dfd6c5bf694c8d0ab09885123a80b28aacfd25559df559

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
128KB

MD5
2775befb2b768d7239425cfbd4de6f66

SHA1
7c8339424d6d46961eba02b8b17e029dd1046def

SHA256
5f2ead4862a82c320e6f77e7a437f9947aa923b173f9def68f313bbd987af0f0

SHA512
c10b9817540ec65b86249ceaded4bf7dbdb5f976c0d4dcb7a3aaf98f71420dffce5cb128456676da63ba4ddd2ca86ab65e8f5bcce87b1b8f9e176b1ef647ee70

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
128KB

MD5
0678ed51d6795437f6086960831d023a

SHA1
f06811a582a833598640111e3b64aa4e3a805979

SHA256
8abcbebb4fbcf6c3f1a4a7ee52ec105c74abd34203ca2db1a6c80fa5526e1e2c

SHA512
8aac23f1147e8b7de840a2e7138077a8f65cf6e298be0df217fb2890eeec6694b1f6f5c95d5f75a7227955dca4cd4869be4bcdfe469e08ff46e9fa6d568e2519

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
128KB

MD5
4532ca842e19cb12a5a43c8e7da3c7ad

SHA1
361779b664b7356e5f4edc3bce705b1f339990e8

SHA256
2bfb5261976742f1d7df5443dc7db4cfbe8040d8f6f8441f5d02d6f676417fb3

SHA512
04829bf11c7c7d316e2feee774b50993151f3143ac7081f6d5e59dc3aab20ac7345d147244927551d0185992f26a6d2ba3f2fa32c45c7e4b51c20fddbcecb508

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
128KB

MD5
5699145d137a5ed49ca8771bd701c692

SHA1
d799648c594c18eb883b1d378bb3fba6306e6a28

SHA256
8a167195625f86cfde33812adf5db44755b443c58e744574cd46006fe67078d8

SHA512
5537afba2f236bb1ca219a8c24485b5d895b4a1dfba481024d70ebcc18ef6b5fac0cc55cc0e6c0f89e3079c641e974705549f6b7914591424ae5040eccb858ad

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
128KB

MD5
3103018b1e2f0c99ddc5d5370bb90a5f

SHA1
4167b2d48401a4758d7773221e181cfa0946388c

SHA256
ecd6f03679b51c56521619fd6750f460c75023f02a78d5a2238f74151b03339d

SHA512
1a34ed3bcc51c83e66f47814857eccc3c1a2dab916ca659c03534c134a76fa48b34da80b81aa606a00195fd6b5fa1a416dedf9daab617a08d4a8d27f05f702ce

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
128KB

MD5
2da0d80d1dec3cb0f38fd4e2ae8ab474

SHA1
9ea86cb79ccec4c9153ec445dc6cf41a63422452

SHA256
9e4f30c7895a2b8dc2a747065fbad5c65a2faf072fc4ac5fcea57bf5956767db

SHA512
5f79f2142b681adef0e70362c263d4c8abb67cd1a496b7bdaa4312fabe2dc5c96a93ebe2bacf3f562af0bc0efa38f8a407316d13e12d54da730118e0270c7f04

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
128KB

MD5
0362a722edc7765da9a9ab25ce59fb1a

SHA1
8fd4cd3a533393730ab6faf54bef7ffb3cb90716

SHA256
6cbc5b08a280ee879c694881cd8e1b7c64ed9aa2f92eb039418b78e9ce01a421

SHA512
eb86ec890919114304c63061a5f2f79ced16be5e46d9487cbf6e867866a42460ab55ae9337b87174072a6ebebe6da746657dc708262b59b672b2d4454b528357

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
128KB

MD5
abca5ad273967db5ec55fc0d504daa66

SHA1
1ea540ac6506fc8d4fb7d98a8612d540e06826db

SHA256
560a076f1de0ed9e1538f9b93a3df6b7f78e391f0cbbb29a2c6c0371768ffc0b

SHA512
cb7b5ff92391d476846a3a2a0bb5f1704c8b3634ca7122bd911ea74296b608a3c8737a95e4ada57b0c5dab1ba850fab29511e0dfa22c8bf9b94b5a3c92090017

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
128KB

MD5
58d36e56c324a59b3e973636629b8dbe

SHA1
00a265863c7a209f5793c5d1a464fc590587c468

SHA256
347c70804eacd2e06191ed3a1607507921b9836943b90a3ee15accc016d2d236

SHA512
6b91cc49907f77176507ade2517cd7092d350c89ed35049c568a7d8052ef65aad559263b32caab330eb55672436ac6eb749d145eba46161b8a75b381fff85f44

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
128KB

MD5
2c9c5c7c5790dae32cc5006f6b8e8bd7

SHA1
9c16c116dd705b304b413811a979587ce874049b

SHA256
78f22e37f67a7187e2f98192d88e791931812c97616cd375baeb1d5c73e9e00c

SHA512
fb07a75e03587227ddfb84a8751d74ccffda2d64ae5db1d97e0c1d58832c8629c9eecdb85bf38fdb576e3c83179997343c142e0f91f5ec928dad59b33260162c

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
128KB

MD5
165313c5ce31c702de6f14f14bf583d3

SHA1
8b19c24797a7e2afd5ee70c3de795b94fbf84dfb

SHA256
76fd9ccda5e6533855e73b2b5b9045b9ecd5ea2bcedc9ae3a611c53f7be33160

SHA512
c1d6d3c4cd655c3edd50133823de8723809a167ef5d01131797398d9680d9aad6eda092950fd36701276e7f22ace0f27eabdfae215cce3bf7c7a596cae898b8f

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
128KB

MD5
d4f7a66582fe201e14b02a54afa53f82

SHA1
5d02e61e2d8f9d93e6a0a26c6ec726a6471136b6

SHA256
37d778f917f6998785ed996d0f639d7709b90a99d82f45033f619b24248eaa25

SHA512
50963bfa9fef181ca32d3a08b5bc8406af07cf4d845feca9873e19cf92afe6ea87802d3014cb0524085ed900db1493af7e238007d581bda96046297e1f431e74

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
128KB

MD5
a30ed1fbd113fdee393f034d9cce13cf

SHA1
6d8fef5535f39db52be3838a076e1930f8ed3c6d

SHA256
1122c2c4bcef5327d5a6c5ec9a44baf1a561ee5f42746b1fd211c24d3a9a42cd

SHA512
100eee294f834b57c284c0eba5e29eea200d502b3f4baf6bfc2e55689e0fd8e68719582058f70cc23f5580ecb6756ba0797d8121ef6ad76fa7b1f2913b1e740d

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
128KB

MD5
cc5a0687d2293e2dbd322a6497d987ab

SHA1
90c19f5b718571a3a4e2b39df8ba19dbf5eaffc9

SHA256
5e4a2cf9d89aa0b1e816ab5099776be49912ddaff7172b3f20976bd7032e4a03

SHA512
c36cfa388219535efa2ce0d88e241380e8626bdafb549f56f0434c93a4936797b0bc58432c1f12de325e1ccb58fbcf3ab02011de0e07687ce65669d2cca5a854

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
128KB

MD5
3c7dcf5c3800a3dc87ad7c4d77431921

SHA1
35075d450b7ff2b3615a061feb718ed2fb393cbe

SHA256
9b9e15c964ac5743e6b79227439083bd8f51427ac9d9b0de6aff9d1cba679eb0

SHA512
5b7e6f485b76f55c547261c26f51d3023f4f38e08cc145492db49033df87d8ed6a1b320958d653dd75dc8811a6dfa8edb95746138f285d776b71d2ac590db5c3

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
128KB

MD5
72b31a5b85f82ee0f749da0586e1d9c1

SHA1
59bfd0a081e321c857b6cba477579a2a278f05c7

SHA256
f14aecd5807959cffe6d78cedae4dd0f9a1ad6dd0123f3823650292e8fa4490d

SHA512
1a7b1cb0eaea11ecd76a593631a745eef2a1a13a264fc7abe262f3bccc4514c29b62073ff618c74496b17d3b572d1d0f8ea9e236e9e3df9738a4ac59df17e8e7

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
128KB

MD5
2e92ac3317621e9069c78932729e1061

SHA1
e8f7e9bca5933206287a307721e857b64a368a7f

SHA256
827d0e1c20cee695d0156796370b0b0a62a36f5967b7a79ea4a6e584a0b9c78c

SHA512
355ad5fcbd323edd9343f0580fe782cd6ec202d3dfa1ead88f80b3d996bb4863d1bf5310ca98d2a8f67a16ad8b36618aeb2598f52f69d4189a93642108d0539f

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
128KB

MD5
719898a37862e7b37cdd423d107965f2

SHA1
58b36c594d38b21c854e3062947d47237a393463

SHA256
0e9918d3f690de8c86263be435be695262cdf76677520ce6206b1dfa27db1533

SHA512
68ec06d17d7469badb67241500f769f3604509cd57812f20d8975a81426c050f35dc31e4909fd8a38f5c617586f2e0f0bf44e3797129b71ee6e96ce7b027233c

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
128KB

MD5
99eae2a4c9c351877c703042d0002515

SHA1
04109befdcd5173f9c6c9ca3801a1ad77dd7d8d7

SHA256
ba1ef1a15e4914d667e98800063044ff9bff653a36e10694f382c1e51339c58c

SHA512
ab499bd56d560b47d72f0178f1050f5bd556dce71afee1078d473f910d70a0f5e0d50ed94d2551da49c1e287fc703c56fe7242bcae228b8db9b134076890ea06

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
128KB

MD5
1760bb64dc88764c8b481c6bbaa6e8e6

SHA1
163a482cc3c7ff5370705c05fd08266514e3c893

SHA256
1561f061e663c4220bca6ef242a703c3a8aad62b9e08954acbc1efd2ead05d20

SHA512
20df8d416cb25b127a477f96d83617dc437ef637117d01138c4e808b2478d423305f03bf805b4528b36586ad889b1b18edcb3e2bec2be046380da1b5d5fee9cc

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
128KB

MD5
dbf71272f36106d88c9737a43f95ca4e

SHA1
6db1eb2befdd6e85775f2801849dd625b4269a51

SHA256
3007e113da50d8169312e94bb32a4418f0e2dec7944f1035c02c21888855f688

SHA512
1b25ad3b941265a6700fcff17f8603498ff66208a21ebca29ead8873ed953b6702552a396ce7a670f286c1ce5b5669d3e05ed2492c538d609820926c7fc65d81

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
128KB

MD5
212f2a49ab912b950998b39c65d870a5

SHA1
b2e89e051acf38e2943213656b1ba33345842b35

SHA256
678d7b13473bd36d9eea02a2a1a6e06dab932b7538c389d70232a7cd3266412a

SHA512
14e9144b6cda1308248d44b4b546fa7da30e7934290a87c6bb035319b85ec67ccc6f19496d6ed76771eb2655313b060af5137dc66ca6f923750fbb75a09be063

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
128KB

MD5
b5221f87c3aa5ce6efb238a82083ce18

SHA1
088abc5ead806790d6b7905c4b25eba53aeb4081

SHA256
9c50685773c3f442db1b9eae1475f9360140c27304541652fb016feadf4f615d

SHA512
77693841d9a5f057a04082263b2856a8c9fc30e4a528594294bb082a676c1de3f5257563596cf2c67db2f8d6576af3344c658e9f10a7825c8b619e059c55bb84

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
128KB

MD5
bb2705566d3b4d6ffac725fe75af2022

SHA1
d3d6c25513335ab46b707b2e55ce9c855e5fc93c

SHA256
9b49a06212857ce61d4afa7795065c73478f7bf8a44ca27a84d86b6f5e81a3f5

SHA512
2c83f2878e24eec265a030c40dc64c3279cc557a35590bc10afd21a81dc8393cb85ce2803639edba51ebc033537787308959b56e627a0984d18f87cc4af78f76

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
128KB

MD5
a3a520815c25ad331b5c5815a22729c2

SHA1
f448bcece45defada6c06b2df9fcc3cc8c789c03

SHA256
0d35c45f6946385680053f7dcc791da982e457aab732756b50dfa431e78ee910

SHA512
82233601b05732d4296671d1a9c328afa2992d3bae741785c9353085eea4a066dbebda044cb7e62baf8e80d67787ba285eb89c3eb1e4acb450840a9af411d57f

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
128KB

MD5
f7f73e1b4354eabca31764f1dd8fb53d

SHA1
87973b3e6d8449d0a4eb5bc2b6364986d5e1c34b

SHA256
120677dd6d468e4334d0695bafc11c2f5ee661c8ab70863a65b66164da5fa9fa

SHA512
8cb380dc90e9403da657668ff5714ffc782ea6aa4ab61727b09027157f6dc2c87609a4ea816c8d5e9256241a9f60f89a5546b42a81fc996c73b56affd101c6e4

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
128KB

MD5
ee840e72d76b457a16e3f34a40f0ac6d

SHA1
564ac7a3cc96c9281654f0aa9e90e386a39075f2

SHA256
d1451ac47dc6b88ad2a78258356ecf00e3fcdf531e2e5d4d72fd62c5d620d380

SHA512
d884a611f4ec9968b17d3291b617e3299a1fcc639bc81779de23a87b70201674241f9814266a7c91ad01037420516ea5fe16677f337efbd0f5a5471b3ff07ee4

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
128KB

MD5
e2f798de5f949b2748c7f9b8d1dd79f3

SHA1
eaa0aa4e7b9388634777a7a1dcfb7afb7a08dd51

SHA256
1e8bf4b691c236c12a445dfc7495f5500e9d77106c11adcd5decdaa859bea058

SHA512
4f99277c850f17588c1f270cf745812c1f82d041dfcd1feab51746c831a116982d7e8cce0fd6dfe2bca6877b8373df5ea3f545711e3ac4229d6d1edc7170f8c3

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
128KB

MD5
6bf57e886432c343ce73a4e97cc0592b

SHA1
00fbcc8d83b62c7375e34832dcf8594dbe5aa350

SHA256
b17ff65d5f53613ae39f0ce61d62ecb158091b39211f6242b0f7cce18b90ae97

SHA512
a46772865baa318eb331d670cfeeeb7e1e07a884ad82d964129be53dd03db7fb6104da32f9942c4fef1441c1fdbd16df6a2b3c7c609974f47b3c077dfff3807a

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
128KB

MD5
418459ef9e15493aa6209116fe8e4b75

SHA1
f0a01260a61e6979f07a4a3778570cc42e8a67ef

SHA256
371dfa879226984c23c439e498480ee6d5189845e9f7e629f134053f03625d2e

SHA512
95489f8e468fe4e404febb56d6b734cb3483d72090e7852101cdb16bd843fc65bf73f65a155acd3ba964402a06d79fa113f3172198dccc718004b12ce7bb6394

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
128KB

MD5
2a9eb12338522b1d9dd5120d33a07e70

SHA1
7bd64fc94aa06f597f5e50d03f728ac3897eafc3

SHA256
3c23fd7755d5962f0ad6076324241e138bad17d7978f0020b7544f372a6cd171

SHA512
c5cae869330651c34e7ba7c79f03cc2e7d38a6b55712ed3593b092332696782658b71c70792b19f68911cda2aa9af95bf3fdecd7699c11fe8e0e1eea8c6fd098

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
128KB

MD5
96243e7afa69fab4ebf64f66df4e3835

SHA1
9125b0b40567f53c294e3f871a41c8f1c3f709c3

SHA256
f4367b179529b66117df4e47a0ff2a926e279b2b5227e8fee6352210d07f500f

SHA512
39e04216254428007cd544a59022e4a821cd5697772f87434fc35440ffaae9b05e228633ac257e31ca1b1f0a32a5a5fe27e8e26b45324ae9704a975cea793eb2

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
128KB

MD5
0b78fc564fa3e87c0e1bfcfe195ea94f

SHA1
31e3b1783c7695d342b1da500923266ed204b1fc

SHA256
b23e3b8b84a69fa85800a99498433e169a76889b7be1ed8151f69fe33b9ba12e

SHA512
a695a747234bd11dc2530393bf41a2eb4c5013cb7ff1c841c7cc136294099e9090711e4a42e7fbad3c9ffc9c30a1191cc8184a3945aa7b0d54d4baa78e0d2066

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
128KB

MD5
c2cd800cdf1539c11f72c25b38734c1b

SHA1
5a3b2959d854154b10397f2d00cb996be694d942

SHA256
1e5b7438797ff519a8b0bdc5fa1d17001363ae06aefb6cc489df6503324dc5a8

SHA512
30ff33af769a72f03ea1ef6bd75c3e1b33114495100a22507aa8b04bb7263735c17a32e8cce2e20b6a2a92ed849557f025fc47f5d50273b72e0cb2585eedc8e9

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
128KB

MD5
1e1b1df9f600a73eb6a915f46e58c5d6

SHA1
205d3b2c43b78f286bdbaa82483f15bae6f961b6

SHA256
19adc6098fcec89712f0b6353212d0880bb388700000e0f8234f1274a3464f3e

SHA512
ee038872b45ba6c6febdfde3cbd9c8c2987063de85578cddaa6a3d59281f448c87b8bb5f0504e409acff90aae2bf289e9f2f4c31dda1e7c0a3d1ddbf1f725c72

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
128KB

MD5
ee25e2393e415d5c9d81a4c58d3014cb

SHA1
894c6157295425c275e01bc600dc626cfb308c5d

SHA256
402a05de9c42ee0e40ee6de8b0bd77f70838563509a3e1ed1de9da20888048da

SHA512
a240a17e29f42174196d331c7b998764d8350914758f84d2f9f1c93925188c39fcbdcdbff915888c66be8a6616edfdae99e54f366dcdb363bb80f3d62ab366d2

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
128KB

MD5
13e1320812e1e01f868968913f9079fa

SHA1
fef0a69cb93785b3d3adfb8c16ff31f1bea1d9d2

SHA256
b58637c5ef9f63c884be576e97591c8210d41c148b62b6d59db8e19f1224ff94

SHA512
cd51cc0fc092ec6961d6ff9c68b6303ced5473c9849d02b63c369e397070fe3f534e37ceb19ebaecd6493a8ed13a8d6749a9b24d24a51f2acd1669f96ff4bee4

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
128KB

MD5
20a7be69793df373391c777a92c20162

SHA1
807514d15f1f09944d24213ec4f8f87601ffcae8

SHA256
6e451df0e8360ed06c953ca259626a2bd407450522d6a4ea2175ec8e643e1f38

SHA512
8c806867307bc32206e66faf7bceb4da1303e074a7a9a83202974077a6f3eb926cc1de1a9f98703ab48d4b8284437a3617a5b62365d35aaf48c7943eab45cae8

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
128KB

MD5
205037d07cf5a6fb5402b84db6f7c5c3

SHA1
be30f53e8ddb80b0d10b23373aafa526bf138166

SHA256
6d193393b6bf98aef4c12aeb1dfd4c5615a36e50679549ddc5e02a0f08d45471

SHA512
b7255a6db7defbef11675561e1ec53b8026588bd6c01ed5744cdfd09dcfb3941382067071cd6a06ed7ed4102514814111c5c864ff83bf5b6c967491ce5bd4200

Download Submit
C:\Windows\SysWOW64\Omccgkde.dll

Filesize
7KB

MD5
3050c478a446c9711e116826cc55d7ef

SHA1
bcacc8d1ab1de5c157cf8caefb5e6fda64e60a8b

SHA256
a95e4ee64d23a2d45bdf4bb24912f80f5271dfb64e107609b787313ac6802333

SHA512
d4abca878b0a5b8b0e1007bd3685534c0d01f1100b007d4a8994fd86db241363b27611855910feefac278586c01e1aeafc63a477f5d244eea6f6f1308ec1fa84

Download Submit
memory/224-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/320-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/680-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5676-1320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6016-1302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7064-1245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads