f1ad69734b657fbfa039bd6b9aaa4860d3d3fb2b8ae9110745128e0644715d5f

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80ca877063957ce72c6f26507ef61fb0_NeikiAnalytics.exe
Size

384KB
MD5

80ca877063957ce72c6f26507ef61fb0
SHA1

9e3034391c25bc2cd8ccd8c9c56f16749f4f1efa
SHA256

f1ad69734b657fbfa039bd6b9aaa4860d3d3fb2b8ae9110745128e0644715d5f
SHA512

0d687c9c6e6618aa7b42a35cb1f41dce59f70ad27714488584d57a070fde9981b46a106c123682df9902a6fc18011597a66fb1376049041dc6b8d1c270213668
SSDEEP

6144:c4e5dJK8SeNpgdyuH1lZfRo0V8JcgE+ezpg12:cp5dk87g7/VycgE82

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	80ca877063957ce72c6f26507ef61fb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgodj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djpnohej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eckonn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe

Executes dropped EXE 64 IoCs

pid	Process
4764	Dllmfd32.exe
2488	Daifnk32.exe
384	Djpnohej.exe
4128	Domfgpca.exe
3280	Efgodj32.exe
228	Epmcab32.exe
556	Eckonn32.exe
536	Ehhgfdho.exe
3292	Epopgbia.exe
3940	Eleplc32.exe
3760	Ecphimfb.exe
3796	Ejjqeg32.exe
3204	Elhmablc.exe
1100	Eqciba32.exe
3724	Ecbenm32.exe
1636	Efpajh32.exe
4748	Ehonfc32.exe
4640	Emjjgbjp.exe
3268	Fjnjqfij.exe
1016	Fqhbmqqg.exe
1788	Ffekegon.exe
2084	Fqkocpod.exe
4176	Fcikolnh.exe
4900	Fjcclf32.exe
4644	Fckhdk32.exe
1352	Fbnhphbp.exe
4700	Fjepaecb.exe
3064	Fmclmabe.exe
2264	Fmficqpc.exe
412	Gfnnlffc.exe
4044	Gjjjle32.exe
3272	Gmhfhp32.exe
1232	Gqdbiofi.exe
5040	Gbenqg32.exe
4308	Gqfooodg.exe
1344	Gcekkjcj.exe
2796	Gjocgdkg.exe
4024	Gmmocpjk.exe
4868	Gpklpkio.exe
4252	Gbjhlfhb.exe
5044	Gjapmdid.exe
372	Gmoliohh.exe
1876	Gqkhjn32.exe
1480	Gbldaffp.exe
2524	Gfhqbe32.exe
936	Gifmnpnl.exe
1804	Gmaioo32.exe
4328	Gppekj32.exe
4576	Hboagf32.exe
2364	Hjfihc32.exe
4084	Hapaemll.exe
4452	Hcnnaikp.exe
5032	Hfljmdjc.exe
3672	Hjhfnccl.exe
3688	Habnjm32.exe
1128	Hcqjfh32.exe
2844	Hfofbd32.exe
3628	Hmioonpn.exe
3260	Hpgkkioa.exe
3316	Hbeghene.exe
2280	Hippdo32.exe
2244	Haggelfd.exe
3576	Hcedaheh.exe
4488	Hfcpncdk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Eleplc32.exe	Epopgbia.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Fjnjqfij.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Iifpphha.dll	Efgodj32.exe
File created	C:\Windows\SysWOW64\Bjikbh32.dll	Fjcclf32.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Jfjdddho.dll	Daifnk32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Eckonn32.exe	Epmcab32.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Kibpam32.dll	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Epmcab32.exe	Efgodj32.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Fjnjqfij.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Ahgndd32.dll	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7136	7024	WerFault.exe	248

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgbbq32.dll"	Domfgpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eleplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Efpajh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	80ca877063957ce72c6f26507ef61fb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjdddho.dll"	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 4764	3184	80ca877063957ce72c6f26507ef61fb0_NeikiAnalytics.exe	82
PID 3184 wrote to memory of 4764	3184	80ca877063957ce72c6f26507ef61fb0_NeikiAnalytics.exe	82
PID 3184 wrote to memory of 4764	3184	80ca877063957ce72c6f26507ef61fb0_NeikiAnalytics.exe	82
PID 4764 wrote to memory of 2488	4764	Dllmfd32.exe	83
PID 4764 wrote to memory of 2488	4764	Dllmfd32.exe	83
PID 4764 wrote to memory of 2488	4764	Dllmfd32.exe	83
PID 2488 wrote to memory of 384	2488	Daifnk32.exe	84
PID 2488 wrote to memory of 384	2488	Daifnk32.exe	84
PID 2488 wrote to memory of 384	2488	Daifnk32.exe	84
PID 384 wrote to memory of 4128	384	Djpnohej.exe	85
PID 384 wrote to memory of 4128	384	Djpnohej.exe	85
PID 384 wrote to memory of 4128	384	Djpnohej.exe	85
PID 4128 wrote to memory of 3280	4128	Domfgpca.exe	86
PID 4128 wrote to memory of 3280	4128	Domfgpca.exe	86
PID 4128 wrote to memory of 3280	4128	Domfgpca.exe	86
PID 3280 wrote to memory of 228	3280	Efgodj32.exe	87
PID 3280 wrote to memory of 228	3280	Efgodj32.exe	87
PID 3280 wrote to memory of 228	3280	Efgodj32.exe	87
PID 228 wrote to memory of 556	228	Epmcab32.exe	88
PID 228 wrote to memory of 556	228	Epmcab32.exe	88
PID 228 wrote to memory of 556	228	Epmcab32.exe	88
PID 556 wrote to memory of 536	556	Eckonn32.exe	89
PID 556 wrote to memory of 536	556	Eckonn32.exe	89
PID 556 wrote to memory of 536	556	Eckonn32.exe	89
PID 536 wrote to memory of 3292	536	Ehhgfdho.exe	91
PID 536 wrote to memory of 3292	536	Ehhgfdho.exe	91
PID 536 wrote to memory of 3292	536	Ehhgfdho.exe	91
PID 3292 wrote to memory of 3940	3292	Epopgbia.exe	92
PID 3292 wrote to memory of 3940	3292	Epopgbia.exe	92
PID 3292 wrote to memory of 3940	3292	Epopgbia.exe	92
PID 3940 wrote to memory of 3760	3940	Eleplc32.exe	93
PID 3940 wrote to memory of 3760	3940	Eleplc32.exe	93
PID 3940 wrote to memory of 3760	3940	Eleplc32.exe	93
PID 3760 wrote to memory of 3796	3760	Ecphimfb.exe	95
PID 3760 wrote to memory of 3796	3760	Ecphimfb.exe	95
PID 3760 wrote to memory of 3796	3760	Ecphimfb.exe	95
PID 3796 wrote to memory of 3204	3796	Ejjqeg32.exe	96
PID 3796 wrote to memory of 3204	3796	Ejjqeg32.exe	96
PID 3796 wrote to memory of 3204	3796	Ejjqeg32.exe	96
PID 3204 wrote to memory of 1100	3204	Elhmablc.exe	97
PID 3204 wrote to memory of 1100	3204	Elhmablc.exe	97
PID 3204 wrote to memory of 1100	3204	Elhmablc.exe	97
PID 1100 wrote to memory of 3724	1100	Eqciba32.exe	98
PID 1100 wrote to memory of 3724	1100	Eqciba32.exe	98
PID 1100 wrote to memory of 3724	1100	Eqciba32.exe	98
PID 3724 wrote to memory of 1636	3724	Ecbenm32.exe	99
PID 3724 wrote to memory of 1636	3724	Ecbenm32.exe	99
PID 3724 wrote to memory of 1636	3724	Ecbenm32.exe	99
PID 1636 wrote to memory of 4748	1636	Efpajh32.exe	100
PID 1636 wrote to memory of 4748	1636	Efpajh32.exe	100
PID 1636 wrote to memory of 4748	1636	Efpajh32.exe	100
PID 4748 wrote to memory of 4640	4748	Ehonfc32.exe	101
PID 4748 wrote to memory of 4640	4748	Ehonfc32.exe	101
PID 4748 wrote to memory of 4640	4748	Ehonfc32.exe	101
PID 4640 wrote to memory of 3268	4640	Emjjgbjp.exe	102
PID 4640 wrote to memory of 3268	4640	Emjjgbjp.exe	102
PID 4640 wrote to memory of 3268	4640	Emjjgbjp.exe	102
PID 3268 wrote to memory of 1016	3268	Fjnjqfij.exe	104
PID 3268 wrote to memory of 1016	3268	Fjnjqfij.exe	104
PID 3268 wrote to memory of 1016	3268	Fjnjqfij.exe	104
PID 1016 wrote to memory of 1788	1016	Fqhbmqqg.exe	105
PID 1016 wrote to memory of 1788	1016	Fqhbmqqg.exe	105
PID 1016 wrote to memory of 1788	1016	Fqhbmqqg.exe	105
PID 1788 wrote to memory of 2084	1788	Ffekegon.exe	106

C:\Users\Admin\AppData\Local\Temp\80ca877063957ce72c6f26507ef61fb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\80ca877063957ce72c6f26507ef61fb0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\SysWOW64\Dllmfd32.exe
  C:\Windows\system32\Dllmfd32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\Daifnk32.exe
    C:\Windows\system32\Daifnk32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\Djpnohej.exe
      C:\Windows\system32\Djpnohej.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
      - C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        24⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        26⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        27⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        33⤵
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        40⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        44⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        45⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        47⤵
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        48⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        51⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        54⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        62⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        65⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:888
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        70⤵
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        71⤵
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3356
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3472
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4292
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        78⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        79⤵
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3448
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        85⤵
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4052
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        87⤵
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:436
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        89⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        93⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        94⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        96⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        99⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        103⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        107⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        108⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        109⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        110⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        112⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        113⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        114⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        118⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5612
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        120⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        123⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        124⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        125⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        126⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        127⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        129⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        130⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        131⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        135⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        136⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        137⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        139⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        140⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        142⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        143⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        145⤵
        Drops file in System32 directory
        
        PID:6328
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6372
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        148⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        150⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        151⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        152⤵
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        153⤵
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        155⤵
        Drops file in System32 directory
        
        PID:6768
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        156⤵
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        158⤵
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        159⤵
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        161⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 232
        162⤵
        Program crash
        
        PID:7136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7024 -ip 7024
1⤵
PID:7084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
384KB

MD5
00ec493a8c5f6771d24685ec2314de97

SHA1
900977183fddd8619fe6658f3f13b702f2c70288

SHA256
8c1396321d3af3d5c199e573f5005390e153535188b5cbd9d20bac6a6f82bf84

SHA512
ffbfb06a34a875ad38c5d684fcc1e24771e719e241472be9f782b58a26e2fe4e93b8dd4e7474eb6bbdf0305e67393aca85b036ee4972a1edafd34c68a83d1d08

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
384KB

MD5
a5ba96d67f148451e048dabd2306b13e

SHA1
262db1548591abd29d7e880dcd88c800f3d45d67

SHA256
4a5cf3f90ac87fdddfa00fe65427a6ee4959bd3f5c4deddfa6eb60e10e8a9409

SHA512
0b957d2c74e4c2c29c5bfcdb4cc59ead2389c5ae6dc1acd770d95ab823b617a82d9c3295a2ccc4ff894607929267b5c31e362be34b78cc2b9ef113b18ade1b9b

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
384KB

MD5
612ae2fdc2363fa8f5e21a697e1d1724

SHA1
931d3e9401d575b055838a25f9b1469fb9c4c0d9

SHA256
44d431ddb7554afbcc3468d0a9bbe7d28b4e11b7d62778b227111f2e3f531c78

SHA512
0aea520caf896a4e2f3403c0eded2481bea92112ca267999310d2566c8ffe6a56753cc2b4924679685cdffb8e5535526a9f5b732af08c8aa5cdfd20a02285108

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
384KB

MD5
09139c37fdb017556b25a9d91054c7bf

SHA1
2ad20d127f1cd12e6a607fac07e8bc5f32dc3039

SHA256
636633331121d02ad32094b508f9eed9bb2f0f20849cbd870241182ef56e2963

SHA512
f19d388336ed98e09d1e1d0c14181867d188ee68db2ec089c2709c6fa372c3dd2a6fd9c562a6698b7a28b9d44b7ac5572d75d370e4f888399481ba2171cf2b64

Download Submit
C:\Windows\SysWOW64\Dpgbbq32.dll

Filesize
7KB

MD5
5b6a9fc68c1b869e134b1578257ee9bc

SHA1
0ea1119d9ce0454ca531905ec322c280f830e367

SHA256
d078559a21c1fcab070e01e9c1aad06088f8f910bf8f61df65ba0427a2026c57

SHA512
3845950f309fe2d8a62f8d0c45429fe7a63e996d620c3348dfa3b448ba95de064c4bd6b5dfb4f110e1295e9c94bfc0dd9d1c6648073e397f3e6f2fd97000869d

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
384KB

MD5
ba15e7201a2fd3642c7115cf572b5bd4

SHA1
bfc917041153389753fe8e4fc9e50fd4d2c85853

SHA256
bc0401764780d56e1e6d54765e7228ec6dc0fbc522942dafa1dbffc13e75f738

SHA512
a6372a4efd859fe006e95e915b09594f7557183602bf6d3882eb4f8d18dd462c85b964f6833ca5ed3552d03402fcc3d72927ddce3787605184b74a56f7fe52eb

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
384KB

MD5
96bbf2716b76b6c47bb5b2100c41d474

SHA1
2c263e6bf6ab4ba9e407c39ea9e973c08122cf02

SHA256
74e5f47af2d580fb1db07a653aa4e4e5f4c3acf9bf1686f75268b54782e9d5ac

SHA512
dc1afdd97797485b475a95e7ea58d4b1541f4e5983f4c6884b1304414f9c02c298dc64fe75e35b76604fd639f3fc53a3236dc1e6e8afe6deb6e37a7ce787ab6e

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
384KB

MD5
b37c4c6deb93cf5123409847ce48f8ba

SHA1
c0584a942da71d5f8cb06874df6123b67145e69f

SHA256
2e9bfbddd1addf479ef1008214c41224d0318da3e09e466433e3972684b1ae39

SHA512
4222fe6ae45fd398c1f5338eedc0059789fa8a2926447970e25ab831923ccf1f22798b92ec9e0cf7bf65d67875b164eb49a38716245e2871d1b31185a17a54cd

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
384KB

MD5
69d160772a04b672ed8a92f4b1422d83

SHA1
7c12100e64281bf82fb5321a477a976b75c56289

SHA256
c9cde4a61b152665fe3aedf2d3a63c33b44c1c60141913c415a748cae1bd6ace

SHA512
5204e4291d602a0ee0208402f27e37f0d06f13018713d83194667b8cc31a38fca27e1c98ccc8f7009ed5edbcbdc6a711339eecc54ea8ab12cf6048000e5036e7

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
384KB

MD5
040dd3c10a74815471427690532d42f1

SHA1
b51f8b75d4713e11bd5fcb24463912286c0865e5

SHA256
02a59ecd206b2b1085519bb9e4fce0b2caab36ff786fe78c2710c9143b67763c

SHA512
4b1b0d503f0d2fb68cf5df24f1d29b83ced2fa362f8fe35db6c017c24ee69fdaeb94c01fe2e8dd377ce1de15fd4245d2f41e5392345a3f3de1dc7a3e11419803

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
384KB

MD5
baf1f717b959234ebc15698664a0c43d

SHA1
35eb9590c602eaad7507c16a16ab4bb3e0199743

SHA256
cd5d2328730b83929622891a44eaac5f98547391fd076bdc80e5614e1ae3d44a

SHA512
6cb6fd2303e9898e91658be11e3de7272b8e06061fee07241e36e50039e559aade96272aff75c4728246f9b800abb657d36be180276d695d625a9ae9c191de72

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
384KB

MD5
4cdd423ee9eec8552e0f3befa37c55af

SHA1
0542af956ffca10f5d83dd1684a5e447b338c381

SHA256
226bbb14f4d5ff6a0d624a66e960263cbe70c730057081a4364500d2f7f34ae3

SHA512
cf007f51f9a93d8f8396d1e9943a1dea1d1786b289401a6f9a1812944ede476df3dc511e0c5768a8c675ebf6981587ca5aca248c92462d273252f8dc6e66e5c3

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
384KB

MD5
f003862a10f377c10ec90d542f6b2248

SHA1
e56885d28fbfbebdc0312724504c8abbab4924fd

SHA256
193d9f3c522bf538005b266ff1907299b2155097c83e02d02f6ca9d0bf508e74

SHA512
ab406970f09852b719f0e90250da91b805086f46d7b361dac0c1c1072abfc7f08297eea2fe0f5d122706c76cf0b58f7ebcc8c7a28611fb87a3e0f101b3ca45fe

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
384KB

MD5
f412bdbef0efd31439dba80f728372f3

SHA1
8f6032681fb3d139e037682f0e2c86a3596a2952

SHA256
054766cf2be8e9446b332b6befc0306cb6297e89a0bd27b9f03170aec81e89a5

SHA512
741d65760b56e608132036ba7efb99abfaa682480859dfa29220341151694c04448c0faf50139eb370d8786f1d50ba146454fc0bb64568289fb441c2b9abb2f8

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
384KB

MD5
9003f6a3679bbe4d280a179a1d4a6a37

SHA1
0367e37429e4e92f92089006b3eee06204b452c1

SHA256
db30a164c942a73b677543f9cb9ba9563ddfcf659984f4f369336fb7f4dac32f

SHA512
b458579c30a64b2b5a367d7cc4586b5b0370e13186e44674445c2aa4ca755e62118ef6c5e66226d06d73336949c3fcd6c4bf40bfaa219bffa8084c15a6ab0ebc

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
384KB

MD5
614e5e86d8824aabeacf85ce81bbcecd

SHA1
02033e4ecf1debe3a1b669b9fc439020d2142e00

SHA256
d139288a07553a802d8cc7ed4064cdd9f348a9c9da3b82b14ff8ed22b7bab389

SHA512
fd1b68a3ab2471f1106795c57045075fd39b65a356d44825b3dea8b870a2af829f3e82d7d30f2432624754c03d758f02798f46c6e5c2615e50d678b981b42c9a

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
384KB

MD5
ea2cac1e57f70a96fa011aa8bef8d738

SHA1
450f89a29bf9e51e6ecaec5c6e093f0167861224

SHA256
1c4f787397b2e7cb170a37fc707f053a3a1f731ba0efca6d7f3ab911b7f66208

SHA512
7fa8dce5af4c5e6cd94d847d0a32401a4d6fffac9301e0e541d02ca9d4bcfd9ab92bb09f4b53a61c24861929a7c651177292c9180c3f88dcdf48f5f8e3854519

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
384KB

MD5
7938c52f4f2fc921c3fbc1750a4014c0

SHA1
ecd47b73f3fe95520734af8e289d19cf1f5df97c

SHA256
08804512745cb8f2513904ed4f8a8dda7ca1df8e11f0883402680e4ec798d10a

SHA512
b4173a530c10732d88b4fdf3c8c2819abcbb52428d92fa4863cc0579f02e13136b73f9e178301b393c7f5392090da35021fbf88c1ea5abce7dcbb245517661e5

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
384KB

MD5
17f6eff39350641c4f2d84acdd6e7b77

SHA1
2c8bc85ddbb05af349ea7dafde37509da0a05af0

SHA256
6786a175c2509295920eecbe6de66ce59f61579884adaf471a730968c542d3e6

SHA512
bad329f60f2ffc4b49c18b049dc9ab7c4d7c4fe89cae7060e0aa341c38320cb39283b7aa602cd4ab8ed5195568b954d66a48f9870e5c1af030ed100ee05c041b

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
384KB

MD5
2e8b17de36bb70c44237e6c648f2811c

SHA1
fd96d0cfd2b22ace8d6c7a68c6b369567c23022f

SHA256
c17fca2898dbaf31c7b15623c42d966d07a25dc3ead8c2304643c6a9a46d0e3b

SHA512
9a2643a2a63db16388b913b3bf160ef7bd6e642970918fda66c583e68865e8ed8421d522a343e8a7afad01ce4a84a30a33cc20c26be70e3a7bd79f85d47ab411

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
384KB

MD5
7ad91089fa4f1dae6a5ad7d6b581d822

SHA1
81d9fafd9aff864f366f56391dd2d57f41b46607

SHA256
c5520878c70038233a97daf5778ed307cd7b8905a7d49765d12252cecbddf431

SHA512
839343af8e39ad13587bee67a440dd843b75de5806c41a5bf801efe59022bfefff1ee8d8581ffc372d02db0e0486c7e9f2f008d404dacfb22707a3511aee7c89

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
384KB

MD5
b3d11e65e38a833be1e3a02abc276e86

SHA1
f254d860f6ea2efcf2edd8ef274356507967cd07

SHA256
332f87b152a6191966ad433ceeebbd391ab5fa748b1ca5b749a1722e3a32aa98

SHA512
4f4e9b8e24d82522fc11135032628e117199df6a123140bc0c2d4cfc7159ae7fe8afb3d55a3c653605418c6006745a325ebd6e1beb784ff20157021bebeec0e7

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
384KB

MD5
059bc18ec9bf5152f9203d719ce309ef

SHA1
75c670f51f27dd0ac06710b552735043f34870b8

SHA256
51e1616b002323bd24c76f613e9f0a01dc6866983ce0ec9e97e27993e5fe893d

SHA512
24b26e90cfdca222244e714c584976a960641d1ba00fcac08cd57159d9f64348138853fa73f104988c0c42237805cb69caf848004a2c49a8b64376cd6caf045d

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
384KB

MD5
39a48d5ca53758001e4980dd57f05850

SHA1
00fe6240eb8c0754ffd2de80c2ccb6916aa51264

SHA256
758458176a06fa1bafc341194cb17eb270320e65d79967ecf8df30515bd543db

SHA512
02f5ad825afdd24ef7495e93fcea572f42875008fac280154f983c00693e93e7fc0d350d66a11a972f37344d92457928e82c45dd97eb17ff914cd04f934a991b

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
384KB

MD5
8dddcd55de806ca832371baf1663a559

SHA1
3f1b8332d1994d9818e7db0e4dbfdfcb14cc1ebb

SHA256
2c93a4eb8e18787ee8088b2d1b07e261e4808607d70eb4f3d073f5fbaddb790e

SHA512
d7841a67fab5b245620325a819bab32bffcd833c9bb8eab2cb2f8c229df067600eee766f3b31d6c3d45d7f683a2e050d7f1f2bd29c8eeb9d725a46d25a442ccd

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
384KB

MD5
bab4a158b6f3e655ba657065842ba7e6

SHA1
7365e2cab24e5521c586b0e3f31f583b30470f49

SHA256
88397b8ad19f8bbd3b7fae3820dd0140e734a11b08f01835630988e3aa2d8bf5

SHA512
a881aa57a333dce94d9bc5fec0d5b2b6cee95e1a025768d9b542db6f30e5c2799859d6aacaf452b3433273e814f24effcd2791aadc924b2cd95c96b9a599f90b

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
384KB

MD5
34501f19c673c9b81dd175609175a73e

SHA1
6117a5105a7ed96b712f31e5cc3dd759d7013d45

SHA256
03b821f16000c8a24ac78ccef207cdb8cda83a9786c24105060c7aa24cf57be4

SHA512
c053d9c843f8725418f88d9c31fceab7ece7e1cc14ed345691d5b4b6fbbb4a99c2046fdc334a554f004d8292863934258c74642257cad5a2445aa201cd860367

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
384KB

MD5
48385c16525f561dda00568656fed69f

SHA1
36d9e2cfa3f6451c8706b7ce2e519cecdd9a011e

SHA256
bb99f25df12cce2c0dbb6e10d2f7cb5e5786be69cb5c863ace52881489bc6cf5

SHA512
e0fc9a64cfcc5e0c9b4ccadbcb9c2a17fd86c4ff1ec334aa918c071840279c5bc3dad80294ab7845704b690e84e38d26b45d1f3c0a37fba7f80aa9427281ce71

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
384KB

MD5
91116df1daccf025cb74a6e811e0fed2

SHA1
11fa6411c79dc26d6732e3bea9fff615ba5176ce

SHA256
e1f4ec6a79895cc03773347e234c9e0f539ae021b8fee96d77f6693c46c62282

SHA512
3c03b724d3119f6f4f125a22643c96730983f4472cfc4583df601c6569a2b66db1a1c25583d436b491135bf40949c0b24444d3f896ae9eee4272434fcabcb296

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
384KB

MD5
d58cbe333e2b29db474dd50b0b36af7e

SHA1
d1e26d59d7a1796c5400d19ae5eee29002cabf12

SHA256
1b8885ac2e144611adebbabe377a7ca89dcca8e48796f20fb614aef0c661c81a

SHA512
3e9eef9748680be4e6dce0b2e993ec03b301377399231fb71be71d7f23eb49298d2d4e957b4e7c02b9ca6347cf8cda50c9a7af56921956922b174dc458906f92

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
384KB

MD5
72569ae33d6209c546070df4953ddf67

SHA1
78deb2ffcab6c6feb8f253ae05ee0bd7a689a8d1

SHA256
66697653258512940355ebb0d33e197f0dce0f4931dbcfba17e6374dab5c4f89

SHA512
2c877cd736aa290468aa6b0d0698246f209100b520041808e6e4a283b3822d242e215a3af78efaa26cb1ae257ad59bea86565c9abe7c0d99e586a4fad788d739

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
384KB

MD5
ec6186f5c8b23f9aa0804cae7b3f01a2

SHA1
fe8a69f949efd9d695bebd8eea47a71a99045e3e

SHA256
7560cfd93c5eb8f6b82ef1db1e10b710efe04e8e63352ce48c2cfbfe928b036f

SHA512
54c57bfee9579f6f1771bb2596f03dcfc7d0b7524d779beb7fa603b63ce3dca359a5c27f859e7a72a8c1172ce99f25a8c4382951a714e61ef3f8f6de56591f85

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
384KB

MD5
4214ed138c7bf3fbde53a4b9c1169744

SHA1
8b34afe1650718f7c1dc9a3dfcfcfc6db9e18d84

SHA256
71b23e296f8af83db5f083149e97c1d7851b4bf4015256175793f8a0823d3d4b

SHA512
0ea490589542c2abfb13ee652ff66444e334425c6eb25281ccfc68e2e032cb0b38cf233803c2556b39ea36261c23bb02b2fabafe87d92e18e8f561ead51d772c

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
384KB

MD5
9cec0a626af91678dc43e963822801fb

SHA1
9aeab4b61ed36faeb9ff73853527ca1a48475db7

SHA256
387e24dfae0349ad3da3925500a5e8d18a3761f389053a9e698d08a0d9738185

SHA512
e74047ef4beb1c5e0a525ff784f267f387039f59e93952257bf30046e181cb93b5c1cffea4445b9cb715135bf8c0ecc8722459ba587a395bec2f02d4688c8b8a

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
384KB

MD5
acbcb62d31dae30356dce153e6cb7d59

SHA1
e5f859e9af7501cb8d4eec4420e3a7d0ebdf7eb2

SHA256
e38927e62b862a7673e018f55653c93a8c8d9137f5137cddcc7cfccadc4bbb95

SHA512
92e351d45d19d41f8139ef79db41a77cdb12fdb39e5357142fe66872df9634ced4249aa15cced61dde2e1ed8ac16fea1c5c50674c0d446af4c0e9c1999eb7110

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
384KB

MD5
6cfc3c191b983930270f6063f8d0a8ef

SHA1
1aa8a791814cb1c60d3208a3d37a4d03c4c56b5a

SHA256
b695fcacfbc6b6d27f56fc0200e6331e55107b8e587a3f847e90d073d7068012

SHA512
81b0f62d7bd43fb70207a7e192f007a8813f94fb30185346ea6aa248ca1f760e3c14afee3411b62ce9d9310499361a7f0e152e43c3a3723850967be8df68c2b2

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
384KB

MD5
5b435cc97bce8f23c044b2b33e32a74c

SHA1
8d083ad22923c751da6d03eb0a3580e0d521ebe1

SHA256
9183b1f7af8e132dac6244e3f4e81733c66cd3702b2ade9360b789a7cf6a6fba

SHA512
f4c195e11c6b40dda9f539f7846c99791cfdc30b9cfa16b9591308008fe8f86469e1728338c1a2110f273038028c7f48dc4c7651ef734e01d869ce3ec7fa10a0

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
384KB

MD5
4afefd2bc5f322a30041dc6beb6c378d

SHA1
c1a26265a34adc95eb9ba70ca24def152c04a06a

SHA256
549b29f4559240ed717ae91c3cad682c07f1eecc63d4e1823b74d8ddad30b757

SHA512
9d4a053ec4821bc512ca02417e5098c9813ca8fda488ea5ce3b999044e5f8d6977c8dee7a5b4f96a21f291970b13c21b6210b943bca29e5f09344929e1abdce2

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
384KB

MD5
71303bcbdc5df3de635b08e67e0b8f2c

SHA1
bb7bf5ab6158f62b469f4a02ce2db3be319f9e43

SHA256
ccd5c0bb8496c7cdfb0c450243415807234cbe09fe21d68db58f14a1c855e89a

SHA512
0ba0b381badd690b03e8d58115cfd8e3bfaa07ba903040e68a4e157428cd98a93b0ae5909178c3b9596db2f4ae47d608adbbfeb04e9021d7e9a4b0914d0c8e5d

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
384KB

MD5
785a62fe0e48afbf0ab2c2c2579343fb

SHA1
112f1aa5769f51e5c97872e3851a80993e673f55

SHA256
2771c44383e2c00f4fa943a69edaaa1b09fa5c707016317917aa4e306a864d5d

SHA512
64a89a4870f221e4762f225249db13d6b2f82c681a07119ccf8db750f8a5154b1497270df6c3045e4be0a357577be4c92ca17b7d43853aec14936fc4e56e4634

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
64KB

MD5
f7e385c8efbbe125e9483620a1a83327

SHA1
4748df87648ab9ea154878dee45a17ce4b84fa78

SHA256
dc6a5fd884f2fe73faa1718ea9489eecd7c69d5c64bbc224ecbce094abf0b45b

SHA512
278119f456c09de2988f5ba91865df4e3c5af801a50ee42a06581b08a12ce2ae77eca5c1f0463222b1441a2d6eeed8ed00d5ca5b3dd46e93fe1305069472cdab

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
384KB

MD5
e16c3df1e753a01bce31d26725879107

SHA1
1217a84afa3ebfffdb88a402e5d369f7633d147b

SHA256
2a4080be1c2534c0837774e54150f4370e9d8c84b37b202002e77b309bcf6ac2

SHA512
f232f8045d1a2f5e88e3c1bed141e5281a6241932596f3f5ddb1ff80a2b6b257e92f8b4974cab6ddcb634a2138f6cabb973a877f822f672b1ea28b3f5a5a04eb

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
384KB

MD5
6db7284297ca3fb3e4c3fda18448a8fb

SHA1
c1869693fd6ef49760d64610b00b84e0192f8dfb

SHA256
6150c08d9cb4c3770a0d07fc7890a819add5901f005029197e8f20137bf82f8a

SHA512
d0c18366e16fc9680026785bebe6bc40ae5a38f2fc0d7303405a9b2a8eccbbd4901168c79487b8da73a604656bcc83456af5dd9ee49074c2fbe88ec61323e9ce

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
384KB

MD5
5f6b986e8c6d10a8167f6e82a484a67b

SHA1
920e3262473d828f114a9181a266e976d8d35e52

SHA256
c0f2ea1777119e7e5623a3aefc6b7e99f576fe588848e180cb3b265da3040b2d

SHA512
17bc29f9c8f6adf448dda3571c529e5828e96f215545c154264cb19966fd93fc676554313c8577646dd9014ab1a9273d452395fb395627d9b8c32dfa966e90e1

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
384KB

MD5
0dd46e2f2b9ae95ea0d1f74c838120cd

SHA1
6fff202300438ae8a7ee4cad7c1b45cfb6e06683

SHA256
6de8dc499ccb8f1042c409ebc5ffa588894c6be1533d4193c641707f9775ea18

SHA512
d07bcf6f0507902881bc61acea37fc23606d52ca9f9848c0eeaad9105e93772aa25595da34248ebf20d423af6e691c76cff8866171a3aa8aef633260a123483b

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
384KB

MD5
e0b7f373709785b3ed93db1c166467f4

SHA1
f8405f9d4608bcd3c7d9c8ed899666f49271d8aa

SHA256
d76202e17a3a33a079a43d3fdbb2d4895b250a6d4ff4fac33d13d704d75d3d8a

SHA512
430363fb6993f7f07513187e61658b80cc2d7a15b3801d12cca2a1a674b8e800ec5d6fe28270ac2806c9ab9b8e4c272316ae401af2a90b8fd5e5929dea221cb3

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
384KB

MD5
ac7fe8adccf1d2f303fb6f0a7e560630

SHA1
a94fd01ddc2cb5537528aa2ef270551a19dfd836

SHA256
edbccf9ef2be434d9284c5407f03d6dc9b1ccd0a69f5c0ed85fbd097cfad37ee

SHA512
c7cfdcb52adcc35386d9a4544b807c5d4af1a3529b089331921a3dbd372de6764344e463a2dcc74b8bd2fefdd60c4be67bd913c0537c81a7f76893621d2214eb

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
384KB

MD5
a324b321d6c5368233e87b1c352cc7c1

SHA1
b30fb7a140ec624eae144a4676aa46c3d9433d47

SHA256
a545694809f67309f5d4cf6d637179add000803a0707729615aa87c0871e3607

SHA512
9a0fd2ae64fdb22456ebb60d833ee7067e1e7e899628a7c5131e5a6a57b6f281f2b9c952434afb4f81169a2df67e64fac8d1aaed1dcf491b1a0dae5ce5b8aed0

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
384KB

MD5
850bb203016247cb939cf5b75c37e589

SHA1
8f2f8a84703db4c2648521327833a34e05b9dd41

SHA256
68fe993aeefe50bd79e6acc1915dcf9556054710e2c18eb047941b311156a5c2

SHA512
c1fc9597fc5ce8533903042f4064079fff5a1236092300e8f7ff0d197cca4416a383fc4c3a897b0c8d5e575a210d5214d35c830fa076566ee5965a97e24dc846

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
384KB

MD5
9e64d69e76ee9dd734de5f88152cdf57

SHA1
5561be30819f6f03acf575a3e46aff86c8e13902

SHA256
45eaae4c5d58e0005ab4dab01dabf99cc3ad0434fbd69600d7fa0cecebb278e7

SHA512
771128aba6b988bafec56192238a441787cc96dc060c8b327a745c0f56b1ef53cba501685ea4cc1083b664c80f98bcff818552c23edf7af7d13a25c8e2ab8e95

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
384KB

MD5
01ec295b6cc5a0b1f780eddee528f0c7

SHA1
5987c01e315ccd3b4e1c89aac449c6a357db2d37

SHA256
42801fd95c2efc5c5fb7fc7c734ba6debb952b44120b6b23d325ced0fb32e016

SHA512
41c4257cb3c762cc0b45e6f406c20834d545b02ca1610bce94b8b6268c26f186a5f19e92caa614418a4b9e339fb42e9056a72cd6c364e30518d14223f4ee3641

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
384KB

MD5
c25f8af20e6313f678d4723bade08067

SHA1
bbe33ab368cb5dd033d8eea1e298f306eb022de9

SHA256
f0dfc299e74cb0b22c5f0ae055a7a350eb7799b4744ee8cae293679870b58c72

SHA512
f7b56934a01341f7eb34cfd06f4ab748e6b8e9e98781df370e176ca7f1272968b98870656bcb555666bde06acfa93838a60141fc4b29171982d4d57934e0fd38

Download Submit
memory/228-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-596-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5276-1139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5988-1142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads