0d5b7b6422579acd17d1b73eb0921e9a27a0c2986bab5cba996e3eb126fb45d3

Analysis

max time kernel
138s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a24ad835fbc665b9a4128ea2ad619140_NeikiAnalytics.exe
Size

80KB
MD5

a24ad835fbc665b9a4128ea2ad619140
SHA1

e8f0573d29f9fafdf75f7e7e578e5ee41b023b8b
SHA256

0d5b7b6422579acd17d1b73eb0921e9a27a0c2986bab5cba996e3eb126fb45d3
SHA512

8b755ac82b5e4c683a20196914ce57333756a892a22c8cc9cbf77b25316a798b27cdfb5b2cc0886bae0b2d828c4d21076d0876104726ef8061975996ed2b722c
SSDEEP

1536:wgBtjWeffhZ5qMoZBIT78a2Lw0J9VqDlzVxyh+CbxMa:wKFWe338MoZBIT4ntJ9IDlRxyhTb7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eodlho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecmlcmhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe

Executes dropped EXE 64 IoCs

pid	Process
1604	Daifnk32.exe
3160	Djpnohej.exe
2644	Dpjflb32.exe
4412	Dchbhn32.exe
2396	Dakbckbe.exe
3340	Efgodj32.exe
1912	Elagacbk.exe
3920	Eoocmoao.exe
4920	Ejegjh32.exe
4352	Elccfc32.exe
1680	Eoapbo32.exe
1044	Ecmlcmhe.exe
4672	Eflhoigi.exe
4548	Ehjdldfl.exe
2264	Eodlho32.exe
4692	Ebbidj32.exe
4028	Efneehef.exe
2500	Ehlaaddj.exe
4504	Eofinnkf.exe
3496	Ebeejijj.exe
1804	Ejlmkgkl.exe
2524	Eqfeha32.exe
4180	Ecdbdl32.exe
2364	Fqhbmqqg.exe
4820	Fcgoilpj.exe
2812	Ffekegon.exe
4368	Fmocba32.exe
4476	Fomonm32.exe
4324	Fbllkh32.exe
4792	Fifdgblo.exe
3708	Fopldmcl.exe
2064	Fckhdk32.exe
4700	Fjepaecb.exe
2496	Fihqmb32.exe
5096	Fqohnp32.exe
312	Fcnejk32.exe
3604	Fbqefhpm.exe
4836	Fjhmgeao.exe
2788	Fijmbb32.exe
4224	Fqaeco32.exe
4904	Gbcakg32.exe
1312	Gjjjle32.exe
4308	Gimjhafg.exe
1768	Gqdbiofi.exe
2536	Gcbnejem.exe
2616	Gbenqg32.exe
2892	Giofnacd.exe
624	Gqfooodg.exe
1452	Gcekkjcj.exe
660	Gbgkfg32.exe
4056	Gjocgdkg.exe
1856	Gmmocpjk.exe
2120	Gpklpkio.exe
876	Gjapmdid.exe
2896	Gmoliohh.exe
444	Gpnhekgl.exe
4704	Gcidfi32.exe
64	Gjclbc32.exe
3852	Gmaioo32.exe
988	Hclakimb.exe
3404	Hfjmgdlf.exe
1972	Hjfihc32.exe
1192	Hpbaqj32.exe
2460	Hbanme32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Ggmlbfpm.dll	Dchbhn32.exe
File created	C:\Windows\SysWOW64\Hdgohg32.dll	Fbqefhpm.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Daifnk32.exe	a24ad835fbc665b9a4128ea2ad619140_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Gbenqg32.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Onkhkpho.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Lcnodhch.dll	Iidipnal.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Fmocba32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ffekegon.exe	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Gbgkfg32.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ebeejijj.exe	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Lbdfmi32.dll	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Ejegjh32.exe	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gmaioo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6868	6272	WerFault.exe	279

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampkqqjm.dll"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhilofo.dll"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgpaojg.dll"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inomojol.dll"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphbondi.dll"	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcioj32.dll"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddfpk32.dll"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gqfooodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 1604	3412	a24ad835fbc665b9a4128ea2ad619140_NeikiAnalytics.exe	82
PID 3412 wrote to memory of 1604	3412	a24ad835fbc665b9a4128ea2ad619140_NeikiAnalytics.exe	82
PID 3412 wrote to memory of 1604	3412	a24ad835fbc665b9a4128ea2ad619140_NeikiAnalytics.exe	82
PID 1604 wrote to memory of 3160	1604	Daifnk32.exe	83
PID 1604 wrote to memory of 3160	1604	Daifnk32.exe	83
PID 1604 wrote to memory of 3160	1604	Daifnk32.exe	83
PID 3160 wrote to memory of 2644	3160	Djpnohej.exe	84
PID 3160 wrote to memory of 2644	3160	Djpnohej.exe	84
PID 3160 wrote to memory of 2644	3160	Djpnohej.exe	84
PID 2644 wrote to memory of 4412	2644	Dpjflb32.exe	85
PID 2644 wrote to memory of 4412	2644	Dpjflb32.exe	85
PID 2644 wrote to memory of 4412	2644	Dpjflb32.exe	85
PID 4412 wrote to memory of 2396	4412	Dchbhn32.exe	86
PID 4412 wrote to memory of 2396	4412	Dchbhn32.exe	86
PID 4412 wrote to memory of 2396	4412	Dchbhn32.exe	86
PID 2396 wrote to memory of 3340	2396	Dakbckbe.exe	87
PID 2396 wrote to memory of 3340	2396	Dakbckbe.exe	87
PID 2396 wrote to memory of 3340	2396	Dakbckbe.exe	87
PID 3340 wrote to memory of 1912	3340	Efgodj32.exe	88
PID 3340 wrote to memory of 1912	3340	Efgodj32.exe	88
PID 3340 wrote to memory of 1912	3340	Efgodj32.exe	88
PID 1912 wrote to memory of 3920	1912	Elagacbk.exe	89
PID 1912 wrote to memory of 3920	1912	Elagacbk.exe	89
PID 1912 wrote to memory of 3920	1912	Elagacbk.exe	89
PID 3920 wrote to memory of 4920	3920	Eoocmoao.exe	90
PID 3920 wrote to memory of 4920	3920	Eoocmoao.exe	90
PID 3920 wrote to memory of 4920	3920	Eoocmoao.exe	90
PID 4920 wrote to memory of 4352	4920	Ejegjh32.exe	91
PID 4920 wrote to memory of 4352	4920	Ejegjh32.exe	91
PID 4920 wrote to memory of 4352	4920	Ejegjh32.exe	91
PID 4352 wrote to memory of 1680	4352	Elccfc32.exe	92
PID 4352 wrote to memory of 1680	4352	Elccfc32.exe	92
PID 4352 wrote to memory of 1680	4352	Elccfc32.exe	92
PID 1680 wrote to memory of 1044	1680	Eoapbo32.exe	93
PID 1680 wrote to memory of 1044	1680	Eoapbo32.exe	93
PID 1680 wrote to memory of 1044	1680	Eoapbo32.exe	93
PID 1044 wrote to memory of 4672	1044	Ecmlcmhe.exe	94
PID 1044 wrote to memory of 4672	1044	Ecmlcmhe.exe	94
PID 1044 wrote to memory of 4672	1044	Ecmlcmhe.exe	94
PID 4672 wrote to memory of 4548	4672	Eflhoigi.exe	95
PID 4672 wrote to memory of 4548	4672	Eflhoigi.exe	95
PID 4672 wrote to memory of 4548	4672	Eflhoigi.exe	95
PID 4548 wrote to memory of 2264	4548	Ehjdldfl.exe	96
PID 4548 wrote to memory of 2264	4548	Ehjdldfl.exe	96
PID 4548 wrote to memory of 2264	4548	Ehjdldfl.exe	96
PID 2264 wrote to memory of 4692	2264	Eodlho32.exe	97
PID 2264 wrote to memory of 4692	2264	Eodlho32.exe	97
PID 2264 wrote to memory of 4692	2264	Eodlho32.exe	97
PID 4692 wrote to memory of 4028	4692	Ebbidj32.exe	98
PID 4692 wrote to memory of 4028	4692	Ebbidj32.exe	98
PID 4692 wrote to memory of 4028	4692	Ebbidj32.exe	98
PID 4028 wrote to memory of 2500	4028	Efneehef.exe	100
PID 4028 wrote to memory of 2500	4028	Efneehef.exe	100
PID 4028 wrote to memory of 2500	4028	Efneehef.exe	100
PID 2500 wrote to memory of 4504	2500	Ehlaaddj.exe	101
PID 2500 wrote to memory of 4504	2500	Ehlaaddj.exe	101
PID 2500 wrote to memory of 4504	2500	Ehlaaddj.exe	101
PID 4504 wrote to memory of 3496	4504	Eofinnkf.exe	102
PID 4504 wrote to memory of 3496	4504	Eofinnkf.exe	102
PID 4504 wrote to memory of 3496	4504	Eofinnkf.exe	102
PID 3496 wrote to memory of 1804	3496	Ebeejijj.exe	103
PID 3496 wrote to memory of 1804	3496	Ebeejijj.exe	103
PID 3496 wrote to memory of 1804	3496	Ebeejijj.exe	103
PID 1804 wrote to memory of 2524	1804	Ejlmkgkl.exe	104

C:\Users\Admin\AppData\Local\Temp\a24ad835fbc665b9a4128ea2ad619140_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a24ad835fbc665b9a4128ea2ad619140_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\SysWOW64\Daifnk32.exe
  C:\Windows\system32\Daifnk32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\Djpnohej.exe
    C:\Windows\system32\Djpnohej.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\SysWOW64\Dpjflb32.exe
      C:\Windows\system32\Dpjflb32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4412
      - C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        23⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        27⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        31⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        33⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        37⤵
        Executes dropped EXE
        
        PID:312
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        40⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        43⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        44⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        47⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        51⤵
        Executes dropped EXE
        
        PID:660
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        52⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        53⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        54⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        55⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:444
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        59⤵
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        63⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3100
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        68⤵
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        70⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        71⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        72⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        73⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        74⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2908
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        76⤵
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        77⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4032
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        79⤵
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        80⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        81⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        82⤵
        Drops file in System32 directory
        
        PID:3176
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        83⤵
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        84⤵
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        86⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        87⤵
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        89⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        90⤵
        
        PID:620
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        91⤵
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        92⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        93⤵
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        95⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        98⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        104⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        105⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        106⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        110⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        111⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        115⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        116⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        118⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        119⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        123⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        125⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        126⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        127⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        129⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        130⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        131⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        132⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        133⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        137⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        139⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        140⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        143⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        145⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        148⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        149⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6252
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        151⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        152⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        153⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        154⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        155⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        158⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        159⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        160⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        161⤵
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        162⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6992
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        166⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        167⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        168⤵
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        169⤵
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        171⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        172⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        173⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        174⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6636
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        179⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6956
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        181⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        182⤵
        Drops file in System32 directory
        
        PID:7020
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        183⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        184⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        185⤵
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        186⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        187⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        188⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        189⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        191⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6272 -s 400
        192⤵
        Program crash
        
        PID:6868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6272 -ip 6272
1⤵
PID:6672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
80KB

MD5
4329619bcf75feb215843ba704f32fe6

SHA1
395dae7294a920a9afe312be78aab7c535e87a3e

SHA256
e40a1d84fe1ae76c7934ebfe7a5e078b721cb4f2974df7fe9324cfeb3220e34e

SHA512
60e2c1909a45ba2f5802bf51648587ec19af44860c99117e4ec4886c5c6318d32dec3034569a16c209f9b415bda9ef9eebd7993213305c0ba8943c3d6b32887e

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
80KB

MD5
a01501364bb40e567e91a5b3b34e2597

SHA1
23f36b6e42ba08a3ce4abd14e3f8a0a0f0ecd37d

SHA256
f15b7b5aa8539fe3ba471ac69a7fa12eea522c7240dcdfd110574a0738e55d4b

SHA512
2abf977c7ae4a0a7e5c1fe3d785bd80b028d17ade0738aa4dc7dd10f71949aff1a40bdbb931a93be7b091a25d3459abc28cff841b638996989c207a446b09936

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
80KB

MD5
161658087de18286b981421ada22038c

SHA1
625d60098f8c56b31ae874730e44312ceced9652

SHA256
3ec512bc99683f977f4d66746ffa15151b1a17beb1b4735de366aebf3cce24b4

SHA512
e0848b76b6466044ba18c2a86f5970fa9080af47e2780364cc75da9c20cf68d194eee9780814a36b52fbe5911fdadac65a9f874a32c1544a1c6dcb0bd640b32b

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
80KB

MD5
18ba30bf148dd8eb46835fcf36202cf1

SHA1
1c99aa5e5ae5c2d3545280c9bf09e10d0ad77194

SHA256
507355b9ee7b2fb426a10e78d029926689efb5a4d8479001a96f044f397cb611

SHA512
0e30e185f06b86e4806acf5fa126681920023c7efe75d3e8d9ea9825c393fe9f7a3121db69c7fab4466b313277a7bfd69666d009c1c0f9800dfae1495fc0dbd3

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
80KB

MD5
697e02455c52f74a7a2b400e1014aa27

SHA1
145ae973cac150c3ec7d3af0db9617ad7db38d35

SHA256
879e6a59d79f2c3059a29d4eec9dd31b984eabd4b46feef37c3d252683517067

SHA512
ccb4d37e5288622b11cbb2c8f18496323c3a1aaf82c2a3de2dcfa9234191e8fb7e79ffb4d5be39fb57096add90fca5a51c77135facf8d6ae22b5d58669e0ef97

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
80KB

MD5
307c50318d1951abc0224049d8f40eb5

SHA1
699f7a6fb8b3b1ed1ad386bed18486b232bc25f6

SHA256
0442a624e1323615e33b15e18b8ca5e5e88366031943759b212254cb16456142

SHA512
08c5ff2d308be5d645734d59452203136655b9be25869d5539d8113296564c7d32cc8188ce2f88f31324316f14b55206ebaaa5e01f7915cce902508c8ad0e682

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
80KB

MD5
79afe8000ff4ea0592c746697723f8e4

SHA1
a79858c06124ce7e69fe9c6628803f4983bb9331

SHA256
ca69ee05f03224ce6e0d4eba28fcf48a0efee270ca45ed8a28b278d85068f400

SHA512
7fa608e9e0ebdd284814438259e3fb0d6905da7745e3247714d2121fe8fdaa9491fe5648ac78884f06e67bf5a3d7e53e9323bc15ed472f31f773355d31391de8

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
80KB

MD5
1145d68f66595233228a50cc570f087e

SHA1
301993bd967a99092e83acf031190d6060a23cbd

SHA256
e0b2fb89332702eb0f3669664c9cfd128828e198b6c79b49bc563af9768a17f3

SHA512
9e26930e681ec7744b5cec1ab94aba03431894403b1c1c3395a1472267669e026491bfca7c629d006958f3c8e69e61c90396cfc34f5c84f53571f0103e9034d3

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
80KB

MD5
c0c2571c95a300384193bcca7fe03565

SHA1
9757a5e22eaca337ddd9f1ef1056691813b79564

SHA256
f2067f05184eace9ddccab0cd5a3faaee9e0638d3945d6983b13edb4c2e007e5

SHA512
4f1bf7b6c6d88e5ac9606edfffd3c2dcf9736d937e0dd7b2f2a8077777738e2321111e1e682faff500395186a2a4cc674b4ab334219b0332c5c330c587a0a216

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
80KB

MD5
b890ab897f9eda3e631dfc9aa48c06e7

SHA1
426c096211cbacc78d5a96ddd6a7bbac23fa1b82

SHA256
0ba93a2e2324c4d56cf0a7db3752c85bf896e3ce1ad762bdafbe6e101073d747

SHA512
9a2e9aa6cff85e9da4efc89b871fe5e498f92dea65ebaedc34af14967d43b072f5aab265aa1113447119f11de77772f6d176ba6907cbba5671c6d83f0170a12d

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
80KB

MD5
0343d5e684de4ec26931d3a693645c48

SHA1
2fa4e47cb0f1b8bf769f7d4bed2e0d4e386240f3

SHA256
355bff7c377e1dc0716a2ea7958df7329025402f7364f6293dec4e945d09c0d0

SHA512
afe0b6f30f39013c8dadfdcf120ee0689d4030da108c58589c39e01348fd7430aaf903849d60df8f8d5b39d037122b13bf9fe97f855dcaf7f8ee941b64afcf85

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
80KB

MD5
54ecdb409b31cf47b1713a7a10c7ba0f

SHA1
915d6a8e93e91a9759f3fe3a20787618ab0830ef

SHA256
15d99e48baa91530e68a70738ce22f6669bd65dc7b955d9c7254c2c1472741ea

SHA512
7b0a39ff03acd1d0f356a033ae1b2c05bee3461f3f95fae7d845ae9344f522c14f72f028e196ccc43d4163fba300e98bda32f111fe29793accf5df32216781ba

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
80KB

MD5
01e57aea2ad8d4df460c4d38c5091d66

SHA1
abc14064bc9698353b9545d5682dc5fa8008bd3e

SHA256
9d0152d5f59ac320ea5c6d424fb681837273e8b18934066dca4b550d0532c25f

SHA512
0652b08c1262da48cb115953458a9a10e1c5a9dc937ad7f81892130eaf145b29d0956b1c652de2d0cf9ca56db71a8155fd23850af684d7386cbbca50bbe5faf8

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
80KB

MD5
1a147db10fb52be813587c8c8fff60e1

SHA1
4c5c9187dc464145cc3f15eb3a95a7130648803d

SHA256
f3c66bbfa5b7b833a8aa8838110a8c357d93d13480a182d8022f7bf43286b2d6

SHA512
d58c58d855aca360dd816a16e452dcda80d698966042643213fd82c5e7126e308aed52c18b0d48af2176ab400cacfcd6aee96d90215f9115244bf24cad0807b7

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
80KB

MD5
1520f434f767dda296a8f62b5ebfcc27

SHA1
e41db591645243ef53df3e185253111d44f69fb2

SHA256
47825ea85f438495e1b0f9e68003a992bcc9d6ab291bfca510a50893574a1e3b

SHA512
10e661b49626330d24100a873be33ca011b0ca3c3eba8084e2199b5ffd70c1441eb59bfe2840609bc29080575a7b031e0d6b88487a639e0349e677d577372f6f

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
80KB

MD5
509504a21e3de9ed19167325f47efbc9

SHA1
398ecc7d6b29ebac95cf220c529da0616e0ab1d8

SHA256
0c8e8a041a2bd9d4b94447db8869691d6f39b09b9c7a966d0421b01eb0fe9acb

SHA512
35c0792ddd70fd78de0ce61e46294dacc8e2ef49cb4796e9c0ad693ddda44a83f3974e2600af3f822d4b9fabb9e12bbbe4005adcbd55ade98afd7c632b7781dd

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
80KB

MD5
d77346f12bd82175a888f148f2d42d08

SHA1
007ec8ee1296e60b8a0d6d5e3201b465a9560681

SHA256
b7297395809d1caf3fe09f5bb0e19179e3ebf3ce0ebeab4e4dcb4b2f1329a913

SHA512
9f5b2edb67cf72b670df30a0ab2779c4b1d8d2571bd5d7039b641cc62d93a641a0fecb3b5f3f085c543e0e3d2434c7f6b3900fe89c85678a7997e65d020deb8e

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
80KB

MD5
861a821a4a6e90b6f67787ef464914c9

SHA1
ff7a6b281d95f6b0c9f6f6f261feda581a41bc53

SHA256
b7b02087461b532a5876ef57abe080bcd36ed0850b00e3b4a6ca11c2649b7807

SHA512
e909930336f76e22a964d27b59ffc25a7365ac2d8a0eb3f17b993480d599725971344b54a5966bd051bac43deeb485fb7787d72a29c0ba089731f8415149e389

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
80KB

MD5
0b07ed88f37fed59dba43f3cb3db8678

SHA1
f579566ed6814867fa34f4e419bf031785f8f8dc

SHA256
522c9e8b60b9a94bde3fce83dfb33cea9640b34fbe1f7d555d03cd449e2d7d32

SHA512
55a1c2a0354bad0a899610dcc72cd7b1fe310d989cb897031e095ebbcba08a3eb12940152aaf4267a48985f094006a44f8e4c584b465558823a16d8d563bf9da

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
80KB

MD5
8997d6fc38306f4814e6e9a9e4a482f0

SHA1
bcfc6433d0175fdc67b68904076b7a66f7871533

SHA256
fab46817d535adc68ec85561f0021df69e542f010b05bb467eb33d403bc1ff56

SHA512
cfcf399ef745835d356a867cc1fbef65f5a147ed7f384977b408629e6e63919fb3f248439350134da4bb4dd68cb768b26c99e2c039e36b66361dc9c1ccccff51

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
80KB

MD5
71ffd9ff312648897038185f6af26b0c

SHA1
a13e35e880492f7e8f25c4ce4fa515ca2e5c96ab

SHA256
08ddbec3c3e5135172f44db8ceeb2820eaa0064a6186ba9ec90edfd71d3eaa0f

SHA512
435be733e338ce8188138ad4d5708ce9e823972c3d9af49aad7670e41eba754b7350c0147103d48bb97449b93810e9845372ff86d7c5017cab0c41535c09104d

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
80KB

MD5
cf325e2489031a417552ef99b873c8b9

SHA1
6df00d57f3abf69f1d84b1e1686ab65fbfd04be5

SHA256
1851e574c1502f9dac1bd46e43c3c3fe6b6b81968495008cbc9ec9df310bd903

SHA512
4cd248408ebd51883343d44f9a11b54f3f8c3a0d3c064325d2d5a7f55d0c9e49192e6bc23be20526d06d86b7555ae71835d69b890c858576e2b0f91916f99e31

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
80KB

MD5
8ea99a7866dfc6e53c900723c9f22277

SHA1
6088818722944b4d2644a65f023dcb7c6dbe9f9c

SHA256
81991a91db01c21a5b43464ae3111c56e16df74886195d36183e7148da5fd355

SHA512
385f81b7d2ccb6c18f11c15e9d81db1ba5545178a37884e455394855c4758201be8169918d204b5151a6b3403219883bc7c6bd7feb96e8540357813e78e129fe

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
80KB

MD5
55e75954818088ac6c81eecb6701784a

SHA1
a0c6c05ec1a0622f555b38357c6d101db8bcd5b0

SHA256
132e15d962646f7e67200741e28b7714062315bbb08e5b0df7441122f2c99b16

SHA512
4ea5685c321b25363c9be3b0538fd21663863ef495e240a46686356a3c793bc2bdf6f5bd90aa6076be173fffec14b9f93ec0458260f4362d3d89c33c7634be31

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
80KB

MD5
dce1b862dda21e6f6539e86e7053b49d

SHA1
47be5d635486ffed3566bebd0da4a7b4fb2a1a96

SHA256
d30d65e054a2f861b8c9ab13e1a129e091c41ba90f56203af6b44a47d42d017f

SHA512
1927754220838fae25eac94568505bf7be48f060419e6578ece2aefb2d1b3e368ff25e60732ffabeaf36d8cecb76774f853c739cb0f2515eac9268dc1bd7b465

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
80KB

MD5
189fb484996685cadb156d79af8ba8c1

SHA1
ca4a2e5d7054dbabecc8dc96b0b3e62f64cc12e9

SHA256
5bf1e6290a13f4e350db3cbd431b0d84867fca67a1ee7cf9f0ccf96165885df4

SHA512
6dd675293c4e5914a2ebd8260c914761a47d2b70c5b7954f42959b25400984ac80577406aa53d98d9abf2f6309e5d26c14c6843b16f02554da47c9df3f5f7e89

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
80KB

MD5
2b1dfa8fd8dcd5ed63972e872e5e954e

SHA1
464a051962c649797115b26fb277ba3901f9b27b

SHA256
db34bae167d447c6ecca04bfe1afb4d1ef69994a85eb4701c65357eac8d5698c

SHA512
1af919359b73a699c5fae248dcfa3240d0b20d709977e603b3a562910277df66c2d445e11db81ae1df478251b325a791876779398913906b52fcaae8bea2ebd2

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
80KB

MD5
ab738d3fd29956551fd65dc5ecc2b055

SHA1
5ad80afcc9611540a0d6c12937a33491b86e0da8

SHA256
f34cee541fdd8e40743b01ec5969e4626a7fbab691c246ebee55b0566084e08d

SHA512
298b21a62fa44c9248488334d5fd32b6d4e0b88e49fbd0f7cf7793ef42bcbb8cbc93e611c357411e7ed5033e3724d19afba72b90d1690d0d09ab1a60e78e7023

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
80KB

MD5
a4da4e200eafa9f7217ba2de8434fde8

SHA1
6dab41e02b89c76869a1426139d3596f285fd871

SHA256
7982712ea191808b5458b9bb666de0ffc8c16d5e24bda8a4266dd88e09db4737

SHA512
25fd1d1f49118c37887ab9f00fdaa977a7ae63ba58e52ad0f7525d211398683b513c0dafc096e22d6e2c163d9f67ed7948b3f5e30bb7526c0aa75472ff90853a

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
80KB

MD5
b1750aa39af5cc1675c85d60a60e3f02

SHA1
5a9240d18e166634d332d794fec3b5142452c4c3

SHA256
1ebdc010e9df98de5f027209ca5cfae98a16d8db7c1a6751b3274b40ec8bcbb9

SHA512
0b2ec04ef7dc8e97674ac92026554609d6a9a3de139df9ea38adf25f03682d07427aca1a003956566edc2fdfdac57cc203b89bbd7dc7f4a73bf3963074b97850

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
80KB

MD5
cdb9a4d4b23ca73e3c71e525027bf764

SHA1
1d66218e4daf6338189fc8fc82d98950106cd7f1

SHA256
98378891c0af9898565d1543eb82ce7d902b17a9067790fb767765eda03c9afd

SHA512
8e73ab923b3a8c13b92863160a08e1765dd460fea0af4961b1f06aa56efeb85a6fe6dfd39cc7fe0f1e95d6f57ceb093b6f0f8f8db5862592f60fdd7dabd87cb5

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
80KB

MD5
7fe779ce99a0fb4298a681fd03ac528e

SHA1
f363c43b0e430b090225de549336436e6e354c15

SHA256
2c97ca967c8ff54e75b7f0b9e66f38f11476999073377fbfa136d1aa046c01ac

SHA512
dbb47dea1f638e385d6e23f8355d56590bfaf66eb41b59120a3919ba011375b7ac488ecc53a709885b385e418ee694595987fe8d89cba176878d473090ff0e0d

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
80KB

MD5
9fd8b54cc23db440da6d01d254f52f08

SHA1
70a1440c5ba633958a25e2ce918c87c4e5ece222

SHA256
c72d9e742db581079263556e1d43065d17edbc861ab17512d9320146c058b006

SHA512
7dd0e2208fd0116731163ae6a0d7428575720c54e030cbcaa943dc9cf8e50d85207159046981ee65ed4991e739aad1e7014188caee205f0aa4e59a8c2cac9e4a

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
80KB

MD5
8b993a28c10d25d032812b83b6556973

SHA1
e80de5354aa2f33b0e3b11fc6060c4e28d6d4c43

SHA256
5a05a6113d1f4cf16314e286a1b0c454245cc7f10cb524425ac59b95ec11073d

SHA512
8475c9762fea64b6a47dc33f58d0b41a41433c000f2424d8c208886d9df9637dd5bf2507d5b5ba774763e8dfb1fff7a9bff1d616f2ce7f02d7a9171e67ff5861

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
80KB

MD5
9b278b8922f35a757c687a0442f9681c

SHA1
ba5ed2b13bfc06c70a494ddb4c7e8849ecba2e79

SHA256
d64d3f3ebb29b6d508baf63c527110840135acb27243414928a99dacc96cb091

SHA512
5b15a95879981b0cf8614c3c4616b901885701913de773896a33dbca231b90ca06f0481913bbcf7f74c889094e54449dfd93f1ff3ee59f0b126dac66024cfba4

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
80KB

MD5
4dc22f51d22858474635dbe76159e182

SHA1
700703da5e490a2408c7e0b6a00606c3de2ae485

SHA256
0fe2888d2d14f7e9d0957932b0554dd1f7a1a70ce0d729079d31bcd0706aaf3f

SHA512
70526d7f08327642228c3a124c852812f3520acbba38b10eb1257f150b260510060a907903b0c4a5da5cdb3c08cce84a973f9cbe2010607a210934513501bea9

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
80KB

MD5
9d13636ffb208280de9ca5228f833ed4

SHA1
1f32ee4ea3f7ee5d529bf849dba22a5b929ff5c5

SHA256
5decd4a328eb19f05685df49d2403248b9fd57e5d504433262af9a3837f51a2e

SHA512
dd29457a3a73f8b4689b839f278a8429c78553e1ead3ebcda3a4505d1a964b6c28febe3d4f8e73fb0ce6d1e3bcf7987f9b10ed2e223f33b779c3868f1fa2e00e

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
80KB

MD5
4663d1c821084bb8a08f9204516980db

SHA1
fcb4edf7eebdfccbe615b88cb41f91d8d8f6a7a7

SHA256
8a3ed47db915a08de7a010b0370ac86eb78c24dcbe49b7bafff00bb12a13f60c

SHA512
5d8193ad0cf3897cd449b184eae10fb47babc0f78879316cb068f138288ed33e5206d0270f04653ed3fe0b2078385278d37bd59c070dc7d0906c28c3dfa0c1a1

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
80KB

MD5
0dd5e018e4df48463319b120b6c98525

SHA1
3c79a2a1becb7668ebcd837ee01efb1a9d570d81

SHA256
774794c652d7ac0af06c8acf5104cdc9a9e5cdb2f0d4c29702815e65b1983f71

SHA512
5280bda955c551dad9da935319cf91cc71ebe4fe12b0636d99bc94cd35da7b1e4487f525a5927ddc31fba9fa97586fc6f7b3a8625342db685560b551b83b85e5

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
80KB

MD5
6613092390840b667b8dd6f4240102aa

SHA1
5540eb103a24dad2ed7fe35cedd7dd733574a169

SHA256
bbaad2fb7a25936d8e497d6ea9ef3808dd1d79465bb3bf7e1ef92406a5b6f84a

SHA512
5a4b26c3b7c3b8f7892b6e3aacfc897815af012837c417fc54f041569271bc79bd84cf87496ff6e21c17bb5e9421a66e6d1fcd43e312ec3d5b0b92c429f60fd0

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
80KB

MD5
3869dec9abba92dfa01a412f1f3f22eb

SHA1
49f40a2e738638c0359d7128a554e9723203352d

SHA256
c34d386b56702e97475153169161ec7fde0c0cedca3099c4ada6b3d2b763290e

SHA512
03a3cf09ec91f3ef4208ac43433823025d88fe8c58ab3a9ccbc3d2b60ea7b8f1fa23c77b4d3b141e00122818fc0d34376cae54eee25c04fb182149dfe829d273

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
80KB

MD5
732348a7157e90aae4e5f0eaca919bb6

SHA1
ed09b9155412c3adc96a5a81fb4ea6ab24f21ee8

SHA256
d6450fd685c1e56c8072af5e83cd306b3fbf5fae96e5c95cabeb8652d2d03904

SHA512
8d348f235940e32652f0c38719086cf9c2458a4337071a00e0a2eecb88d2ab1a3a375610eb70b555f6f3b557b2d01ae9f4d5d2e568882e26334059f0ab69bb34

Download Submit
memory/64-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/220-595-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/312-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/444-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/620-607-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/624-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/660-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/876-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/988-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1012-575-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1044-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1192-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-562-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-537-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1588-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-570-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1768-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1804-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-609-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1972-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2064-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2616-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-584-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-513-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-544-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3160-577-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3160-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-556-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3340-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3404-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-551-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3412-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-589-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3512-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-564-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3708-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3716-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3852-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4028-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-531-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4056-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4180-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-601-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4308-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4324-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-38-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-578-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4628-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4672-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4700-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5096-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads