a62fbd0955fc37b49009cb2f76bade8ac9a015af9c5e7addcd22d333432bd0de

Analysis

max time kernel
139s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 21:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4012328538fa57ef47e0b18f1cd0f870_NeikiAnalytics.exe
Size

128KB
MD5

4012328538fa57ef47e0b18f1cd0f870
SHA1

bfc6996ffcd88119c65454652471c89d97591f77
SHA256

a62fbd0955fc37b49009cb2f76bade8ac9a015af9c5e7addcd22d333432bd0de
SHA512

8533c85c3e3f276bdc8138a79625bdef46fdab4e590d716e3edaed9659b4dbe6aee473fa1eb87bd3c5f2cf766bfb4f02a7ff74f1c9e18cce66bd8ec5651a0a11
SSDEEP

3072:qAD7I9+rcCLD6rmF2hidUqaHYJ2YvoDXr5EznYfzB9BSwW:qAIPCLNGR3DXr5YOzLc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eodlho32.exe

Executes dropped EXE 64 IoCs

pid	Process
4188	Ejbkehcg.exe
3244	Epmcab32.exe
8	Eckonn32.exe
996	Efikji32.exe
4916	Ehhgfdho.exe
208	Eoapbo32.exe
2660	Eflhoigi.exe
2488	Ehjdldfl.exe
2008	Eodlho32.exe
3232	Efneehef.exe
3964	Elhmablc.exe
5044	Eofinnkf.exe
4444	Efpajh32.exe
2904	Emjjgbjp.exe
5112	Eoifcnid.exe
3208	Fbgbpihg.exe
3044	Fmmfmbhn.exe
3012	Fcgoilpj.exe
3496	Ficgacna.exe
1588	Fqkocpod.exe
2416	Fbllkh32.exe
1016	Fmapha32.exe
3024	Fckhdk32.exe
2164	Ffjdqg32.exe
3140	Fihqmb32.exe
1672	Fmclmabe.exe
4996	Fcnejk32.exe
4032	Fflaff32.exe
4908	Fijmbb32.exe
3844	Fmficqpc.exe
400	Gjjjle32.exe
3920	Gqdbiofi.exe
3264	Gcbnejem.exe
1928	Gfqjafdq.exe
4548	Giofnacd.exe
1112	Gqfooodg.exe
752	Gcekkjcj.exe
4132	Gfcgge32.exe
4816	Giacca32.exe
2360	Gpklpkio.exe
4344	Gbjhlfhb.exe
3780	Gidphq32.exe
4488	Gqkhjn32.exe
3644	Gcidfi32.exe
3756	Gfhqbe32.exe
3940	Gjclbc32.exe
4392	Gameonno.exe
4584	Gppekj32.exe
2592	Hfjmgdlf.exe
2840	Hjfihc32.exe
5068	Hpbaqj32.exe
2548	Hbanme32.exe
4540	Hfljmdjc.exe
4544	Hikfip32.exe
2044	Hpenfjad.exe
4712	Hcqjfh32.exe
3356	Hfofbd32.exe
4472	Himcoo32.exe
4988	Hpgkkioa.exe
3004	Hfachc32.exe
376	Hippdo32.exe
3692	Hpihai32.exe
2720	Hbhdmd32.exe
1820	Hfcpncdk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Fihqmb32.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Efneehef.exe	Eodlho32.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Qngfmkdl.dll	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Fmmfmbhn.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Gcekkjcj.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Efpajh32.exe	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Klebid32.dll	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7160	6976	WerFault.exe	263

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofqcl32.dll"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmddeh32.dll"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgjkamf.dll"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmficqpc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 4188	3740	4012328538fa57ef47e0b18f1cd0f870_NeikiAnalytics.exe	82
PID 3740 wrote to memory of 4188	3740	4012328538fa57ef47e0b18f1cd0f870_NeikiAnalytics.exe	82
PID 3740 wrote to memory of 4188	3740	4012328538fa57ef47e0b18f1cd0f870_NeikiAnalytics.exe	82
PID 4188 wrote to memory of 3244	4188	Ejbkehcg.exe	83
PID 4188 wrote to memory of 3244	4188	Ejbkehcg.exe	83
PID 4188 wrote to memory of 3244	4188	Ejbkehcg.exe	83
PID 3244 wrote to memory of 8	3244	Epmcab32.exe	84
PID 3244 wrote to memory of 8	3244	Epmcab32.exe	84
PID 3244 wrote to memory of 8	3244	Epmcab32.exe	84
PID 8 wrote to memory of 996	8	Eckonn32.exe	85
PID 8 wrote to memory of 996	8	Eckonn32.exe	85
PID 8 wrote to memory of 996	8	Eckonn32.exe	85
PID 996 wrote to memory of 4916	996	Efikji32.exe	86
PID 996 wrote to memory of 4916	996	Efikji32.exe	86
PID 996 wrote to memory of 4916	996	Efikji32.exe	86
PID 4916 wrote to memory of 208	4916	Ehhgfdho.exe	87
PID 4916 wrote to memory of 208	4916	Ehhgfdho.exe	87
PID 4916 wrote to memory of 208	4916	Ehhgfdho.exe	87
PID 208 wrote to memory of 2660	208	Eoapbo32.exe	88
PID 208 wrote to memory of 2660	208	Eoapbo32.exe	88
PID 208 wrote to memory of 2660	208	Eoapbo32.exe	88
PID 2660 wrote to memory of 2488	2660	Eflhoigi.exe	89
PID 2660 wrote to memory of 2488	2660	Eflhoigi.exe	89
PID 2660 wrote to memory of 2488	2660	Eflhoigi.exe	89
PID 2488 wrote to memory of 2008	2488	Ehjdldfl.exe	90
PID 2488 wrote to memory of 2008	2488	Ehjdldfl.exe	90
PID 2488 wrote to memory of 2008	2488	Ehjdldfl.exe	90
PID 2008 wrote to memory of 3232	2008	Eodlho32.exe	91
PID 2008 wrote to memory of 3232	2008	Eodlho32.exe	91
PID 2008 wrote to memory of 3232	2008	Eodlho32.exe	91
PID 3232 wrote to memory of 3964	3232	Efneehef.exe	92
PID 3232 wrote to memory of 3964	3232	Efneehef.exe	92
PID 3232 wrote to memory of 3964	3232	Efneehef.exe	92
PID 3964 wrote to memory of 5044	3964	Elhmablc.exe	93
PID 3964 wrote to memory of 5044	3964	Elhmablc.exe	93
PID 3964 wrote to memory of 5044	3964	Elhmablc.exe	93
PID 5044 wrote to memory of 4444	5044	Eofinnkf.exe	94
PID 5044 wrote to memory of 4444	5044	Eofinnkf.exe	94
PID 5044 wrote to memory of 4444	5044	Eofinnkf.exe	94
PID 4444 wrote to memory of 2904	4444	Efpajh32.exe	95
PID 4444 wrote to memory of 2904	4444	Efpajh32.exe	95
PID 4444 wrote to memory of 2904	4444	Efpajh32.exe	95
PID 2904 wrote to memory of 5112	2904	Emjjgbjp.exe	96
PID 2904 wrote to memory of 5112	2904	Emjjgbjp.exe	96
PID 2904 wrote to memory of 5112	2904	Emjjgbjp.exe	96
PID 5112 wrote to memory of 3208	5112	Eoifcnid.exe	97
PID 5112 wrote to memory of 3208	5112	Eoifcnid.exe	97
PID 5112 wrote to memory of 3208	5112	Eoifcnid.exe	97
PID 3208 wrote to memory of 3044	3208	Fbgbpihg.exe	99
PID 3208 wrote to memory of 3044	3208	Fbgbpihg.exe	99
PID 3208 wrote to memory of 3044	3208	Fbgbpihg.exe	99
PID 3044 wrote to memory of 3012	3044	Fmmfmbhn.exe	100
PID 3044 wrote to memory of 3012	3044	Fmmfmbhn.exe	100
PID 3044 wrote to memory of 3012	3044	Fmmfmbhn.exe	100
PID 3012 wrote to memory of 3496	3012	Fcgoilpj.exe	101
PID 3012 wrote to memory of 3496	3012	Fcgoilpj.exe	101
PID 3012 wrote to memory of 3496	3012	Fcgoilpj.exe	101
PID 3496 wrote to memory of 1588	3496	Ficgacna.exe	103
PID 3496 wrote to memory of 1588	3496	Ficgacna.exe	103
PID 3496 wrote to memory of 1588	3496	Ficgacna.exe	103
PID 1588 wrote to memory of 2416	1588	Fqkocpod.exe	104
PID 1588 wrote to memory of 2416	1588	Fqkocpod.exe	104
PID 1588 wrote to memory of 2416	1588	Fqkocpod.exe	104
PID 2416 wrote to memory of 1016	2416	Fbllkh32.exe	105

C:\Users\Admin\AppData\Local\Temp\4012328538fa57ef47e0b18f1cd0f870_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4012328538fa57ef47e0b18f1cd0f870_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Windows\SysWOW64\Ejbkehcg.exe
  C:\Windows\system32\Ejbkehcg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\Epmcab32.exe
    C:\Windows\system32\Epmcab32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\SysWOW64\Eckonn32.exe
      C:\Windows\system32\Eckonn32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:996
      - C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        30⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4312
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        34⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        35⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        39⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        41⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        42⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        45⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        49⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        54⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        59⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        61⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        62⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2776
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        70⤵
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        71⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        72⤵
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        73⤵
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        74⤵
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4380
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        79⤵
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        80⤵
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        81⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        82⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        83⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        85⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        86⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        87⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        88⤵
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        89⤵
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        90⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        91⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        95⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        96⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        97⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        98⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        99⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        100⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        102⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        104⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        107⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        111⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:660
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        116⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        118⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        122⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        124⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        125⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        126⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        129⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        133⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        135⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        137⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        140⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        141⤵
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6240
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        143⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        146⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        147⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        148⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        149⤵
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        150⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        153⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        154⤵
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        155⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6904
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        159⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        160⤵
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7068
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        162⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        163⤵
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6176
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        166⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        167⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        169⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6724
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        173⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6880
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6928
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        176⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 412
        177⤵
        Program crash
        
        PID:7160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6976 -ip 6976
1⤵
PID:7116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eckonn32.exe

Filesize
128KB

MD5
8bd0746d3bf8943f34464116c405ac6e

SHA1
15d1206361d01dbf4580969f43f5fb2808a7516e

SHA256
37031a0c012c38bf8a174ac80e5ecbb4092ae9a38f98f0b85e77ea55b5310358

SHA512
2d0c92f0f754f934622a56b2ee3f6d0acb6d9d1f5ccb965910aef8e609c31bc50800ab7505747656beaaa1b5503f534dff73d623e4606eff8884c5886d519fbd

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
128KB

MD5
ab4fb0464cfe7a374750563007225e58

SHA1
2174ab6f9abec5f2145dcbb2fe9edf023c88c028

SHA256
c9a0cb496f0cf7a96f51a5d60b3a618989150e03c9e6212786d9a100f1f78827

SHA512
c501d9ad2ad2eccb1cb15f40514cd6366774573504bf6e2b80ec04bec9c7faa74a98bdc04704320422109b8140cc04e9aaf2a97104025fd0867dd7e9292712d6

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
128KB

MD5
b556f4c027c0e5210cf6d58a106ed8e6

SHA1
a2ecc98449936ffc930bac5cfdc73d2dd6663da2

SHA256
4c4d17f033dbba8706d095c916e7b320df49b18f52cc711bae4eed1995c5996e

SHA512
2d3d5bdcbef614c9925ed0b1886ed60fe0a3cb4712955baeefe3bca9729100c4724f8729c3a56027414f25e4fbd26f2dab61a2ffee5ba2c736fa61cdbf76136c

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
128KB

MD5
8926940a357832a47163341c6a5bbdb9

SHA1
0b512874341f13997a3d1059d4a75ac2f4946c5b

SHA256
a4839f7b4749f36940ccdbe10cccf4067be53b483ce954e90697745d7e6704fb

SHA512
561249ed6e2e1ac7ed49be8fffade52d98c232336ae01ca04ac328dc5214a61b9d6d2145bd45a251410d9ae434518fdc0b8bc3e9b0fa6d5d2cb28b91936562b5

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
128KB

MD5
77c391134eecca47a8d9b5a8e5b34f6b

SHA1
2bf69c1266ade4b29618da11b0b15af6ba8a711e

SHA256
71728c4b1c91a4e069cf0c5a0228a1dd365d9363129a2b97a66b92c81dfd7b82

SHA512
1f53e594af88ee0bbd7f0af4d56aab2f2ad96eeaeec4d736cdfd4db5ad48c142790f145a2b3d3087882439f3fd75efeec203fb715953544e92444765654b4ed3

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
128KB

MD5
068cd1dd47bd2d2eb9d3edded89304f2

SHA1
e83951508f8e1548695367b2277e5c10668190e3

SHA256
e1dcc8accad4471dc87c4d1f11c49bf125d164564fcd92d126c6eed1f7e8dd9b

SHA512
63b6ca904f0be6278fce5218f3f61086ae74e2557e6e22eef4182d1acdc3dcb1e65555297e85b654157a6e9fefb35653258207dff98763f484f98d0157438787

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
128KB

MD5
96cdd57bd991c2d1f2fe324a8c6dea1d

SHA1
52bb61f5b49c6459c2fe5e1d2d29a05beca44add

SHA256
6f9adfa4307c199f988025a933259058a5b86f4941bec2cc21b6c1074989ba5f

SHA512
443b3903b66419aafbe4339840ee0336478bde89e0ebf089ee5ef4651c9ee1ddea05d4fce0832229a1a1cd9ca13d5742c6641a02309c3fa4b42d8b69168903b9

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
128KB

MD5
9bbd1776caea94a1d8ce71976ebf138e

SHA1
342008761ba6efc98005cd38b82a7cfe188490b9

SHA256
13a8c3b7e881ab568d33a22f64197a5188cce2d9706215646b5cfdc40e9d16a0

SHA512
8e63218fa7f980237ef31050dc8e6bf545d5cbac3695ab60f022ce9d027107f55a6f63425293409443967432ee9024e7da0912a2cff09f31e19319c712202b6f

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
128KB

MD5
42bad361a1f273654393a521bb75b626

SHA1
0db25200b10350c54b8c8558c10c626af8480ead

SHA256
a89e0b477e3903f7b5de148660c05728dee7f67d85f854e0323a5d5fd9eceb27

SHA512
f5b71d5afa8ab7c70350795f9c2ca7c7ace3c4f4ac043daa1673384d6903008a26a7ae46705b7e7ee3c70ad62ab3efcebf94d81d072375340cc8991764757e9a

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
128KB

MD5
99b545e9b80e6b29deed7b0ba99e51a7

SHA1
72cc0c24964d2465fe00c46b7d8494ea0bed855c

SHA256
802f35e65f19a321a3f28d393340a282e8752009ed0f34c399f645d474672f06

SHA512
d2601471821500ae4e160e459e0ae3a2f752820d1d0dba2f5e59f6c449c8dc7516a75d3cfc31d6c91f320ba87089ff105041189f4bdc12503c34d1691eefd46f

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
128KB

MD5
f7b6cfe62554e413e2780693a11d3b77

SHA1
8410d438cf535c0f438308a9d8b6d713e3b745cf

SHA256
720c361b5bd2d32ee4ae9a88a3ef2d1758564ad60c82d490227087baa8c14f46

SHA512
b52bae579e4c61fb3b489d60a59b370df9628d9051b0925fdbbaedefcb9943bec08970872308cced3d55d12610b70171f9b364a79287cdec8aa7149385cddb77

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
128KB

MD5
0a9961974cb3610d6438ca112315be1f

SHA1
9ebe3cab3894e6ec1327e006703b53efbed76ea7

SHA256
8cf14b6e8981456142cca17e7efeb55ecd836bd950ef46f59218ef7c6bb663f8

SHA512
231cb6d45b2c4bde8b0f654fb19004ef526e0be8d8c0c282184fece0c79dd2d8261f6a8939a219fb32cf97b15f3937aa1ad1d85bb62734fd6351ff3c82eefcc5

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
128KB

MD5
8cde1a17d99edc88dd329a01284d0382

SHA1
01412e1a5f37fe9d11f9b6381b075a35659cdcc4

SHA256
f234d587cc1e1d41e978cdc8fbd991450d5a6432847843850c3f73337b6b362e

SHA512
81a1aafa134aa33607c0b532065dee0aa418cb2fafceae3389bd97611703c12ecc26c5d91781d2344c4526e2ff23d66cedb3113d06bd78d9b5c0b86b0928ef8b

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
128KB

MD5
18849a78036a3fa8326ddde96ddfccb4

SHA1
1f1b7fc47b39ea5ce99ff02e32fdad7b4c9fbdbe

SHA256
bff0f735966a3021521758fa68e6f60307713c293c2667aad5fd8435615b0289

SHA512
f9f1b7006be02aa84dc47743a3653d8a576b0c25edbce1a360f5cd11bfc208ad6c960126e019b41a8b0e4322b21269160b3cc1e55df71368dac6ec36e6cb3651

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
128KB

MD5
6639397c0bffe9d132161823f23e7e0b

SHA1
552b82475ad0353ea0994e1f18870a6f8826e932

SHA256
4ec14ecbd6f9cfa0bdb410c3dba97572df3f22b69414698a2462b5ba9dd4399f

SHA512
2ba6d5369edd7c8f8995a2fe2d71bcb1c41c6b37ea8a6ea90dfd4dec63515b40795ca837f22e1678d45c630ce3a17712b84cc7bef6d27c6404d20f0eb6e9b832

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
128KB

MD5
b96f96814a6d62175539caa2e36235aa

SHA1
510bfd078cd827b067be130bbc2b4e98a8427bc6

SHA256
6d37271f9573592d203c7daf75038f38cf952fe4b72735a040f813b3d8875e5f

SHA512
eb4f8b873b96113142f885579ce34a25bfa6d18ff46931c7db5fc154a9fcaab808142ccbb5cf440eb4aef7897b6ecd0c96fa371f674721ea51df9d04234da6ec

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
128KB

MD5
183918865e2393abc4d5038573ac286e

SHA1
48e1aff3d176e284dfe3d0d62bd3d8bf63add687

SHA256
22e18c50145feabd6108c39f7488851c083c155f0cc91f24b21b701f496fc1b0

SHA512
06cc7ad2b8edce71005cd4f683721f69c0585c3c9fed87c3c07b2a6067e28b0809125b9cc62cc1196f3b77653e52ce971e4c9b71460cba928e032ef21b2d6262

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
128KB

MD5
953418a4df3c83f38baddb3f86dd5001

SHA1
ed797bfea40a7713a1e26a1df13a201f63235587

SHA256
2d9e087e4619616c6462d3b75b6c584559eb48e9f26406d63db82eb6afce320a

SHA512
9fb7fcf02b42713b592a9fe86ec3fa0fd1648729274e0e72d624ca470e5e4c620fd6ca1dd82dfc9ce11a9e7ff213f840bdfbc053ad73a9de6e25ef0c65bc0e41

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
128KB

MD5
1e7a150ed35f3e81692bcecba38c4c65

SHA1
90a07c1ce8c75590297830b0b162234cf5063fb5

SHA256
d302baeaaed0b7d9da03cf52679b097ec9d9ce464a3938fbbc13a506b203fec6

SHA512
18b8ae52f6a6d86ad833cbca7059cde75ee67f31cfc489df5e0ba51d03c13b75459ba6c7819a6b2b7a50c6df124100100a77ff4c5c7abcce5897b22633243bb2

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
128KB

MD5
4125915d543ecad19a150035a74e20f9

SHA1
90b3536a9e1025134fab49574e69cd31af596838

SHA256
f4de37b37de64a5b44f63bde104fb0d1ee450d452662fb745c9c61f97387fb75

SHA512
5360dcc5beffd985c7720d3e8ad6af2f54c469c42f401c5bce4385aa950b3a22dc18fb25ce80426f532c4e85c4c2a6a97dbb989a753b5a1bf2fe85a1d9bd2dba

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
128KB

MD5
1bc59c9d020049d2e1ad5c15f95230aa

SHA1
fc7f32580c46ff06c28feaeffab8f111722c671c

SHA256
a6e411d94fe05f3970ef925ef62e3b5ec92698f99d973f496f3c16798d1976c6

SHA512
cff606902da9e5a9bbc9c17999eadbb2086728b36986e928d9eae77946e70a3b36945843e853874a67599cc00b24528723996b55fea3c98f8774b36c69713462

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
128KB

MD5
bec53d79b6560184d429003c5ed3ec24

SHA1
dd7d400e41b0f3e3af3f8d67c7ff4baa12075ed5

SHA256
6718685f2d1232b34819d89e20db9450abd375adbe9383ba772cd70985e3bf25

SHA512
aea20d91b4927bc97f261039c522148871e0a1450e820ff1495ae58242ff737670c7b38b44ffb9e396b15cc09105533fc3b45650f65705b547c8258c07b407c5

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
128KB

MD5
72e2aa783fbdb400ae3ac7a241a1b224

SHA1
8bed07b133faf1c230f67f4ca01c671fbe1f9d8d

SHA256
0139a6dad4da9d1ef9c0b8ce7a2ad5deb4280010878d511c87b553f73ad5e440

SHA512
5cc3a7b0e8d4f015d299062c587b43d572c66824c3d9fe17fe70f514cb0d91345f392663ba58eff3fa23a87be3e3719746338e53052fb6d14fff1c6704f03564

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
128KB

MD5
b56d8ca0d489cbf2418949874e9c6943

SHA1
8369aba5eec385d395341c1422035879914e5239

SHA256
50f6920671590810f86bee4cac86405d0780f18c8bc0f5d18bbdea7c6bbedd73

SHA512
2cc7ec994979dceac8fecbdaa4b987d03dab8fcb90620974ec79fb99665c1189473596fd3daedb1726f3b1eeda4627a5ac509778dfd4d1ccdbbf6fef3fa9f8d4

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
128KB

MD5
f15e7bc0e2b37c7518c5e938137e8c5c

SHA1
9e45e5af31b2e844eb781129f22f3c986677690e

SHA256
a90d249b0d8f00be0f0faf2f2576c09cc51a4585f2c0124a4110d3619f2c0de7

SHA512
81933abee0ec8abf9f9cdf36248912930aac4044774f9c9f557c950511dd80e1f06d046816bf4b027efb3bce8a6bad6b005244fc10136c3f6714dcd1dfa62a0a

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
128KB

MD5
eb297ba188670f5117f9995ccc29c3c5

SHA1
d12d4a09dcbc7bcebca0ce4a25b732ce70f6a658

SHA256
93b93b282ff6f6835c072ce6fb2eedf8cf2d93737245c0044baced8faf75de0d

SHA512
72a247c166317c150f29c0878bd9735921c29a35ab5bc82c42283a359e5505bff61efca9eb1729398d56fdaf55e3b5c28eee8da9b467f7d0e9f07ee66f055553

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
128KB

MD5
e61fe6cda7e6e15f9084da60050a0ed5

SHA1
b08e8c2f2e4c2894a9507496f992ffe95e6992b1

SHA256
b4688a72a8e7d74a786db29f5c1d4207552d67f5c5b605170b90162a63629f32

SHA512
0cc035e4f30f589e37976016344e072e93eda8850d08c3923d0dc4dac4e1e0792fc9679e1165542a470010904c4bfd22415547fed5c26c208e468c743a02ccbf

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
128KB

MD5
0a08987c0a610a20c62401731c3a8064

SHA1
1f180caf855adf7b32a513d9a346aad8f7a1961e

SHA256
837f20ed77e5a0aa834d4c8058f096c58dfc59d4e5a58ad3417842505cc7d323

SHA512
267d578bb36bab1ab9f18ad227c2281ddcaff35b8103ed6bd015fc3f953996d5b6d4651424d87473051aff6f03154df7926afa4cfe379a6d0b5c8bdf46d2d67b

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
128KB

MD5
306f771b9af233a427e19ac74fee445d

SHA1
f0ca734d261876db058985bd1be4b8702d274890

SHA256
d215e02af78c7d6abfb6a5580fb680cf131aabebc0ef02c066c25c4c213562f9

SHA512
c078097665c90226a1d4037cc2bbb693668fb2314e43d035fadb704aef8a36d56e4a87c4b9d747b1653dca1ad369822aecdb46e1294e85526cfaef57215b64dc

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
128KB

MD5
03dc5b5aad77b0736b262e293ebe97f0

SHA1
0819b08bea93476f9c29ad7c1b572c97b1304b26

SHA256
574c5501233b0dd731b68db7ea2e05a6a780941fb105466a9d8ac9cce378b4d1

SHA512
4b1f72b1cb3b5dcc9ab16aac6314d66fb4ec979dd40bddef3b8cad83fd39b64751bcec1907c3cba2cd10e115cc1e3ebedf5543cff042db170134f8d737812bf3

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
128KB

MD5
b3d76730805ba75662a6af0fd1025e3b

SHA1
b0dacbc1b6429c88cbcdf84b34df6d56939d37e7

SHA256
8c48cfd6dceb9e490bff06ec3b9cef30a82312bd5c3448c8c3c88b81031eff72

SHA512
f87c0f6210a137370b089ee26877bc8136a742660d6f22021a421635502aa9e74ab536e61c8691ab0d80af25691957abd5552aeee456e1a95666eac2f2bc3332

Download Submit
C:\Windows\SysWOW64\Gagaaq32.dll

Filesize
7KB

MD5
01a4034e2940d4349a03bce40bd0e1dc

SHA1
a74fb7ea5d59a08840bf69dcd194a2291da99a52

SHA256
e9f16e2462803b60ec3087b20559b655bcb53af10e55eaa8e5eee03e8c9c7e95

SHA512
35eaaf85915e79f4f9eecbb723f044a4003a994ef9dfc2b0b93dc1abc228c0caf12928f5ec4e728005f901e6a8f70f09624c9e881de2278ecb1a9ced10e1facb

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
128KB

MD5
a282f263329491c2e076d96c1f7f3fa0

SHA1
239f7c0f2d9d26c0cf4ccf60136070f3ee7e2ad6

SHA256
d5011023881447f7fd37ad8c58a88624e6520fe3f45d1b7b0faa319100359576

SHA512
1c43551b58fca8fcb8ad011dce79086c815987cfa749df157dd874489615e8a5a96c8c03d8660dd0c138784e16869b9564ec89e190c523872f7aeb28ac4bbc4b

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
128KB

MD5
5ba8fd211bad5e02a5772484873bd7ee

SHA1
fdb92397e108a24dc02189d07403784bb7746da1

SHA256
500cbd27c6842e407285f38cbfe7c5fc67fb3a1cb921e19f8b18065007632ca5

SHA512
3dfc2af0454c5f74540e2c5b534b3b7c02a4170bd4e35b02179216b672c85879f5b12a77961d2cf0a127a9c1c9c0f6a84e4d62764ac115a1e3ac2dd76e917b35

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
128KB

MD5
b31b4929005edc6181ddb892b1004f49

SHA1
616ecd2bd250fc6776834149a654f5d7ed7c7576

SHA256
3eb58e31cfdf7ac2be5f6398db85cef9064cd70f462b327210aca1bd6bf18d66

SHA512
c2283f3b0ced5e0b7446ba1cf0922abf3ac0a36de41feb5c8c3f8bbcdd1aaf196b67cc10b8bbbefe93690e523238fc65db9b2920bb4e5903760cdf5b58022b18

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
128KB

MD5
afed4197a6eb11ab17c89bd4acd6a3cf

SHA1
50e9474581a5f1d58c88c62e7df217e04c05435f

SHA256
0d1cd4c523f82e187438494770d5fc62bf8eb93ce0c492d32c9cb4235c6ad4b4

SHA512
16a10ee75e63414774419b0c120b70f5591050864f55d50fc4997829dc46de7b5060bc75a861d89dbd829b3e66b403143cec2887a96a89823b40ed312cf2c3ad

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
128KB

MD5
337072396bd8e222f6392007e9cca6ea

SHA1
5da3b48d3d0a38ce725325efa159c830088e6c53

SHA256
84967e8ed1538d6dfbd14b272fd1a9eea01df7743ef88524d76dcba73bad1db9

SHA512
526c7affbfecc344de4d8ba09abfdc0d855e1891b6f6a84a44fc160c3511c538f5d1dc2597e4bacab8be97852aa5d97054e0c43d42f85db81514c44a89eb6eeb

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
128KB

MD5
abfbaec264f8df4fdc59cf9c601b478b

SHA1
cd95e508850ea21c157f8b07fc057189920ed421

SHA256
fe8237fc8c2bcd4095fa28034aa47fe43d5acb6d9afc713ea588085c4dfb6ba7

SHA512
9a98e0d9c84a0fad9ef6fcd700550773240ea7f7b6af5908207dbf82a8b2d70cfaac864a8bce56a7b2bbce51c6f10decc8474d2d1dbd2395bc664200699dd1cd

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
128KB

MD5
157294dc029a9f12de7234751d0c83a9

SHA1
7bbfaa86fdc29fcc9e3331df232d7dc0a987ccbc

SHA256
9abec8de37e29865da53752e87f823610747a11075120176f47c85c47d8e105e

SHA512
df4d4985c1d3ab1261405604f42a1ba51c7f2681b228b715cf9e4aadf38275bb639b407df7f7999f8d9c80872a6b7259410e81fff6ecede9085e9d45d025f2fc

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
128KB

MD5
f43f710e3d1f3f939e35d536f8b25e99

SHA1
d5b9e73ff836238cfdd50b66b5b56a09d7595e7f

SHA256
6c4d719427292c0160cad68cea9ad698d170d91adebd11c1637ccd6c9eead935

SHA512
1f35cd1cf7396fbb6a3b28a6167a9d1a7d3173387c73a8f9c6a596259aedb96ac1b3b57fa98d5c0acd22c6fe0b4e199d41f87131871f5da407c5fcc920f51b38

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
128KB

MD5
7095d8967bbb5d0bb233c4d7daa68f61

SHA1
9a52a6e1d32d1f9ec3783e5467a0286811c47348

SHA256
afff01753878b516e774d3281c35aead3ccd598409c6f7e48acc9dfd01df0bd5

SHA512
71f427770f4114b77b2a2fcb89bb2b87b0608f5db0fb292c424e89aae219f8d7a61f4bbe86c4ac8f5782776b94d073938ebe584f52d78b74aa1bbe052124d06c

Download Submit
memory/8-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/208-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/208-603-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/376-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/400-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/752-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/852-533-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/996-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/996-584-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1016-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1052-578-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1112-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1204-596-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1588-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1672-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1820-449-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1912-589-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1928-269-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2008-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2044-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2164-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2208-547-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2320-527-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2344-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2488-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2548-381-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2572-509-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2592-363-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2660-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-473-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-443-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2776-461-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2840-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2904-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3004-429-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3012-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3024-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3044-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3140-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3208-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3232-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3244-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3244-574-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3264-263-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3356-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3444-499-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3496-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3644-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3656-489-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3692-437-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3740-557-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3740-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3756-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3780-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3844-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3920-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3940-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3964-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4032-231-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4132-293-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4148-480-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4188-564-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4188-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4236-496-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4256-459-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4312-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4344-311-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4352-525-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4380-507-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4392-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4408-515-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4444-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4472-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4540-387-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4544-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4548-275-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4584-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4612-469-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4712-405-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4736-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4816-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4840-565-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4872-576-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4908-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4916-591-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4916-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4988-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4996-221-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5044-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5068-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5096-539-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5112-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5148-604-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads