21f5341df2f8de9d81bc736c0a735edabf92f72d88b28d357c2d0b16fc544bd3

Analysis

max time kernel
140s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1e27a790353c97196307af7064c9d90_NeikiAnalytics.exe
Size

1024KB
MD5

d1e27a790353c97196307af7064c9d90
SHA1

e7fdf6cf31986f5570200dcf4e96aee03215bdaa
SHA256

21f5341df2f8de9d81bc736c0a735edabf92f72d88b28d357c2d0b16fc544bd3
SHA512

10a2d1aa64535914516c97643722effa282bc3d22da23e170ba9e84070df6e1b94f7b9b021293e3a5aacfc42cd265ec34b5942149934301c7acaa4f9a760059f
SSDEEP

12288:i94RSfkY660fIaDZkY660f8jTK/XhdAwlt01PBExKN4P6IfKTLR+6CwUkEoH:i94R6gsaDZgQjGkwlks/6HnEO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debeijoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cidncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhlhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqciba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dlegeemh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d1e27a790353c97196307af7064c9d90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe

Executes dropped EXE 64 IoCs

pid	Process
944	Cidncj32.exe
2876	Dlegeemh.exe
2664	Denlnk32.exe
1084	Dhlhjf32.exe
4484	Dpcpkc32.exe
440	Debeijoc.exe
2892	Daifnk32.exe
1088	Dhcnke32.exe
1840	Elagacbk.exe
3908	Epmcab32.exe
2376	Eoapbo32.exe
4624	Eflhoigi.exe
4956	Eleplc32.exe
4572	Ecphimfb.exe
4180	Ejjqeg32.exe
3128	Eqciba32.exe
3468	Eqfeha32.exe
5016	Fjnjqfij.exe
2328	Fmmfmbhn.exe
448	Fqhbmqqg.exe
1928	Fbioei32.exe
5068	Fjqgff32.exe
2412	Fmocba32.exe
3776	Fcikolnh.exe
3388	Fifdgblo.exe
1916	Fqmlhpla.exe
5064	Fckhdk32.exe
3248	Fbnhphbp.exe
4952	Fjepaecb.exe
4612	Fmclmabe.exe
1396	Fqohnp32.exe
888	Fcnejk32.exe
468	Fflaff32.exe
3752	Fjhmgeao.exe
3640	Fmficqpc.exe
2732	Fodeolof.exe
4880	Gbcakg32.exe
32	Gimjhafg.exe
1588	Gmhfhp32.exe
4232	Gogbdl32.exe
1816	Gbenqg32.exe
2172	Gjlfbd32.exe
432	Gmkbnp32.exe
1764	Goiojk32.exe
972	Gbgkfg32.exe
3024	Gqikdn32.exe
852	Gcggpj32.exe
2720	Gfedle32.exe
3204	Gidphq32.exe
4896	Gqkhjn32.exe
3316	Gcidfi32.exe
2340	Gbldaffp.exe
2016	Gjclbc32.exe
4404	Gmaioo32.exe
4708	Gppekj32.exe
2528	Hfjmgdlf.exe
1432	Hihicplj.exe
1800	Hapaemll.exe
5028	Hcnnaikp.exe
4452	Hfljmdjc.exe
4648	Hikfip32.exe
2976	Habnjm32.exe
2548	Hbckbepg.exe
1440	Hjjbcbqj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nokakckp.dll	Denlnk32.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Dhlhjf32.exe	Denlnk32.exe
File created	C:\Windows\SysWOW64\Honckk32.dll	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Dhcnke32.exe	Daifnk32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Eflhoigi.exe	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Denlnk32.exe	Dlegeemh.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gfedle32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Fifdgblo.exe	Fcikolnh.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Dhcnke32.exe	Daifnk32.exe
File created	C:\Windows\SysWOW64\Fodeolof.exe	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Plbehnol.dll	Cidncj32.exe
File opened for modification	C:\Windows\SysWOW64\Debeijoc.exe	Dpcpkc32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Fbnhphbp.exe	Fckhdk32.exe
File opened for modification	C:\Windows\SysWOW64\Ijdeiaio.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Dpcpkc32.exe	Dhlhjf32.exe
File created	C:\Windows\SysWOW64\Daifnk32.exe	Debeijoc.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Jcgaen32.dll	Eqciba32.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hihicplj.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6180	6048	WerFault.exe	231

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Debeijoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlegeemh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjcpe32.dll"	d1e27a790353c97196307af7064c9d90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcglnp32.dll"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epmcab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmggiogn.dll"	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epmcab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llebfo32.dll"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobgoedj.dll"	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 944	3364	d1e27a790353c97196307af7064c9d90_NeikiAnalytics.exe	82
PID 3364 wrote to memory of 944	3364	d1e27a790353c97196307af7064c9d90_NeikiAnalytics.exe	82
PID 3364 wrote to memory of 944	3364	d1e27a790353c97196307af7064c9d90_NeikiAnalytics.exe	82
PID 944 wrote to memory of 2876	944	Cidncj32.exe	83
PID 944 wrote to memory of 2876	944	Cidncj32.exe	83
PID 944 wrote to memory of 2876	944	Cidncj32.exe	83
PID 2876 wrote to memory of 2664	2876	Dlegeemh.exe	84
PID 2876 wrote to memory of 2664	2876	Dlegeemh.exe	84
PID 2876 wrote to memory of 2664	2876	Dlegeemh.exe	84
PID 2664 wrote to memory of 1084	2664	Denlnk32.exe	85
PID 2664 wrote to memory of 1084	2664	Denlnk32.exe	85
PID 2664 wrote to memory of 1084	2664	Denlnk32.exe	85
PID 1084 wrote to memory of 4484	1084	Dhlhjf32.exe	86
PID 1084 wrote to memory of 4484	1084	Dhlhjf32.exe	86
PID 1084 wrote to memory of 4484	1084	Dhlhjf32.exe	86
PID 4484 wrote to memory of 440	4484	Dpcpkc32.exe	87
PID 4484 wrote to memory of 440	4484	Dpcpkc32.exe	87
PID 4484 wrote to memory of 440	4484	Dpcpkc32.exe	87
PID 440 wrote to memory of 2892	440	Debeijoc.exe	88
PID 440 wrote to memory of 2892	440	Debeijoc.exe	88
PID 440 wrote to memory of 2892	440	Debeijoc.exe	88
PID 2892 wrote to memory of 1088	2892	Daifnk32.exe	89
PID 2892 wrote to memory of 1088	2892	Daifnk32.exe	89
PID 2892 wrote to memory of 1088	2892	Daifnk32.exe	89
PID 1088 wrote to memory of 1840	1088	Dhcnke32.exe	91
PID 1088 wrote to memory of 1840	1088	Dhcnke32.exe	91
PID 1088 wrote to memory of 1840	1088	Dhcnke32.exe	91
PID 1840 wrote to memory of 3908	1840	Elagacbk.exe	92
PID 1840 wrote to memory of 3908	1840	Elagacbk.exe	92
PID 1840 wrote to memory of 3908	1840	Elagacbk.exe	92
PID 3908 wrote to memory of 2376	3908	Epmcab32.exe	94
PID 3908 wrote to memory of 2376	3908	Epmcab32.exe	94
PID 3908 wrote to memory of 2376	3908	Epmcab32.exe	94
PID 2376 wrote to memory of 4624	2376	Eoapbo32.exe	95
PID 2376 wrote to memory of 4624	2376	Eoapbo32.exe	95
PID 2376 wrote to memory of 4624	2376	Eoapbo32.exe	95
PID 4624 wrote to memory of 4956	4624	Eflhoigi.exe	96
PID 4624 wrote to memory of 4956	4624	Eflhoigi.exe	96
PID 4624 wrote to memory of 4956	4624	Eflhoigi.exe	96
PID 4956 wrote to memory of 4572	4956	Eleplc32.exe	97
PID 4956 wrote to memory of 4572	4956	Eleplc32.exe	97
PID 4956 wrote to memory of 4572	4956	Eleplc32.exe	97
PID 4572 wrote to memory of 4180	4572	Ecphimfb.exe	98
PID 4572 wrote to memory of 4180	4572	Ecphimfb.exe	98
PID 4572 wrote to memory of 4180	4572	Ecphimfb.exe	98
PID 4180 wrote to memory of 3128	4180	Ejjqeg32.exe	99
PID 4180 wrote to memory of 3128	4180	Ejjqeg32.exe	99
PID 4180 wrote to memory of 3128	4180	Ejjqeg32.exe	99
PID 3128 wrote to memory of 3468	3128	Eqciba32.exe	100
PID 3128 wrote to memory of 3468	3128	Eqciba32.exe	100
PID 3128 wrote to memory of 3468	3128	Eqciba32.exe	100
PID 3468 wrote to memory of 5016	3468	Eqfeha32.exe	101
PID 3468 wrote to memory of 5016	3468	Eqfeha32.exe	101
PID 3468 wrote to memory of 5016	3468	Eqfeha32.exe	101
PID 5016 wrote to memory of 2328	5016	Fjnjqfij.exe	102
PID 5016 wrote to memory of 2328	5016	Fjnjqfij.exe	102
PID 5016 wrote to memory of 2328	5016	Fjnjqfij.exe	102
PID 2328 wrote to memory of 448	2328	Fmmfmbhn.exe	103
PID 2328 wrote to memory of 448	2328	Fmmfmbhn.exe	103
PID 2328 wrote to memory of 448	2328	Fmmfmbhn.exe	103
PID 448 wrote to memory of 1928	448	Fqhbmqqg.exe	104
PID 448 wrote to memory of 1928	448	Fqhbmqqg.exe	104
PID 448 wrote to memory of 1928	448	Fqhbmqqg.exe	104
PID 1928 wrote to memory of 5068	1928	Fbioei32.exe	105

C:\Users\Admin\AppData\Local\Temp\d1e27a790353c97196307af7064c9d90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d1e27a790353c97196307af7064c9d90_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\SysWOW64\Cidncj32.exe
  C:\Windows\system32\Cidncj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\Dlegeemh.exe
    C:\Windows\system32\Dlegeemh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\Denlnk32.exe
      C:\Windows\system32\Denlnk32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1084
      - C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        24⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3388
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        27⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        32⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        35⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        38⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        43⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        48⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        50⤵
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        54⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        59⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        66⤵
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        67⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        69⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        72⤵
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        73⤵
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1124
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2112
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1272
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4864
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        81⤵
        
        PID:664
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        82⤵
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        84⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3440
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3212
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        90⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        91⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2932
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        93⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        94⤵
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        95⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        96⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        106⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        109⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        112⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        116⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        117⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        118⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        119⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        120⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        123⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        124⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        126⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        130⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        131⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        132⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        138⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        139⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        143⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        144⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        145⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 428
        146⤵
        Program crash
        
        PID:6180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6048 -ip 6048
1⤵
PID:5320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cidncj32.exe

Filesize
1024KB

MD5
5c5ac69b71b26e45a079b767fca4de4e

SHA1
84ff1233b75867fe99d7b23bd172c2aa8fa5deb3

SHA256
f8c20503eb9f5c80bd50c07ced6e387f1723acc7f6232d92e712e3c910c53d94

SHA512
af395a45ea98f682094e5390d84a07037b1cd1b2790172f0d493341c8b4c4bb3e299785fdb89d0fa9c3f8c3ce0b25ded444a31b1a9fed959a640b171d9975fe6

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
1024KB

MD5
5bdea1d2ae7bfac4ff3ddf267de2c177

SHA1
5ac1fc65312733249402e5e4bdfa9f6e2f0ba1ce

SHA256
68167330363ae78b4bb0163d656932d5fd5e74e84af4a7c3e1eb278a8b49c7b3

SHA512
f37c38a9781bd650a3fd762801c0eb454efd2ae760322619b22c23a845721b70b1bb45a1b5fb6867c0c2226bf7c7ebc2e4ff93d9297ebb4ee1556b28f8d7ee53

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
1024KB

MD5
0bf3a05efcfdee4d7fe57bd23da71a90

SHA1
6b5e5364af49ed73a7547c2018a7549ce4081fef

SHA256
7cb0d9a142757abd461b5e67401301b0175a8ab99c900bd53cc6b001113e5b6d

SHA512
88da9eb163fb344bfb46c9c015fc586898c2e351d338717c8b4dbc3b056d35837691815889f6a6e4a937cb1d6e38cdb6eb614a8e32b135cb23a42e2be709e00b

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
1024KB

MD5
1ed56f8fd406eab180b6eb12ca6700a6

SHA1
3a7b2130a7ba8920c54714b49079675120b26f92

SHA256
5163562b85d0b416916b49a9c8c9a59b655765bc38643527d229c397f0acdfd3

SHA512
93d4a294ed2792f37a4692debc3043245f817c28f9808a2317458c32f4b744ca8d5fd8e4ab27469590db2a22bd7c03644391c1fc910441e70a440876bf4387e9

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
1024KB

MD5
d715140c421cd2aef9834a74a4cb768e

SHA1
d18ea055a65a7595c71f780ae31acacb7138ab79

SHA256
fa102a6ed2b93d33160c91e002d3bd4b519c47570a2a675557ed92671c1c86ca

SHA512
781c8c5844ac8a6361c19b1b863f5e9dbe74fb29f765cabf50ba940d58828c92b97abebf786549f1436f745a037a197f7db7ff6ed6fa1c2c81d65870ed87c15d

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
1024KB

MD5
d9755afdc06679b6b068a67d638ff5cb

SHA1
b6b0eea3817409850d43b2e7359095c909b75059

SHA256
595a27a27989e470051a87eb2cb78fa737c815eb29c11a9748d0d46fd95f6aaf

SHA512
99c70c5d06228aff6f7a4426e8b4d3989e0ad3529ff7cf7367aaa54fa83c6a8536deb4057d510e9d281512d2d7c94db9849eb9b22d918f32355c4fc026afcb30

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
1024KB

MD5
a4fc846b9282abecb7e490ac94e064b0

SHA1
122b9b37066bf4adcf9b02209d762678f34a4a37

SHA256
56bf3b28f963b84ac4a97fd16c9b009e03439e88872a8d2d4b7ce8108a62bdc0

SHA512
202ed824cafad378c34881173fa308cd5c44ac95c26de8b522e16a96733f0ca0ce72862f13ce6fcb595f1fba5e674ca47e026fd1f2742163b7bd442546d2b183

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
1024KB

MD5
a5a0a9699443d3cba9a328b3907ef825

SHA1
adb96edf99377669e8391ead2627109e197f5e47

SHA256
e133ef85922df100a1085af10dd17a8c0bd1a5917a8b0d41fc8773353768cf28

SHA512
dcc5f9f9dc245587a5ff1e4baa9cd05952971b0112381cfe1758496ce940c0a385e197ae4b00e339d606b519f0418f9e889282f3840a7ebe6345dda17f823601

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
1024KB

MD5
dd9164c6c16350ea0e007c9ef76ff9ae

SHA1
2c98ea390fed7cb6dea28ca7a591fe738c355ae5

SHA256
a8092d3ddf9a464943f6f8f3768942ea7b0150a8ae7bad4bc2ab6941ea8b4d64

SHA512
c236c333fe63702ef300d552ddf022a637e6aad2afb84aa1d23adea8a257818328518d039f203d41f165d22fbdad9309e8a44640a8715719b121da1b20542252

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
1024KB

MD5
3785b3ef2ca4ef83f054669bfbe35a73

SHA1
edb14b99d4b870c08a4e4430d3c169469799d7e8

SHA256
232b228e06ac1e84e7d1815a7f25e5b22816bf71be26d1f345361a5f2b03d59a

SHA512
c146e4fa0e183983e722654cef2c33c00673d59df2397076f4fb86973273eb8753e08665e66db145a1136a4b575437610de5af4fb8d37a0ac5dcd0487314b5da

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
1024KB

MD5
5b3ef213fc07fb3479415956ade451e3

SHA1
7b14d64396db2f0be24f044bfebb5ccbfc972eb0

SHA256
78636d86a7e88587260275de95968e847204c9ae2b72f7598e886241c26926e8

SHA512
d5f4f51a52707a464421d34e4821fda814cd60a7785449bde690d36070f8e2d9a299914c47e5c6824ebee8aef9b00076c3f4c6920ea173e76fbeb9f59156db28

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
1024KB

MD5
a068c0a13c5e8b62b66e545ce4439b33

SHA1
9bd64d1c7489ad6713291664e24c8637e2b577c8

SHA256
aa127a1aad1902b55350ef7ff69aae9d9c0e463a2e66f066c61513964fb344f0

SHA512
efaa7d22f21fe0cda98e6eebd92e7640c65b17a8c74a0aec17547d8b377754b70a3940a4113dee31d840d2328fa33ba830bf1b46137a103e86872be834805178

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
1024KB

MD5
f15d818303a20df999e44cef1f33fc44

SHA1
e9936031db4a3d8bcad975649881ccd3f781a785

SHA256
9b490808cedc7305d797caec3c34585007c3eefdf39d992c90caff60937c2730

SHA512
842e0737b4a109641b160f57774835bcb91fb84d1372269b9fb3983235120f0796529acabef196463fcd9dd40f7d8ba3fbe62632bd3b7ac9e3ba58856876a246

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
1024KB

MD5
634d37468cd54337743af03549dc53ad

SHA1
7b8166397457c17f8d035ae8dccbad4b3df173a2

SHA256
5ba313849d6b3c73a84b2ffbf3bb4a5da96bcc325d1225b427138486a2c6510e

SHA512
e249b71488c4ab52306dbf54976d9251e42a7837c1ca947b1f52f5e4aaaa3b6849dbaafc82d3e5c0caf15e74bc6f6e4a6f75782f3dc439039cc1a3755fc75441

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
1024KB

MD5
a2c7cdd0f1bb6ccd68aa67536417c8bb

SHA1
7aeeb370be9e537d897bcee4e2a31037afee379b

SHA256
f912aecefcad61c893aad8803a621073077c1d4fb37a4ec0d2234e3a2b4f66a1

SHA512
ac3f03bcc2643518e1759c1fa9dc06c2421820693f25197304841d610e38c51d29ede8069ae868a6eb0cd82813f050c5da4dfe4c06241633629cadf7bb43af78

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
1024KB

MD5
b62c8ff20fee5e8c9b71da671ae82c34

SHA1
88ca00ed540fa22522c57f57e46c805740cdd525

SHA256
435656e70659c687dfcb3b318aa217b94d486dafc1907a7c838bd6f6d69a09d6

SHA512
60e4aa762544141d9d43698d37e661d1f1cd2e1c0c66141d39d3be9528ba01de8f0996c3d30d6b3829f330b0d1adea6a4599b25bf85f62a2d8bf37ac9bece6cb

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
1024KB

MD5
728cc158c085873eeca2070ffc832736

SHA1
8b8fd8caa33bc943f173923c917222057a0606cc

SHA256
debbce0932dd3354c0b35c1a7a5eb40524b0b45124f536dd7aedeffac81d4ee8

SHA512
0ccc0f928a25d56f19c5ad7bc27a150a81c013ace7685e79ba70675bb43244656d988ec9b159826f13bf5e12810ec5e28f101448571b7acc87a56e9aa9edd697

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
1024KB

MD5
aa27683e78e5bf9eb914fd10f39ae705

SHA1
a80338b8083d9971865fb58e2279162d63009495

SHA256
10302e2a1b4fecb96eb4dabd81d32baa0b9c516cd7dbfbe1cee9b36311cecb13

SHA512
0a6e58f9681a395e2908917cfdc28c6834fa1922e3f16e7cd0bf0b22b8906cb9ab24938d1d0fcd5eb74ab012ec1a9b845225ad74838d4567648236a0e56b8022

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
1024KB

MD5
5c7a1c127025dfd10ec97ce22efef84b

SHA1
8c981228ad95142154b36ab99f50c6577325601f

SHA256
bec04580d8de54ec74f7b0271c787d2af7610732b4e68ad7b473f59231078b4c

SHA512
640f734b209409b39e421ca7a7e8c40117f809418f23838212ce1d4f0bfa01b848b9a69ec45aacffb103bd4e3dbb35556beb5b48a35446054a040f5aa80935aa

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
1024KB

MD5
f8f44ac1ab3fa576f0d01c907b9cef92

SHA1
ff1609a78314e76fe4220058428cfa808b4e6aff

SHA256
536d8e63b51cae0946c737aa37c50aefc2b310e8b04e1b447959ca051f9363a4

SHA512
4c2fbd4776fc131ced9f425a251028524771afecd2728dc62680c1574e46222ee0a4791d5cd4074ab29503cc5a31d83a6240c543201da805ee4f4ef08219ac52

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
1024KB

MD5
4e1a0397c7d8e24c7ce5b15d25f5613a

SHA1
f97833025dddd611d2630dd1360318c08a436c26

SHA256
380703f6a2cab5b791ca8a285abedd7c49962dab7326e94a81ab8a814dbb8ea5

SHA512
de0539873e72de43ffb872f4fd07db0de9e77865b00b9fdfee1fe3589fc7623442ef77466bcc2b4950d28594cdf7760fe21107a38761e6d0f434573da9b677b7

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
1024KB

MD5
496e2b90357fd3e6f78e484e6976e935

SHA1
273f42cdae05cb2b10ea79074a21188d187ccd75

SHA256
7af9d698255917040d7363261b179e46ee38c1cefb8d0146dba8cc5ec141f14c

SHA512
36b0d36ad67a08789250a228983302bf0b7a2c3c2f14285deca99480419b8d9c372c7d2d7f7f63c9b67ebc3bebc66e3da5e2dd27244875cd49c59a2caebce8de

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
1024KB

MD5
c83b5cc008105b7e4112230c73874b13

SHA1
9905b4686cdc15a315d7945c35535ad23cb9e72c

SHA256
0b0cd3e47a02b5bd41a0c04ba3af7d7a873449e1afa7b764517b608d80f87a53

SHA512
a6ba54ab2f425bad7eaa84cab30abdc8505f8528ab0e49c305b53a76bf8b42d79c1f4aa0fbf5b9dea4a37e57b3d044586dbab82ded5f5e1d2f9bf2d8c4acec99

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
1024KB

MD5
7b041c2d6c46e6230c87d2a3ee1ea77a

SHA1
51c0194deba97cacb902b3d3203c8f0fffe59d18

SHA256
a4df7e209f1e30e38ef8100c4ee4a8b87da6a2e854afa636845dcfa2dc57a7b7

SHA512
35d163d044f8b41d78fbb643e0bb3ea62bd5ddb0dbe6302f75cece3fa482f062bd53d3be8fd703d6a77957d86f5dc1e803a35ac079fd20e474c129784808d08c

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
1024KB

MD5
382b4ba25817de985a804fb02b022aaa

SHA1
f5dccc1bfd225662dbfd85dcc9b14b63b67a8199

SHA256
fa3abefc9f927d17f507a7a88bc1fc456f4e78df75acc161c954d1680a856dda

SHA512
1d04dd43b4601cf924812474c57ed621ea076f47f59abc97b19b3d8385f661b47638b0e572fefb9b5f5b43c700e37b2f7b5443c7a4ba760653d4f05de4783b77

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
1024KB

MD5
338f2e442cedbb5b99936dbd142bbdd2

SHA1
17c5ab6f04c53cb981628266f00c2f94cfe4af6b

SHA256
40a0693e193b90a8bc341dd5dbf35dbd2d28c2cd3ea0ee7653fd38993260a1c3

SHA512
fe0a32bc401f3a557188fae8f2099d1615abb25c45aef0fe8bca97085d831577a30c017b6915b406e9a8966de792bd8ba48b9b03241395e278b1b2590c8b5c4b

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
1024KB

MD5
029e02a4d3890cb0e2d4bef3625bb5fc

SHA1
e727fe6276382b1a2e36365b2aea0dd2a9578ce1

SHA256
ab0fe5a0344db1332f50b9eace03b54f0e2c348475554a564afe50f074149309

SHA512
5c386ed1854a81296a61aacdfb45e5cae69f3c4764d20cc67575e3582d8f1df1008f60bf10726ab32d3606c686740cbc97ac2fa11cfd8b108cb18665c3cece98

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
1024KB

MD5
741fea78247dc16e821c8712f58f7a5a

SHA1
34dd4f2f5120d04ceeee895999dfb41ba264f9f6

SHA256
aabedf5a7444286173df9ac82b0474604b950e473bd7dda5ded20bd6c9c16eb8

SHA512
80212b78814dccf062b60b1e146f5d1213c3f3fe8cd42bcd44b40f0813315ffe66ef5bb85848f994a86ed7d9b4c08992fa7c22568304b2a6d66baa7ba70efa24

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
1024KB

MD5
514eb1eaff03cbee1629b52bc9f0042a

SHA1
18282bbe8276e4e84a81eea5415a1036434d376e

SHA256
81fef0e17cd310f438f0eecca920659d7c0011339c537b7a107ce4abf0b8cc70

SHA512
e06de50f3bf0ad32b2b7283ad85845cb8d012333df023edb17caf29189cb3a9a311720e0131a4624e1a1a304b7618263519856298913e437e7cb0cabf6ee9c06

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
1024KB

MD5
530f0021e403e505dffb01aeaa455bbd

SHA1
c8d43d94da233168119026fd00d537afce03f2b6

SHA256
b593e85acd61631617ddafeb2b98cbc2ecd0bc95f28fd79f06bc5c53abc2fa48

SHA512
9d562d222e016b95b757faa9840711f9f0fde2320d9ea12e060f61dc7d3a800799e19ff32687a9fe2b5a0bf66c25ab3682b570d19eae87e3c66b27d95b4811f8

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
1024KB

MD5
499a904996121bf1dee57330dec68eb0

SHA1
48d627f62b6d3323672aa69c11691d66ebe1dd79

SHA256
36aaa067e3bb108f1811bb5d2ad4cb3fd8e7bbfbdc229a0f3d9cd3caeb90ddfe

SHA512
39d5c9ed28feb536b01552b069a2c37a47935c786a6175723abbf2693a77fb3e0fbee75cb1b5398ec9f00987736df5bc78e03cf7f3ef782b7fa2cf0bca30d37c

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
1024KB

MD5
212e228b683d3b765f68726c598f6eb2

SHA1
6872a3c616269ab2e9a85c3c536a1d992af7c835

SHA256
8cca53924c7a36f7f41c64e6b00e69c0f0ccf3f2bccf10e5d65c01b343a89642

SHA512
6f3f3337c3e4c5ac4e257ba2de6df062f740db09ad8ea984549e825100571b0d8ba56056d2e38531883804a4afbe8635f1d7a503879990d698e5bd2ebecba6f8

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
1024KB

MD5
e9d36618cd0d18d0581bfde89785f4c1

SHA1
95a791f2173b064bf7452e1306572c31d84e030c

SHA256
3efb5b0a91c8da4b2ca9d44ac385ea8c0c1631a793dba0aaab5052b7aeac63e5

SHA512
91846d0fe417453b9ce09158804a19e2a41e98d7ba39485d87425a76808a93f17f927cb9c690e8a578d6bf75ff13c085096626c272506fd6bbf62a6a4e2ca908

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
1024KB

MD5
7db16d01b9950d6ee9c9ff8a7be0a2fe

SHA1
da13180fbf7254f6ac06046ed1787e552baa048e

SHA256
d18bc9749e2d74494f5e58329cd85fb403a9dce3b94955e5bef742e32581c550

SHA512
8b99007e7e8c60ac9f2c91e9281f8a9e0669392bd54da26a054f44a01311b8e97ebdbfa9bc671ca2419ca2b69e85b9355262a628920dbae6d2b5b845cba768bd

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
1024KB

MD5
d6f93ce50afdbaf4b40dcb92257da21f

SHA1
57abc5bc7025d1ea2c9aa8e91b4a9ea8155fc70e

SHA256
a739ebcdec8d6971f64c7118cabf5897ef4f7bcb5d3191ef55d87b022b65dc6e

SHA512
990146fbd34da4c252fa6c863ade796a3bd7020cc6cc45d3e6afd663e79e80c02243e3a96212da63b4f892fa83384ff6bdf6f64b311262efe87100d2fd59a826

Download Submit
C:\Windows\SysWOW64\Gqpmkibm.dll

Filesize
7KB

MD5
8417e06b90ad00b73dd3f16367585f85

SHA1
81af767e2fbd2e56ddf0723889435d20ed7bce21

SHA256
b9ac165eb95fab6b5d5d7931fcd5918343fcffcbc55fa4231a021be044a375cc

SHA512
6f43e22791a63e765c3a0b85f0ed32e9ed3f2067ef992c34532a85907f1727a18c44138903d8744f631d51e51845a077e9defd0c939ac73fef60657947b97a99

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
1024KB

MD5
208577b27bc602d72235ac8e0379242a

SHA1
eb26b0bd8ac05132636b5108dd9eb62e063db12f

SHA256
b28cecd87f1ede4b33281a99d9d56a3c6fa886d2309136fda29537c39bf6591f

SHA512
710807994bb0ee5cbb3c90bed1725139b5d8a23c675cd0886fb8b38d667468b29dbcb2daf74c8d90f928474716ff33af32ae92d61b82b98f19364006f7210a73

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
1024KB

MD5
ae1607be607fe9ec474d1a5d5a27bdf7

SHA1
e612948a9941b8cfdd06e914cc0b93d8b1c47e0e

SHA256
4c9ff6e7790aa419e8c3f1c40dc4b7eb14285e02e95a5227c741fb80c1cd5e04

SHA512
1618ef0610f1927bbc858258aa963d5c39542ecbbcd8f9b7b996266e95420810c1aeca6a7e5f0a1807378b461b008c7ef3ae027ea37e3fde42ef610be98d1a85

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
1024KB

MD5
b8f80f47a4e013a339a104f28ddbc8b7

SHA1
d4eea040c31a11636d672b026c84536a45b009e6

SHA256
395e7baff8ba3022197467dae4b765bd28847cbb997b648ff663e3285482c633

SHA512
53eee7b67f36bbab45aeacdcfb1727ae426ad390862d75df58199ba3bff49f01fd19008f65608eac428f29218c98fa7713740a07dac0b3580a5de342618231a6

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
1024KB

MD5
75fcfb3be70c5cf6b1ec3945871f4f64

SHA1
e7f8fe66ecead7e25e4c7327748e5a1ea8370751

SHA256
b68e90d39324f30dd052968e12fb0bc534caab526d738f14d89085236e3a69d2

SHA512
4d176a9e6e190de8900f5bd487dcf610cb3e990dda566c29944807f045f0bddfc82b6a0f729321f67a0b6f01fd1c50d1eb82af11be64055486d77e0050b0b3d7

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
1024KB

MD5
73856597bfbdc0f81d2fda0e9f55a3de

SHA1
08effa28e3f0dadbf9b4c5aed3a634050aca03a4

SHA256
57e36fcb837e7ed20edab55c9aeb9bccb3ed4d5a39dd83b53475179f3f865423

SHA512
95540d7dd4a5d677bf489fb3e7fa207e177067ded49429e2c8553993569ba097e2fe5f865320a0cd6526aa34e46c92e30ee5e66f1f63a8195d93abf6d6a5c185

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
1024KB

MD5
ffb97941a53fd040f2766a7cf0c59ba4

SHA1
c19cbeb35b92b12a75f640b2a35a8aaa98e593a5

SHA256
55712f1d96fa60be811ed127f0f9fac43ad8f38c374f47ff9f2dce31c54a5725

SHA512
8b72b6cd0b889181014b91e3446b8e4d0c50e1ac148ee160eb6fa559ce981ae075c89e3c9f5a69650abb171731f44e67da3a467f62d33e8257c5fc10ece4a3f1

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
1024KB

MD5
9c2c51e0d693765a283a2a7ab45edf02

SHA1
c9cf39ada33fa18332b115fe94a0d351b89efdbb

SHA256
8f41416baa9432fa796568be0058e0d37e3f19c0a0c6e652a4985b4ad57b037e

SHA512
91e6368934011d7f97b29db23211a651c7f75d6b159131bf053c22a4315d7280e4e2fa3a26e5b6242ebf26498283df3e76bb76f5c819a3ccfb3fcdcbb66a0ab4

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
1024KB

MD5
33a0759f27400563afda9bae0cfff74d

SHA1
238199e6f3385b2fa9e355ec9d994b83ee477832

SHA256
1a9821fcdb7f1091f812f4dceab7321a85776fc337463b0cf0b7f7c0a5e432cd

SHA512
52f747a7db6e009996cbd36f7e1a0bbf55aebbba01ccfc703a027fad1d229249c8ea79245ab442448a404194e8ca04b8d8ec34bbd0cdb206b862aade16feac6d

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
1024KB

MD5
4d313504a928494987b6d34eb0a43ebe

SHA1
327866c7d6c8e0c6957d759003da0cfd649bedf1

SHA256
f2661023bfde7e5a195af059260aa8c5e446d6e67c6ddab0afe8c014acbaf5dd

SHA512
d232eab7238046bec26a7d06ce463ee7ea869ee4427589878f6d24ada6a90670fb2c30b46f052f7a81a6d6f62408859d01a391ca578e194be9907f3c46dfc8a0

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
1024KB

MD5
e0e2f427bad8ac8d63726b502ab14387

SHA1
1a8877eef2e3b03d80c82ebf5945f66061563e96

SHA256
36e2f309721f2d801be9875dd96868df38505efff37eac356390bf153f51dd2f

SHA512
cf7ca0609d533ef7a8b69eac0dc1d8b80e2f9d1aa0f1c0c954b589f2980d3a6c611ed0bb5def7d71f4ad5daa2681639699e536c86dc80f4141daa4da0cc9b548

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
1024KB

MD5
0e34558f5c7150f6dbe8095a10f57907

SHA1
fceb5e8c8f04c356b8def7a6dc67b600a2230570

SHA256
de9741ec3cb6c76d03ac77f145c6a6f1301a87e23ec1190b4704b023c12dacd2

SHA512
264c8884c46d7de8aed101ef904e8a38b9f87021cac5491ca8ff013aa7082b0b197fefec475cb5312157f8bd8c2e7d67efb7bfdac7c48687b2587402c2bfddf0

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
1024KB

MD5
a4d1b6c089ea8e3672b5e0de0cd4824f

SHA1
f72cf3d60bca9e73ea2024bd88ef8389da0da382

SHA256
ae06344627a1b47ca0e843260a4cb973d04c77a9d87d61d40a6f0b65e2563341

SHA512
e88d04ee72dc68c547a6131dd0e3d3e19719e94580889b753e410539fa883e3259993715effb7e4b683f082ab5047b3dbdedc45992aae7481e3f327464d12e87

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
1024KB

MD5
3936fe2a6651b26df87966271bd3c571

SHA1
52924cea3a39142bc30799701189d188a9a47779

SHA256
9d1aab2eb854c747fe5855f7026160b1e7ea186b508089e13282ac2fff6b1665

SHA512
c367c44f99448bc9dc987c14d07ae6bb0618de18350bc76b53c34254f6134586bc871043ed1cf109682076e3e0309703321bf1572eed183f2cab0256af00d8f6

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
1024KB

MD5
a3d329f7002a7d6a985dd1401ff07e31

SHA1
8226f42cbdcbe7438cdcff2788b15f2cdbd77a02

SHA256
98df2b5238ca648e9dde3b471e1388b9999f1d2836feb59a5bbe7bf5891d0db1

SHA512
19905aee63d56acf0737eb3a4e6064fe635c7bc3ce51f56f0f6e441d5d8c9cd98eed9c22e9c0d6c4a61b51884829f5fb2b5427096cb6a1574da7caccb78e8f7c

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
1024KB

MD5
d8121ae978e4265b0b3eaed26bef10df

SHA1
c5a471bf7ecd1db6f5f89a425cdfaaffe9730b58

SHA256
e04c29ea7a4df4f51afced7ff0cf1cc95cf24d8561616a00adf18c52fd0cd464

SHA512
4f233995e5b13e9a074ada9b606b3436e8905baaf6d42d4f1290401d08bbcec8b03cfe46d8ad931f600dd55a075d8f9e7ef8dc52516f35ae1f1db3c3857989e8

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
1024KB

MD5
f7ed553114b6477069ce5d031f6abc17

SHA1
ce690e6088ae655050768e7468b2ddd8499ad972

SHA256
2e802b6468eb8631da16f55cd394b60e630e3df2a6fd431057cebfc18cbf526f

SHA512
ed72ad3e259e4e1589334d5b09ec126b0a3e6ff2f09b52072fcdaed5034408591dd922e07f40b21d10c11e5da41c13c3aae4ea7530e594612ea0ae48a8a68d4c

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
1024KB

MD5
01a144c0884bbf76f1f26dfe087abfa3

SHA1
a968c941025c15e64947819c83ce888b10ffd964

SHA256
210748d3190266f73dabff1b7829d30b3f97ee232ef1706bb5130fea2e49ad42

SHA512
d71f4bd37f41900fa53b35841ab441195c8b65897f7a4e379e390046f9b313cbe7ab22ce165047d9e1a42a2bc73c8871e15d832b40cf69cdcfa8614544560a24

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
1024KB

MD5
8d92cc264d3a88b476355534616db18d

SHA1
c909e1e363e040702d6bb639570da6eeed8992cb

SHA256
4816d2cca0d09bed284c9916bb4a2ae74f4f2fab5a1a71433d1450de00d9e4bb

SHA512
f62551b6674884ed8caf0a41b24978848670a78c5b69054df4e99e83ccfff8289bd67bb33f90ad0e1e603856544439db7d88e69f195b31a30ff03e86b2cd640e

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
1024KB

MD5
f44bd6a939095c22889b860bd7be2e03

SHA1
af9ac36c3294ba8bd467034544d80b9281976cc7

SHA256
e19e9f21cf31ecb63d53725c33459f21f7a14d356391539333f54d34d1220c50

SHA512
dd68924ec1b1d313b086fb902d9ae021a59b52aec352fbdc0e454bb0776b670e85c2b6091476f23215b17ff77c100ff4c3e1e970c5596e4582348beaaf75cf84

Download Submit
memory/32-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/412-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/664-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/944-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1272-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1840-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-610-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-616-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-626-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3136-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3316-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3364-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3776-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-628-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4180-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-598-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-604-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5148-634-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5684-951-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5948-949-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads