26019e410d7f4f99bcbb250f8ca134d65f53a4fc2656b3a65af463c4a88f1a52

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

546aee7652643852d7bddeb9a1d79750_NeikiAnalytics.exe
Size

336KB
MD5

546aee7652643852d7bddeb9a1d79750
SHA1

ae57b5ae8bad0758ccdb6b9ec90f6ade77d82a7a
SHA256

26019e410d7f4f99bcbb250f8ca134d65f53a4fc2656b3a65af463c4a88f1a52
SHA512

adf49e6646f30bca409f71b09dc6f39a15d4db7d518d0c71c965624bb6732cc72d3550d37a98975a77190ffa4bd1931c0e121b24e3a12b0ff0f24efd2ee3c1f8
SSDEEP

6144:OQ6goPe6le3w7aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOE:v6FPe6P7aOlxzr3cOK3Taj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eleplc32.exe

Executes dropped EXE 64 IoCs

pid	Process
4504	Dchbhn32.exe
1836	Efgodj32.exe
3512	Eckonn32.exe
3404	Ehhgfdho.exe
2876	Ecmlcmhe.exe
4320	Ebploj32.exe
2760	Ehjdldfl.exe
5428	Eleplc32.exe
2092	Eodlho32.exe
5032	Elhmablc.exe
4064	Efpajh32.exe
4468	Eqfeha32.exe
5220	Fbgbpihg.exe
404	Fqhbmqqg.exe
4548	Fcgoilpj.exe
2868	Ficgacna.exe
5604	Fqkocpod.exe
5532	Fjcclf32.exe
5416	Fmapha32.exe
3688	Fckhdk32.exe
5600	Fihqmb32.exe
4844	Fbqefhpm.exe
5700	Fmficqpc.exe
3292	Fodeolof.exe
5648	Gimjhafg.exe
3120	Gqdbiofi.exe
1456	Gjlfbd32.exe
2076	Gqfooodg.exe
4940	Gfcgge32.exe
2152	Gcggpj32.exe
1632	Gjapmdid.exe
5852	Gmoliohh.exe
2420	Gcidfi32.exe
4804	Gfhqbe32.exe
3016	Gifmnpnl.exe
4580	Gppekj32.exe
5192	Hboagf32.exe
1176	Hjfihc32.exe
5692	Hapaemll.exe
724	Hcnnaikp.exe
732	Hfljmdjc.exe
5436	Hmfbjnbp.exe
1092	Hpenfjad.exe
1932	Hbckbepg.exe
3028	Hfofbd32.exe
2952	Hmioonpn.exe
1956	Hpgkkioa.exe
1776	Hbeghene.exe
4924	Hjmoibog.exe
1320	Haggelfd.exe
408	Hcedaheh.exe
4376	Hfcpncdk.exe
2824	Hjolnb32.exe
4288	Hmmhjm32.exe
3348	Icgqggce.exe
4420	Iffmccbi.exe
3908	Iidipnal.exe
3156	Iakaql32.exe
4224	Icjmmg32.exe
1576	Ifhiib32.exe
6088	Iiffen32.exe
1036	Iannfk32.exe
3508	Ibojncfj.exe
3168	Ijfboafl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fbqefhpm.exe	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ehjdldfl.exe	Ebploj32.exe
File created	C:\Windows\SysWOW64\Gimjhafg.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Eodlho32.exe	Eleplc32.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Eoodnhmi.dll	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Bademghm.dll	Ficgacna.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Elhmablc.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Fcgoilpj.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Fcgoilpj.exe	Fqhbmqqg.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ecmlcmhe.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Lcnodhch.dll	Iidipnal.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Fodeolof.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Jpgdbg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6752	6664	WerFault.exe	242

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll"	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkakml32.dll"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	546aee7652643852d7bddeb9a1d79750_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	546aee7652643852d7bddeb9a1d79750_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcepmcb.dll"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfqf32.dll"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 4504	2856	546aee7652643852d7bddeb9a1d79750_NeikiAnalytics.exe	82
PID 2856 wrote to memory of 4504	2856	546aee7652643852d7bddeb9a1d79750_NeikiAnalytics.exe	82
PID 2856 wrote to memory of 4504	2856	546aee7652643852d7bddeb9a1d79750_NeikiAnalytics.exe	82
PID 4504 wrote to memory of 1836	4504	Dchbhn32.exe	83
PID 4504 wrote to memory of 1836	4504	Dchbhn32.exe	83
PID 4504 wrote to memory of 1836	4504	Dchbhn32.exe	83
PID 1836 wrote to memory of 3512	1836	Efgodj32.exe	84
PID 1836 wrote to memory of 3512	1836	Efgodj32.exe	84
PID 1836 wrote to memory of 3512	1836	Efgodj32.exe	84
PID 3512 wrote to memory of 3404	3512	Eckonn32.exe	85
PID 3512 wrote to memory of 3404	3512	Eckonn32.exe	85
PID 3512 wrote to memory of 3404	3512	Eckonn32.exe	85
PID 3404 wrote to memory of 2876	3404	Ehhgfdho.exe	86
PID 3404 wrote to memory of 2876	3404	Ehhgfdho.exe	86
PID 3404 wrote to memory of 2876	3404	Ehhgfdho.exe	86
PID 2876 wrote to memory of 4320	2876	Ecmlcmhe.exe	87
PID 2876 wrote to memory of 4320	2876	Ecmlcmhe.exe	87
PID 2876 wrote to memory of 4320	2876	Ecmlcmhe.exe	87
PID 4320 wrote to memory of 2760	4320	Ebploj32.exe	88
PID 4320 wrote to memory of 2760	4320	Ebploj32.exe	88
PID 4320 wrote to memory of 2760	4320	Ebploj32.exe	88
PID 2760 wrote to memory of 5428	2760	Ehjdldfl.exe	89
PID 2760 wrote to memory of 5428	2760	Ehjdldfl.exe	89
PID 2760 wrote to memory of 5428	2760	Ehjdldfl.exe	89
PID 5428 wrote to memory of 2092	5428	Eleplc32.exe	90
PID 5428 wrote to memory of 2092	5428	Eleplc32.exe	90
PID 5428 wrote to memory of 2092	5428	Eleplc32.exe	90
PID 2092 wrote to memory of 5032	2092	Eodlho32.exe	91
PID 2092 wrote to memory of 5032	2092	Eodlho32.exe	91
PID 2092 wrote to memory of 5032	2092	Eodlho32.exe	91
PID 5032 wrote to memory of 4064	5032	Elhmablc.exe	93
PID 5032 wrote to memory of 4064	5032	Elhmablc.exe	93
PID 5032 wrote to memory of 4064	5032	Elhmablc.exe	93
PID 4064 wrote to memory of 4468	4064	Efpajh32.exe	94
PID 4064 wrote to memory of 4468	4064	Efpajh32.exe	94
PID 4064 wrote to memory of 4468	4064	Efpajh32.exe	94
PID 4468 wrote to memory of 5220	4468	Eqfeha32.exe	95
PID 4468 wrote to memory of 5220	4468	Eqfeha32.exe	95
PID 4468 wrote to memory of 5220	4468	Eqfeha32.exe	95
PID 5220 wrote to memory of 404	5220	Fbgbpihg.exe	97
PID 5220 wrote to memory of 404	5220	Fbgbpihg.exe	97
PID 5220 wrote to memory of 404	5220	Fbgbpihg.exe	97
PID 404 wrote to memory of 4548	404	Fqhbmqqg.exe	98
PID 404 wrote to memory of 4548	404	Fqhbmqqg.exe	98
PID 404 wrote to memory of 4548	404	Fqhbmqqg.exe	98
PID 4548 wrote to memory of 2868	4548	Fcgoilpj.exe	99
PID 4548 wrote to memory of 2868	4548	Fcgoilpj.exe	99
PID 4548 wrote to memory of 2868	4548	Fcgoilpj.exe	99
PID 2868 wrote to memory of 5604	2868	Ficgacna.exe	100
PID 2868 wrote to memory of 5604	2868	Ficgacna.exe	100
PID 2868 wrote to memory of 5604	2868	Ficgacna.exe	100
PID 5604 wrote to memory of 5532	5604	Fqkocpod.exe	102
PID 5604 wrote to memory of 5532	5604	Fqkocpod.exe	102
PID 5604 wrote to memory of 5532	5604	Fqkocpod.exe	102
PID 5532 wrote to memory of 5416	5532	Fjcclf32.exe	103
PID 5532 wrote to memory of 5416	5532	Fjcclf32.exe	103
PID 5532 wrote to memory of 5416	5532	Fjcclf32.exe	103
PID 5416 wrote to memory of 3688	5416	Fmapha32.exe	104
PID 5416 wrote to memory of 3688	5416	Fmapha32.exe	104
PID 5416 wrote to memory of 3688	5416	Fmapha32.exe	104
PID 3688 wrote to memory of 5600	3688	Fckhdk32.exe	105
PID 3688 wrote to memory of 5600	3688	Fckhdk32.exe	105
PID 3688 wrote to memory of 5600	3688	Fckhdk32.exe	105
PID 5600 wrote to memory of 4844	5600	Fihqmb32.exe	106

C:\Users\Admin\AppData\Local\Temp\546aee7652643852d7bddeb9a1d79750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\546aee7652643852d7bddeb9a1d79750_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Dchbhn32.exe
  C:\Windows\system32\Dchbhn32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\Efgodj32.exe
    C:\Windows\system32\Efgodj32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\SysWOW64\Eckonn32.exe
      C:\Windows\system32\Eckonn32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3404
      - C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5428
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5220
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5604
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5532
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5416
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5600
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        24⤵
        Executes dropped EXE
        
        PID:5700
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        29⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        30⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        33⤵
        Executes dropped EXE
        
        PID:5852
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        34⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        36⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:724
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        42⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        46⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        48⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        49⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        56⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        60⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2660
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        69⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        71⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        72⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        73⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        76⤵
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        77⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1376
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        80⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        81⤵
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        85⤵
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        87⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        89⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        90⤵
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        93⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3864
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1408
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        96⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        97⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        98⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        100⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        102⤵
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        103⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3064
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        105⤵
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        106⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        107⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4036
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        111⤵
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        112⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:764
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        114⤵
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        115⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3844
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        117⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        118⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        119⤵
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        120⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        121⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        122⤵
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        123⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        124⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        126⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        127⤵
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        129⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        131⤵
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1356
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        134⤵
        
        PID:672
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        136⤵
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        137⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        139⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        140⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        141⤵
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3280
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        145⤵
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        146⤵
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        147⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        148⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6384
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        150⤵
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6472
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        153⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        154⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        155⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6664 -s 424
        156⤵
        Program crash
        
        PID:6752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6664 -ip 6664
1⤵
PID:6728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
336KB

MD5
8046d4211adae80de95cb7a969e9595e

SHA1
b0e8b0d9dcbcab06c7b3b767a5f3caa0f3f24ab5

SHA256
79acb19ebaae82d55cc441ee5f5295dc887442a75d0083a4e40ccb213df4a67d

SHA512
67accd6f25776cffaf0cdfa656d988b4e0525547235f2f44eabb209cf006e4dc5063ab00a3f92edc47594be0e0d49e438bfbb75fc7adc75149f4c58faa0c0a1d

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
336KB

MD5
69fa37987748b6d3777f40574ff55d3c

SHA1
dc253e395d964bad68a8270bcade48513d9d1b10

SHA256
af2695dc149beea13bc295aac3456254e1d2d1515fd50720dae02103e14bfa60

SHA512
dc21763d1026ec7dd5831a17f5c2d986d8827e382c81995434b655ceea65a27acef7b2294b0a383f31735fc7000580b4021df9c276ec622dc0f36f023a84f0e1

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
336KB

MD5
b04c7d1f0bd628cf40ba820a8c4af639

SHA1
db1cb8ac8434d5f1cea0fbe59ed244965476a81b

SHA256
5b10caa02b0264bdc311f216f064360eb912d2fc80877e042f23ca419c26e508

SHA512
925c62e7a115cbaabc8bf4c672402caca944d7d02767fb13c242488235211dededc244d9e3eaa1d1602eb0d565c0d60f2374ae65a7ee48b46cc6459178a3b2cd

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
336KB

MD5
c6e49bacce1120734ce6f9df6f948621

SHA1
6d3f62ed9dd48f46d8f20befc5e5d6a536b18222

SHA256
01a29e0cbbdf1207a2093639683516b4921709dee966e1ef3f88ff6211c03101

SHA512
995a8226c75b5baeb6ab26791b8c41f9e598d95cc5e92a8ebc9c31223d08175b0b9823a009f4fa7e3073b26131141f48ff582d3d7fe15133439995a0f848150c

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
336KB

MD5
ca09c013ed0fd75a17c5b112d5eaba52

SHA1
7b40a827e5042fc633d14670d0cc070af170347e

SHA256
b3e70a5a7c7be750c4cd2b070c852e9a1d11d3edd9fd7bf4fffe69ca1e60563f

SHA512
e1ac02e546f24aab43aaeff68bd82d5c1f7539b5a27ed4408f9937ad0605b12a883326b987b62057a2c66dbbed9884bf29f5cdeb29817ddf8b41c6330fc7aa20

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
336KB

MD5
6c012a9c9008f9791a314a6105f35ba8

SHA1
c92ffd56705eaf510ae5c99eb763942176d3cefe

SHA256
fe4d889128ffecd11e7b370f13dad5152b1087583f53cbfc1104f34acdc878b6

SHA512
c92c737518b1939aaa11c5d4fce51c894c78c4c5f90d3340bb172233a2311f7e4ab32ab56cd0a4a1257fd6c7802e46749d19216fc2e20874f197ff17a3b7d430

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
336KB

MD5
59d159cd90a53cb3348408dd85a7681e

SHA1
a158c1711c7fbc73a8834e9aeec3d8399a0fbd60

SHA256
6becec40bff9eb92b9481dc19128c7794b39738d9558d3c41e99789e265b1a77

SHA512
784691abb73bf597efac9ab4f092ab56273793c99b02b1bbb9e5b1a18c1bd766de9a6d4a45dc962b58e78fd111514bb23810dff30cc2ab5a40209f411fae5670

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
336KB

MD5
1f092a9baa6af26a3c8fe6632ecae370

SHA1
210431969dd3e94424948439aba94be9a512b395

SHA256
9bd6714e5fe95f91084376372d3bc42e308784d9c3e283bad058799aa946d9c3

SHA512
ad4c220c6765ca20c9c98c3ca75075ccb18c0d91fe8dc8e90d8f6534eaf119943ed02bc4b00843282ad76410f74f79606dbec95bab6c97efb658753de08e0554

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
336KB

MD5
22c387e446f09b4caa9f646681b61c63

SHA1
8978f214197ce82c8618257e148b96a8a53d5ec8

SHA256
c3975adaafac6f4c1001a9876d99938adfc2af7a110c7b66e2a0f36b71ee49db

SHA512
bf8eea727eafdbabd7d7eedc570d008186965db93b7f66456e578b30237c588c4bafa272dd75613f427097a65181aefd2506f6e49dba3e0c3a614d8b776fd83b

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
336KB

MD5
84bec63574e169cb67dbbce9cde49d81

SHA1
6c00e7d33ec1deac348f53bc5c36990891a21d48

SHA256
6a1ec4a6eb0fcf6466fab8004c52286354124d26b206e2d2b557aeb37d1bb424

SHA512
c2996a619197d01451e22084f68d51573c121406f996518bf00392eefbc14adeffdbe7ea0fa42bc4a74b266ee340f5ae0611b02d264fc920258fc5b7c223b911

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
336KB

MD5
16412eeec6630b78f04040c6de44e69a

SHA1
2d9c223c84ba845999ef4a5ebd049979511abb3f

SHA256
7ff075b8b5525dc5786a62be9b63f4eacb0e92aed12be9a018a7916e405b5cb2

SHA512
ccc4f224067b17606a1fed173506843328930485aaa0795fc3c825d232de30a7d7363e74c81833b390ed4f3eff612fc43e03a7019ba69a7b1e6b29cc30487089

Download Submit
C:\Windows\SysWOW64\Eoodnhmi.dll

Filesize
7KB

MD5
9c04bab56c7b6af7d5527fd84a91727d

SHA1
7863cef79ab5741e82ecefd4646e68230d4439ba

SHA256
4bc958a94695c2507c0a9773162b257cadb8387d033acb43f15b08ef7858d51c

SHA512
d3bc7a636be24e9c040222ee58178a2d1061375979fa96ce677aad0715d6c1204a84d2e47f17ba37838db032235b691bd2243241f1d1b39cc3f89a361a5da109

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
336KB

MD5
8339271158d672bda51f60ee64be37eb

SHA1
803deb008f4dfeb42cc8d76bb509819ab7d84c00

SHA256
86946452fae70b630347b4679cb4c9230fedd7ae539c8f42c418d12ad0dbee23

SHA512
7e5578322424c51f0e0703e0528d983a4a813dbfe4298915d12d2f97ac95eb438a38be78af2b6a543d4282f72c5794dd68dc717c25f908e75c4fe0ad0344e145

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
336KB

MD5
60103c02ee17c59085fc77a780df12b8

SHA1
3940546e57d1e874bfb44ebbe3b41d1a02636318

SHA256
b5597d286d4d09f9fe72f437de3b721993a2d23bd0e4c0d82adca7c68c678000

SHA512
e1b3f3b57d606dd3d24732633009cb6b8b8b67ce527d295f561ce684139bc2313286528ba8cc3ff33684df24ef9c2d47f07d5e817c872dd7a733b9b87a99bc60

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
336KB

MD5
b90f00a4c2a8158547c7edf546945fa1

SHA1
68f959d60b7f4b8677e1047c416f93ea071c3b85

SHA256
d170c864b0894424daeffcee84f7f0470488584c1b1d3e995daf422556fca1c4

SHA512
23862a9130a9f2de494c0ab9ef817a0e24adc36daba6c9ba4b625d94adf3e1866c2446c5ea94224fdf014e3c3c43eea5720c3bef07540418561ee7d1ad5696c2

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
336KB

MD5
ae540fe2fef9f7b99fcf6c679ebd0b27

SHA1
4bc280a26efb3d036d6e0143f868724970ec60ea

SHA256
1fc3250189795cf0a43e5d025feb4ccd3d224694a1d20e9aecab909f5cc4e64c

SHA512
e33c40c2ffb7cbbeadc61b1291113769347f629247e5e3b495ebb374a8242b4d8024f6ce71564842313546433b12d0b98eccf1b7f019080446b23617031a6561

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
336KB

MD5
62a83c26ea4f43bb0eff1e7e3172e1de

SHA1
e031d55882051b0f5df19d74fe49dafbcd5568b7

SHA256
bc04e8ea6cab5fe0f1d552424c8e8f472eeb67d08f5fb4a6ef8d30849f000c0d

SHA512
c1d4bc10b9581e0d21ceca75b6fa15b8909f63faa855b7e3cdfab584a8d6deaa4ff269f483cd1c63369705963ee64c72225145559e3969f923b4e93502b21261

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
336KB

MD5
38211ef75f61c2f30ae5785ffb1b9621

SHA1
64c86985c0e4d801878bf3789752405396e4a4ca

SHA256
96250f0c68df225f7b45b946cd0d2436cfeffe32d15a251df86073ed9f1012e8

SHA512
bf5222b02a7c06d6c6d93d5debd68431947f626b3f7608f02d7d1bb5191ed25953a2380a1f01aec789c60d9ad7e4388feb0d20314cf5cc431b032d71f22187b9

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
336KB

MD5
be30a515bb1205b6fde2d40378488e24

SHA1
2104809138a5fa39274aa8e84f4af879557403b7

SHA256
4ccf6c3a99a035d7247cb36bd7374591e8e8f4b313b40ed0dd6862f2e3d65cae

SHA512
4a1b08127582a0aae3bc877f9a02d5541ebb595d6900f299b2acda4d44bb81bbaa99759bd0feb042866e5a79f284795b4eb30516ab0f37469b54fb1ed645d727

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
336KB

MD5
f2c6b2289ddb8b0948db5f75d87f570c

SHA1
96ddbbad61fb2eec29d4c36036ef48254fbb5262

SHA256
7949466ed674c87bba25a79ae92e4dd1460bd3ef6eb11f12f5c70fec63936be8

SHA512
8ec603fd8af2bb8b4f8ab34f5cccaf7b474ea0c13a3930a8753f476be480d1353f85f77e74fc9e3b5eafc5a6297dd7f12fa977e9bbfcbf2794ad05ae4ad801f9

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
336KB

MD5
1db55576ec47f3ee7652b8b4c835e9d9

SHA1
43108a742c5e3e9d27866fb0e1dd0b9d6134391c

SHA256
c5b3cf56d28e5eb50c3810b2c9fd5ce06d656ddaf6cea1db842a0ab5d9a96423

SHA512
1d702818d1ff15f2b0c7ff52b6213ef400c7e966e79bd30b7610a83a5b31831ee66792c1f2a0135b1bdc110f3ad9146c11274c52a53fabc0090b71545b75e84f

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
336KB

MD5
5106ff9b93c4e0ef3a7da89ce0aaee54

SHA1
458f5fb11c86cdb081b745e70288f4122002c2b5

SHA256
d8fcc95865882433199c38c5991edf01f25f437af9704d2955b7ae11cec38f77

SHA512
cc30394ecc846acc69d3938bd5539de2244247a8d1b9a0bc1d1273d90f45d9bc38f1a32dc18454f185a882162bab3d0905e4a45fe131d93a9dad84c97e1ea87b

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
336KB

MD5
a33cb554af98b1fe326c8f30365b1a67

SHA1
2d333ef5718d5b7ede3f3952a8366eff53056fc7

SHA256
891b184d963b3b06dbaf2e998c6c1ec66565437083f335930aa1f706c047cf41

SHA512
f0175af50c6bd8d033e226e500eef11edc12b51668aaf7e8c7af9821f03a20991edf6f4063ca565171e4cb6d9ed5aa2576a90195f00c410b9e929626aad22337

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
336KB

MD5
fcc8cb2d6c75cf4248b903dedd0afbcb

SHA1
d58569882f9e8b7977860bdbba5f176169fdbc0e

SHA256
600e1186cfbfd09b4ec1aa6747c3276301843bc7642fadf231fafa94b61f0cf5

SHA512
ffff4aed41bedde8a0404a534ae269d3cd15defdfc0ae5cd3b8fce5f7a4a3e4248dc3e53d8ce2360a5bcdaf27134fbb8f7b4a7ae52e4e1beb48f264b43ac6ee4

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
336KB

MD5
307f263c34f99956341be5231f8eb057

SHA1
e28ec9b98b3f8f1847419d31fd7c55a717016d8a

SHA256
cec0717c0a14e449cb09124dad5614afd4124119524bb625df8187e26d26ad3b

SHA512
1ee3f18843a81ced61da33b6170fb0089e167b0148a31fd14b50ace45460e95c1c37d2719ea9f969a0010266727d9ce55f6a869bb498bf84ea33eaa6e55c52b9

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
336KB

MD5
74ff81d33962367ec5f457d3f51d03e8

SHA1
94473222eaf11f8a9ad5e4a7fda37a6520cc40c5

SHA256
23d5876736651e5c083dc17ad298877588ea408baf46a96ee34784919b90d8ca

SHA512
9954821d7aef8c3dbbe6ac976449a029c9fd41d1b0e7dbe9fae652748182bbec1cf2dfed0c3b7326fdd6c7f7284354ea3cb6d00accb98f08e32757f6a7ebb6e0

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
336KB

MD5
e72ccfa0e69389a5585039eefc2e5bc1

SHA1
66bbab22a0e85e9c70c284175f022a6e8674f458

SHA256
00fb9f0c2f2018d63a8799ef6c0d06803152924b1403dd881be5d868e2d182c4

SHA512
973b0957322e0d49323749795f94b46be372f76647bb1a2b8dcbd6e023c5dbfbb13416306f810b33fbf2876c7fe62f71b9b46de22dee6256479d07e45b38f0b4

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
336KB

MD5
d96ed8fa441f64ad76dfde08b8c97c4f

SHA1
385f3a239433cd3d3839087caae6721e11f56de7

SHA256
3228b24be742658c3bbc9ee6dd5abb3e0a92cb04b67ef6e50b13d4e7cc4081e4

SHA512
26a33edd5039c14645fb7c8b7a938bf7fd4b919cb8602931a1d3ab9314668f9d1f8ff8cdeca4c07ef486bbea47279adeddccfa3abbcfac1a5027afa291271b76

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
336KB

MD5
1fe70f98e10a3fee7d19c80edc8d423e

SHA1
7b476046595385e9f3ba638047bee8a0f16c2af6

SHA256
20d6f7c3c61e40a6557120eb349c11bbc8cf31933b93deb641b3e288991919ce

SHA512
8944f5b8099bc389a4b3e0b4bcd67918dea5c066bd285e3f089ab7cfacccb171bff608287355029b3cedf50a996ec0b7a79a728bc43a0c2761637bd292c2428e

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
336KB

MD5
08a4c118658945e745e9ee50ab3b33c0

SHA1
0c163faa7d488aec20d1c3da7914a3c12c2f44a9

SHA256
42e539c42f96c4c7a985034bf7ceb06dcf23dd971ea617af7cda552005824d65

SHA512
d8a74ef75e48765b0864eb12c38e081aa0bb1300d0a3d8d84fdfbae41dc00f59988c26fab0125c39943317c961801a560dba98d1db6d5ee9c0812a2ce5bb9cef

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
336KB

MD5
63c292251dabd76511a640cec608fa5a

SHA1
66f1d10b4cadc82122abc54c76df07738f459a28

SHA256
301e4765bbe6197848fc6d8769aae52d1b1d9a714885a0edd7f4525ba837897b

SHA512
1587db55ef7d68ea2cccd9a166b8f54b55ef71b96ff0967b4581bd731d9a78bd8ee6abdd1de1c55de4a5ff77d4b12912f459809aa6f1124df80cbc81667c38b7

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
336KB

MD5
6b3bbdeea9b9d05281134fd95d136d3a

SHA1
87e2e953723d50d4ca172c8973ff10a5648e0bd1

SHA256
3c16058982c0ef5b342a958dbcdd63747c9a7c92d6b84470b77209d2aac4ec13

SHA512
b26435b7af2417ccfff3baaa547d479cc46708a0464aedd97ec296f3ef71d17571b68b960159f573787293f888a015c192af6b110676a6d054b6db869852728c

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
336KB

MD5
90a43afb9512ca82723571a8e87adc6f

SHA1
4d915c642481c9fb635b5454aa525e17ce9e1eb1

SHA256
b9ca6c89664ce8c10e50102e5cf00962b05e52f7c6252ab625a0750ce1d91128

SHA512
75bc822b62631d2c5e210b19e32be93003a8430ffdcff3e402fed6d597f83670b74f94d4ccbc563dad172105439c7d461b57f954c54423892bdae8fd205e223e

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
336KB

MD5
d1543987e9de265e7d917fd061d0d633

SHA1
6d91f9ff6782a1f5ac9ca84fed4728fafac93777

SHA256
7cddaeb0141120a17d5f6420e8fb3120bade6c3f59546a00e3d26b1690dc765e

SHA512
6883182c3396bd47eefd92877ff2ff0022e33f686e8a1224fe3aeafafdd8406311a91df42dc2ddaf0bbad8f2359b64b4c67399f9fc06edc8dafd8a66dcc6a1e4

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
336KB

MD5
5045855dfd92bc5c3805f463dd2a921f

SHA1
267f230d201857353a79d9eedcfd76a191428e7f

SHA256
24be880e231d18e8c05644425a9ff9d1c995a2c773339a287b9b16cb7313de5e

SHA512
5caabc4f8ce51f2526646cef993223e01bb10af89c052de66a41c899b61e8cf42d96a38277ed4374561fc4eb785b8443ce63e16a047b934bbc7d9358702fbdb4

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
336KB

MD5
8cfc43ff41fb2932c8f0b2af105549dc

SHA1
041cbb18d6f01243c460bfbf92c5904a2ccc08a7

SHA256
22079beb2a83111b35730379971c833ff3c66deac0312131dcce7d82b9a61b7d

SHA512
ef14d7689eb5b3789e208e6decae40ac4869275259adeb8c3a918f1c4da8590bf0ca20418af92085bc9c5ec7ae14a450aa35543cbab0b27169e92e3548d1c135

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
336KB

MD5
8c86a49ee227b140ee1638d20dc31673

SHA1
077bade95b7ec66ed1bf15ad7311594996b24e55

SHA256
bb4107ef5a2a9b292bf323404fd5c566348f7d05c723b3a431a3d286705fb0be

SHA512
5c58b805597f30a23911bbfc3fb813cd49ae4408dba6a1276a9e5b6ef320b73896e335772487830121881c4d3f4177b95ae242188f6e85e7a6c1ac8592735905

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
336KB

MD5
73a293ac1e2144374875ad1379c90dfe

SHA1
11ffd35c63acfc776d72033270081f76890c281f

SHA256
5849e8a015d2e32837775d158550790949d597003509e4e629e7849844d631e1

SHA512
a4d15a071915d74bdd5c0a865a1b847588b0a6137072796e4fe152dfb893acbb7089926f795a816be0f13455811650feb78e2f4f8d7ca24b6e6e50f7b8c7802c

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
336KB

MD5
3dc5d3e7184bb7b4afbc41a1d956650a

SHA1
8459c8f8f1ac3faef534bd320b9d15c6d142ce18

SHA256
b35b0e74e61854ee7df4a2c0270d9fe29815daecfc4070ecb416bec78d4533f9

SHA512
69d245ec26fe3780d2432adf66b1eb274d2e674c3794f8ee6b367b29adb0ca8b16593bfc40fb9bc0b54271b2f5bda67feedc54f33fe2f9b878c4df1d72202894

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
336KB

MD5
b1b046709499d98ff448e5a7c1c3f364

SHA1
878d0a0ff15f037da476eaf9d2c15885db87cff4

SHA256
12f13d4da618b13105c3f4d460e39cf56890cfd332418fb62c593f8ca15e92f4

SHA512
bee1d45cb1cd9440272a379d359e4f964f2de2e9aac6c0c7077c7d7c7c0f3502afb9aad98bc480f2069fdfaf31403e059bbbecfa7226a26e162413d8608b15b8

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
336KB

MD5
2ceb8242b9d062d8dae2d891519cc1da

SHA1
0e2eda349b4054a9076608b754b0099a53d42103

SHA256
c246071813d3d7b8271c46ff89eabd6fb37b6bf1d96c58e384941aa71d3313de

SHA512
bc77a4c1a3fa2354ba9532c470a318941e3534cba5805eeceecdd12557983f974a8c9e025021334f657a75b218ac481f8e7713ecba90e8e9924ce0f597507511

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
336KB

MD5
bf7be971bd8061390251ecb3bd680187

SHA1
07713a8907c0a649ae05f24130ab7cac0a2dd07a

SHA256
f26a5b33f3dec246c7d2190c7e6360c4d4edec53cf29f22f519968641e968b0b

SHA512
65eea54b84c3542a482b8d06a6794d915abd35a6385445a011db26f238f9208313e8ad1443e676948f62169700cc868f58e91f551a92a84defc494ae183d9aaa

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
336KB

MD5
02b51f03cf593dc5fc037a9f4d84a15a

SHA1
157ace0c0d49b865d0d5df108380cb32bc3f7914

SHA256
8e8ebb6574054d726574662fc15b8b546f8c10c4d647663ec7e285daf3ee79e6

SHA512
d5ad28c92fac68bf63533cdbacd0a8882d3248d5990bd7f851c4d073f5be8ab64a18786fb430f92308dd4639c90dc44731e1770417bead59bc8b4598674a6af8

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
336KB

MD5
f9cc02a8e3997485f885e231f085bebb

SHA1
a92d0a60550c639f295d84f79a50bc21598859dd

SHA256
933fb21048552792d478bb4e4397700462f6b8875044d72fe6244dca135e7f21

SHA512
08aead255e7208c337c242d08268f169795c96a600ffcd3f1195bf4cfc1192ade22513b8f19a38053a5c377c7f3cac62f25176cca7eacb58b321f144b000007b

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
336KB

MD5
41df873499440a316d1d683f68d4343b

SHA1
857ab0925d56991274b519684b5878568e31556f

SHA256
93182a6d5b609ae56a2362b6f74fc09d5ef4ac257678ab55954c662009269a02

SHA512
119c87ab617650d3f2e6030ff0fb0ac29eaa7fb5d745ee270dc02ab46dea42781a45ff451f479b6295a696cbc09bd731b3c6f4358fcebf622808cb3935385e7d

Download Submit
memory/404-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/408-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/724-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/732-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1036-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1092-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1148-555-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1176-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1320-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1456-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1576-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1632-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1836-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1836-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1932-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1956-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2076-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2092-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2152-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2360-598-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2420-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2548-550-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2660-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2760-596-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2760-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-387-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-548-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2876-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3008-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3016-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3120-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3148-511-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3156-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3168-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3292-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3348-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-576-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3508-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3672-506-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3688-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3908-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4008-577-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4224-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4280-494-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4288-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4320-585-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4320-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4468-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4548-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4572-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-284-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4804-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4844-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4876-464-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4916-482-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4940-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5032-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5152-539-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5192-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5220-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5416-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5420-499-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5428-603-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5428-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5436-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5500-476-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5532-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5600-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5604-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5648-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5660-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5664-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5684-584-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5692-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5700-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5852-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6016-569-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6044-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6088-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads